Skip to main content

Joint Research Management Office

Data protection and GDPR

How do I manage data protection?

Collection and use of data

All researchers must comply with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018). The GDPR defines personal data as any data that can be attributable to a living individual and does not have to include name, address, and date of birth or gender. The CI is usually the named Data Custodian of the study.

Storage of data:

  • Physical storage - data should be kept in a locked filing cabinet, accessible only to the research team in a lockable room. Identifiable data will be transcribed and or anonymised and identifiers removed as soon as possible.
  • Electronic Storage - including Cloud storage, IT programs and infrastructures, must be identified, risk assessed and validated where appropriate and data kept in an encrypted format, accessible only to the research team via a password-protected Barts Health or Queen Mary computer.

Participants should be informed that any information recorded because of their involvement with the trial will be stored securely. The research findings of any study are to be stored at Barts Health/Queen Mary Records Management Facility.

Individual rights over data

Individuals have various rights over their personal data; for example, they can access any personal data that you have about them.  The participant also has a right to request that you stop processing their data. However, in the research context, many of these rights are limited; although you must be able to show that complying with such requests would impair your research, that you have appropriate security measures in place, and that published research results will not identify individuals. For further details on data management please see SOPs 38a and 38b

Further information

The GDPR only applies to the European Economic Area (EU plus Iceland, Lichtenstein and Norway). If your study requires you to send data outside EEA special conditions apply and you should seek guidance. 

What is the General Data Protection Regulation (GDPR)?

The GDPR 2018, accompanied by the Data Protection Act 2018 (DPA 2018), replaces all pre-existing provisions under the Data Protection Act 1998. The GDPR is intended to strengthen and unify data protection for all individuals within the EU.

The HRA website provides full guidance both for those who manage data and for members of the public. There is specific information on the HRA website for researchers, researchers should also be aware of the HRA guidance regarding patient information and healthcare research. There is also an informative short film on YouTube that summarises the GDPR and the legal position concerning all personal information held for research purposes. 

To discuss how this may impact your research please contact the JRMO research governance team at 

What is the Data Protection Act 2018?

The GDPR allows member states some leeway in certain respects, one of which is in the processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. Therefore, some special conditions are laid out in Section 19 of the Data Protection Act 2018 (DPA 2018).

In short, you must have in place certain measures to safeguard personal data such as appropriate protection and using the least data possible. Your research must not be likely to cause substantial damage or substantial distress to data subjects or be carried out to take measures, or make decisions, about a particular data subject, unless that purpose is expressly approved ‘medical research.’ If you have these safeguards in place, then exemptions will exist to some data subjects’ rights and data protection principles.

What if I have a Freedom of Information request relating to my research?

Depending on which organisation holds your data - Queen Mary or Barts Health - there are different Freedom of Information (FOI) processes to follow:

What is a Research Database?

A research database is a structured collection of individual-level personal information, which is stored for potential research purposes beyond the life of a specific research project. A research database is not a research project in itself, but researchers establishing a research database may choose to apply to an NHS REC for a favourable opinion of the database. This is optional but can provide the following benefits:

  • It demonstrates that the NHS REC considers the means of data collection, processing and storage used by the database team to be ethical.
  • The generic REC approval for the database can be applied to a range of future research studies using the data, meaning that REC approval is not required for each individual study (any other approvals such as sponsorship and HRA approval are still required).

For more information on research databases please see the HRA website.

Return to top