Determine data needs
Choosing the right data for your research project
Researchers should share their research idea with a SHIP research co-ordinator at the earliest opportunity. The research co-ordinator can provide advice about the design of a feasible study and potential sources of data.
When developing your research proposal and considering what data you may require it is important to weigh up the relative benefits to your research of using person-identifiable data, against the obligations that will fall to you if you process identifiable and potentially sensitive personal data under the law. You should ask yourself whether you are asking for data of greater sensitivity than your project strictly requires and therefore elevating the risk category to which your data access request will be assigned without good reason. The obligations that fall to someone processing personal data (which includes using data for research purposes, even when conducted within a Safe Haven) under the Data Protection Act 1998 are set out below. If necessary SHIP’s Research Coordinator will be able to help you refine your research proposal in light of any issues associated with data privacy risks.
When you come to submit your data access request it will need to be accompanied by a project protocol, which clearly specifies the study cohort, aims and methods. It should also carry a date and version number for matching against approvals. The specific data needed to best fulfil the requirements of the protocol should be agreed with the SHIP research co-ordinator. This specification, along with any subsequently amended versions, will be stored in the SHIP Project Management system.
Obligations under the Data Protection Act 1998
Under the Data Protection Act 1998 (DPA) it is the responsibility of the data controller to comply with the obligations set out in the Act, which are contained in the data protection principles in schedule 1. However, even if you as a researcher are not a data controller but simply a data processor, it is still good practice for you to be aware of and comply with the obligations under the DPA.
The obligations imposed by the DPA are:
- To process data fairly and lawfully;
- To process data in accordance with one of the conditions in schedule 2 and for sensitive personal data also schedule 3 of the DPA;
- To process data only in such a way that is compatible with the purpose for which you specified the data would be processed;
- To not process personal data excessive or irrelevant for the purpose for which they are processed;
- To ensure that personal data is accurate and up to data;
- To only keep personal data for as long as is necessary for the purposes of processing;
- To process data in accordance with the rights of the data subject;
- To ensure that adequate security measure, both physical, technical and managerial, are in place to protect personal data;
- To not transfer personal data outside the European Economic Area unless adequate security safeguards are in place.
For more guidance on the obligations imposed by the DPA, please see the guidance page on the data protection principles and the guidance page on the conditions for processing personal data.
Remember however that these obligations only apply if you are using identifiable data. Therefore if you chose to only make use of anonymised data then you will not have to worry about the provisions of the DPA.