Data Protection Compliance Checklist
Data Protection Compliance Checklist
For conducting research on personal data and special categories of data
Data protection legislation places responsibility on the University to control the processing of personal data and special categories of data for scientific or historical research and statistical purposes within the University. The processing must meet the principles of the legislation, though there are limited exemptions for research. See our page on research for further information.
The following points should help determine whether your research project -- planned, new, or existing -- is subject to data protection legislation and, if so, what precautions you must take.
Please work your way through all the points unless you conclude, after point 1, that data protection legislation does not apply to your research project. If you are unsure at any stage, you must consult the Data Protection Office.
- Ensure that you know what is meant by personal data and special categories of data. If your research project does not involve such data then DP legislation does not apply.
- Ensure that you understand what is meant by "research on personal data", and the conditions applied to this research;
- Ensure that you know and apply the additional rules relevant to research on special categories of data;
- Ensure that you have considered and determined an appropriate lawful basis for the processing of your research data;
- Ensure that you know the limited exemptions which may apply to your research project;
- If your processing may pose a high risk to individuals, complete a Data Protection Impact Assessment. See the UofG Information Risk classifications for further information on risk.
- Strip out any identifying information that is not needed for the processing of the research data. To increase the security of the processing, make the research data pseudonymous or anonymous (if practical and to no disadvantage to the research). Do not supply a "key" to pseudonymised data to anyone unless required.
- Ensure that your technical and organisational safeguards meet the security requirements of the data protection legislation. Be particularly cautious when physically taking research data outwith the University. More information is available via Information Security;
- Research data remains subject to data transfer requirements of the data protection legislation. If the research data is (a) transferred into the University or (b) being transferred outwith the University at any stage, ensure that an appropriate data sharing contract is in place that covers data protection requirements & responsibilities;
- Review the Research Strategy & Innovation Office's publication Code of Good Practice in Research, part of the Research Integrity Framework, which provides recommendations on documenting results and storing primary data based on the requirements of several Research Councils. The guidance takes into account:
- The legal and regulatory framework for particular types of research;
- The terms and conditions imposed by external research sponsors;
- The commercial, political or ethical sensitivity of particular types of research, or any research for particular external sponsors.
- Ensure that when the research data is no longer required, it is retained in line with the Code of Good Practice in Research, or is securely destroyed. The Research Data Management team provides secure facilities for the deposit of research data that may be required to be retained after the termination of the research project. Material is deposited in numbered boxes that may only be retrieved by the depositor and any nominated colleagues.