University of East London Homepage

Research Ethics - Data Protection and Information Security

All data gathering for the purposes of the proposed research, especially in cases involving personal data, must be conducted in accordance with our university's Data Protection PolicyData Protection Policy‌. This policy is founded on the eight core principles of the Data Protection Act (1998) which are listed below:

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless – (a) at least one of the conditions in Schedule 2 is met, and (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

(Note: The criteria set out in schedules 2 and 3 of the Data Protection Act are "conditions for processing". For more information please refer to the Information Commissioner's Office (ICO) website.)

2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

4. Personal data shall be accurate and, where necessary, kept up to date.

5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

6. Personal data shall be processed in accordance with the rights of data subjects under this Act.

7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to,
personal data.

8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

(Note: The European Commission has agreed that the following countries currently have an adequate level of protection for personal data: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, Switzerland.)

Data Storage

Before submitting for formal approval of ethical parameters in the proposed research, those responsible for the research must ensure that a suitable and sufficient strategy for data storage is in place. This is particularly imperative in cases where the proposed research involves gathering and storing personal data, and arrangements should be tailored to the specific nature and sensitivity of the data involved.

When obtaining informed consent from participants, the details on security measures for the handling of confidential and / or sensitive data should be made clear. The information provided to participants concerning the use of data should include:

  • Confirmation that UEL assumes the role of data controller, in line with the Data Protection Act (see UEL Data Protection Policy).
  • Details of location of data storage.
  • Details of how data will be stored (e.g. HDD, SSD, secure network, hardcopy) .
  • Confirmation of any arrangements for sharing of data.
  • Confirmation on whether or not the data will be reused.
  • Details on arrangements for secure disposal of personal data.

Although most Research Ethics Committees (RECs) would not normally ask for assurances on the timescale for disposal of general research data, as in the case of longitudinal studies, those responsible for the proposed research must ensure there is a clear timescale for the disposal of personal data.

It is imperative that all personal data is stored securely, with access restricted to staff and students involved directly in the research. The UK Data Archive provide an overview of recommended file formats for data storage. Any arrangements for data storage will be specific to the nature of the study and the data involved, however, adequate and appropriate security measures must be the primary concern.

Data Security

The fundamental concern in ensuring the safety and integrity of data for the proposed research is keeping the personal data of participants secure. Any files containing personal data generated by the research will be subject to the Data Protection Act, therefore sufficient and appropriate measures must be taken to ensure its safety. Some of the key questions relevant to the application for ethical approval will be:

  • how will the research data be stored (e.g. PC, hard copies, disks)?
  • who will have access to the data (e.g. researchers external to UEL, third-parties)?
  • what contingency plans are in place for lost or damaged data?

The Research Ethics Guidebook poses a scenario that might further inform considerations made by those responsible for the proposed research:

For example, losing a USB stick that contains anonymised data is problematic, but it is less problematic if the stick is securely password protected.  But what if the USB stick contained participant contact details or other personal or identifiable information?  How secure would it need to be?  Could you ensure that?

The expectation for data gathered for the purposes of research carried out by staff and students at our university is that it will be stored on secure UEL servers.

The two core considerations here are the physical and electronic security of the data. A range of questions that may prompt relevant considerations for ethical approval are listed below:

  • Will data be stored in a secure room where access is key restricted to staff and students involved in the research?
  • Will access and removal of physical data be logged systematically?
  • Will data stored on the UEL server be encrypted and password protected?
  • Will access be read only, read and write or administrator-only permission?
  • Will data be disposed of in a manner which is consistent with its sensitivity level?
  • Will the data be transferred at any point? If so, what precautions will be taken to ensure it is secure.

Personal, Confidential and Sensitive

In outlining the unique elements of participant data, which must be considered in line with the Data Protection Act (1998), the UK Data Archive provide the following definitions:

Personal Data

Personal data are data which relate to a living individual who can be identified from those data or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller and includes any expression of opinion about the individual and any indication of the intentions of the data controller. This includes any other person in respect of the individual (Data Protection Act 1998).

Confidential Data

Confidential data are data given in confidence or data agreed to be kept confidential, i.e. secret, between two parties, that are not in the public domain such as information on business, income, health, medical details, and political opinion.

Sensitive Personal Data

Sensitive personal data are defined in the Data Protection Act 1998 as data on a person's race, ethnic origin, political opinion, religious or similar beliefs, trade union membership, physical or mental health or condition, sexual life, commission or alleged commission of an offence, proceedings for an offence (alleged to have been) committed, disposal of such proceedings or the sentence of any court in such proceedings.

Navigation menus:

Site-wide menu

Information for screenreader users:

For a general description of these pages and an explanation of how they should work with screenreading equipment please follow this link: Link to general description

For further information on this web site’s accessibility features please follow this link: Link to accessibility information