The legal requirements for collecting and processing personal data are explained at https://dataprotection.leeds.ac.uk/data-protection-and-personal-data. Template privacy notices are available from the same webpage, including one specifically for research participants.
It is important to consider what data it is useful to collect and how that data will be used once it is obtained. Consider whether you really need to collect personal data.
Care should be given to the wording of any participant information sheets and consent forms to ensure that you are asking for appropriate consent for the intended use of the data collected. All research participants must be told about about how any personal data collected about them will be used, stored, processed, transferred and destroyed.
- Data protection code of practice
- Data protection, anonymisation and storage and sharing of research data protocol
- Approaching and recruiting research participants
- Insurance information
- Template privacy notices – revised February 2019
- Online research
- Planning your research project
- Using different research methodologies
- Verbal informed consent protocol – revised February 2019
- Confidentiality and anonymisation
- Research data guidelines
- UK Data Archive tips on organising data
Data should usually be stored in the researcher’s M: drive or appropriately secured N: drive folder with approval of the Faculty IT Manager. Refer also to the University’s policies on information security.
Collecting research data while away from Leeds
Desktop Anywhere provides access to University IT services in a familiar cluster-style desktop from anywhere with a reliable Internet connection. Find out how to set up, launch and use the service.
According to paragraph 37 of the University of Leeds policy on data protection, the Act places restrictions on the transfer of personal data outside the European Economic Area (EEA), unless the country or territory involved ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. If, after careful consideration, it is regarded as essential that the transfer of personal data outside the EEA should take place the consent of the data subject must be sought. This restriction has particular implications for international research projects and information placed onto websites.
- Staying safe – using computers abroad
- Travelling abroad with an encrypted laptop, mobile and data
- Top tops for improving your information security
Any survey information collected online must be done in a manner that complies with the Data Protection Act, specifically that if the survey is collecting data that is person identifiable then the data must be held within the EEA. In practical terms, that means not using surveymonkey.com or the like which hold their data in the USA (which therefore makes the data subject to the US patriot act), but rather using https://www.survey.leeds.ac.uk (BOS) or similar.
Many surveys are conducted anonymously and as such the data is classified as non-sensitive. BOS is underpinned by some robust security but nevertheless using any online survey tool to collect person identifiable highly sensitive data is not recommended. For previous projects that have needed to collect highly sensitive data via an online survey, we have conducted the survey anonymously and then asked participants who are happy to follow up with us to enter a random six digit code as the final survey response and then for them to contact us via e-mail quoting this code. That way, the research team is able to contact them and also link them to a survey response without making the data held in BOS person identifiable on its own.
- Bristol online survey accounts
- Consent for questionnaires/ surveys (includes an example introductory paragraph)
- How to run a survey
Dealing with sensitive personal data
Sensitive personal data includes the following types of information about an identifiable living individual:
- racial or ethnic origin;
- political opinions;
- religious beliefs;
- trade union membership;
- physical or mental health;
- sexual life;
- commission of offences or alleged offences.
Such sensitive personal data can be used for research purposes, but only under certain circumstances.
- ASDL guidance on using sensitive personal data for research
- Confidentiality and anonymisation guidance
Dealing with security sensitive research material
In accordance with section 3.3 of the University’s Use of Computer Systems Policy researchers with a legitimate academic interest in security sensitive research material are advised to register their interest with the University Secretary in advance (via the IT Security Team at email@example.com).