Data protection in research: An overview

All research projects that use personal data (as defined by the ICO here) must be considered under the University’s Research Data Protection Assessment Procedure. Data Protection Impact Assessments (DPIAs) are a requirement under the UK General Data Protection Regulation where projects include potential ‘high risk’ processing activities.

The full Research DPIA Procedure is available here, which documents the requirements for data protection ‘high risk’ research projects.

Researchers often work with other organisations to collaborate on research or share personal data, for example with other universities, councils, government, policing bodies or the NHS. The data protection assessment requirements for this type of personal data sharing are fully addressed within the EthOS application where researchers complete sections A through to L. When researchers complete the EthOS application, they should consider this sharing as a key part of the research project, and answer questions with reference to this sharing.

For example,

Where the application asks the researcher to explain how the personal data collected are relevant to their project (question D4.4.2 in the full application and F2.3.2 in the UG PGT application), they should consider how the sharing of personal data categories between Manchester Met and the external organisation is justifiable to meet the proposed purpose.

Where the application asks the researcher to describe any potential negative effects that the participants may experience as result of the project (question D4.4.1a in the full application, and F2.3.1a in the UG PGT application), this should include any effects of sharing the data beyond MMU or beyond the organisation that originally collected those data.

In addition, researchers are required to consider whether a data sharing agreement is required.

Question D7 in the full application and F2.4 in the UG PGT application now asks:

Will you be sharing personal data or special category (sensitive) personal data with external sources, or receiving it from external sources? (yes/ no).

Where a researcher selects ‘yes’, they are asked to contact [email protected] or [email protected] to discuss requirements, and to subsequently confirm they have done this.

As per the Research Data Protection Impact Assessment procedure, certain projects will require a separate external Research Data Protection Impact Assessment to be completed. Any collaboration work must be considered in detail in this document.

No further data protection assessments are required for this type of collaboration work.

Researchers may need to enlist the services of a service provider, such as a transcription or translation service, interpreter or coder. These arrangements are usually straightforward in nature, and require the provider (a company or sole trader acting as a ‘processor’ to the University) to complete work on behalf of the researcher, usually for payment. 

For this type of work, researchers need to request a contract for services so that the provider can be paid for the work by the University. Researchers should answer ‘yes’ to question D7 in the full application and F2.4 in the UG PGT application, which now asks:

Will you be sharing personal data or special category (sensitive) personal data with external sources, or receiving it from external sources? (yes/ no).

The information button confirms that this is a requirement.

Where a researcher selects ‘yes’, they are asked to contact [email protected] or [email protected] to discuss requirements, and to subsequently confirm they have done this. This will lead to a contract for services being produced. A similar question is posed in the separate Research Data Protection Impact Assessment template.

Within the contract for services template, the researcher is asked to contact [email protected] if the arrangement involves sharing personal data with the service provider. The data protection team will guide the researcher through any requirements, which will vary depending on circumstances, but will likely include one of the following:

1. Reviewing an existing ‘overarching’ assessment for the type of service provider in question, and confirming the processing is similar to that documented.
2. Completing a new basic data protection assessment.
3. Arranging for an undertaking of confidentiality to be signed by the provider.
4. Providing further advice for the researcher to follow to reduce privacy risk to any data subjects.

Researchers often use application service providers to assist them with disseminating information, meeting and collaborating online, or compiling surveys. When researchers use these services, it is usually a requirement that some form of personal data relating to participants are shared with that provider. The application service provider is acting as a ‘processor’ to the University in these situations. It is therefore very important that the terms and conditions of these application service providers are reviewed to ensure that the personal data the University is responsible for are adequately protected.

IT Support at the University ensure that all software requests are adequately considered, and that the providers of the software meet the required standards for processing. Researchers can contact the IT Helpline to request access to software; if the software has already been assessed and approved, access will be granted. If the software is new to the University, researchers will need to complete a form to request a license or access. Researchers should contact IT support to request to use any specific application service providers.

In addition to this, the Data Protection team and Information Security have reviewed the terms and conditions of some external survey solutions, and are satisfied that the University’s data are adequately protected. A list of agreed application service providers is available on the University’s data protection pages here. Researchers can use these providers knowing that data are adequately protected in respect of the data protection legislation and information security measures, and do not need to notify the Data Protection team of their use. Please note that other teams may still need to be consulted as per usual university procedure. Where one of these authorised service providers is used (i.e. those checked by IT Vendor Management, or included in the intranet hyperlink above), the researcher is still expected to follow the following guidance notes (which now appear in EthOS where the applicant ticks that they are using an online application service provider):

• If the processing of personal data are required you should consider what personal data are necessary, adequate, relevant and not excessive to achieve your purpose. If using surveys, consider if anonymised returns could be used.
• Ensure that you clearly inform participants that the provider is a recipient of the personal data they provide.
• Provide participants with a hyperlink to the provider’s privacy notice.
• MMU remains responsible for the retention of the data collected by the application, and you must work with the provider to ensure it is retained in line with retention and disposal requirements. You must securely manage any data extracted from the tool in line with the rest of your project data.
• Please remember that all Information security policies and procedures will need to be followed. Please refer to The Information Security policy site or contact [email protected] for guidance.

The Data Protection team intend to expand this list along-side Information Security, to include other types of application service provider.

If a researcher would like to create a new website (i.e. external to the main University website) as a part of their project (for example, if they wish to publish results, or generate further interest in their study), they will need to ensure this complies with the University’s standards on web development, and that it is included in the register of digital assets.

To begin this process, researchers must download and review the web standards (this should be shared with any external supplier/ web developer you wish to contract with).  Following this you should complete the new website request form and submit this to the External Relations Digital Team through Assist, attaching the form and with the subject “New Website Proposal”.

Along with other compliance aspects and regulations with which we must comply, this process ensures that the data protection aspects of the proposal are adequately addressed. Researchers may be asked to complete a data protection ‘website assessment’ as a part of this process, in particular for example, if personal data are being included on the site or are harvested through an online enquiry form, or if cookies are being used. The data protection team can also be contacted directly about this requirement via [email protected].

ManMetJobs advise on the correct way of employing/paying people for tax purposes, e.g., for projects, providing services, talks etc.  The ESI Staff and Supplier questionnaires may trigger a request for more information regarding sharing data and data protection queries when trying to set up the contract with Legal. This may then require a data protection compliance assessment or an undertaking of confidentiality to be completed by the external participants. Legal/RKE contracts will then advise on the most appropriate contract to put in place.