UNIVERSITY of GLASGOW

DP and FOI office

Research on Personal and Sensitive Data

The term Research is not precisely defined by the DPA but it includes historical and statistical studies. Research on personal data may only be undertaken subject to all the following safeguards:

  • The processing of the personal data in the research must not be used to support measures or decisions targetted at specific individual(s) without their explicit & informed consent;
  • The processing of the personal data must not be undertaken in such a way that substantial damage or distress is, or is likely to be, caused to any individual(s);
  • The results of the research must not identify any individual(s).

In addition to the safeguards that apply to research on personal data, there are additional constraints that apply to research on sensitive personal data. At least one of the following conditions must apply:

  • Explicit consent in writing must have been given by the individual(s);
  • Medical research is being carried out by a health professional or by someone with a similar duty of confidentiality;
  • Analysis of racial/ethnic origins is being carried out for equal opportunities monitoring;
  • Research is in the substantial public interest and is necessary for research purposes and does not support measures with respect to the particular individual except with their specific consent nor cause, or be likely to cause, substantial damage or distress. In this case, it is advisable to include a statement in the project documentation indicating the potential benefits to the public of the research.


Section 33 of the Data Protection Act provides limited exemptions from some requirements of the DPA for personal data processed for research purposes. All the DPA Principles apply subject to the following limited exemptions:

  • The research data may be kept indefinitely – exemption from the 5th Principle;
  • The research data is not open to Subject Access Requests if the results of the research, whether in articles or research reports or dissertations or presenntations, do not identify any individual - exemption from the 7th Principle & Section 7;
  • Personal data may generally be used for research, without further consent of the individuals, even if it was collected for other purposes subject to the conditions that (a) it was not initially anticipated that the data would be used for research purposes, and (b) it is deemed as not practical to retrospectively inform the individuals - exemption from the 2nd Principle;


The exemptions do not apply when the personal data is (a) processed to support measures or decisions on targeted or identified individuals, and (b) where the processing may cause substantial damage or distress to any individual. As more strenuous conditions apply for research on sensitive personal data and, consequently, these exemptions may not apply.

The explicit consent of the institution must be obtained if research is for private purposes & will use institutional data.