Ensure any changes in data use comply with existing conditions

The relevant data protection principles

Under the Data Protection Act 1998 (DPA) the second data protection principle provides that personal data should only be processed for one or more specified and lawful purposes, and shall not be processed in any manner incompatible with these purposes. Essentially this means that you must be clear about your reasons for obtaining the data, and what you are going to do with the data once you have it.

However, s33 of the DPA provides for the ‘research exemption.’ Under this section even if you did not originally have the authority to do research with the data, you can do research with it at a later stage. importantly, research can be kept indefinitely for such purposes. This examption applies so long as controls are respected, the data is not used to take a decision affecting the individual whose data it is, and so long as the individual will not become identifiable from the research results.

If the research exemption does not apply then additional consent and/or approval will need to be sought for any new or modified data usages.

More information on the second data protection principle can be found here and more information on the research exemption can be found here.

Return to top of page

Limits to consent conditions, authorisation conditions and/or anonymisation

As well as ensuring that any new or modified data usages comply with the DPA, you must also ensure that the consent or authorisation conditions applying to the original data use extend to cover the new or modified use of the data. If not you may need to seek additional consent and/or authorisation.

In addition, if the new or modified use of the data involved linking the data with another dataset, you must ensure that any anonymised data will remain anonymous. If not additional steps may need to be taken to further anonymise the data.

Return to top of page

Return to route-map