Data Protection » History » Version 21

Steve Welburn, 2012-11-20 12:15 PM

1 1 Steve Welburn
h2. Data Protection
2 1 Steve Welburn
3 19 Steve Welburn
Data protection protects the rights of individuals over their personal information. In particular, The "Data Protection Act":http://www.legislation.gov.uk/ukpga/1998/29/contents covers the processing of data relating to identifiable living individuals. The core of the Data Protection Act is a set of data protection principles. These state that personal data shall be processed fairly and lawfully and shall not be processed unless the subject gave their consent except under "specific conditions":http://www.legislation.gov.uk/ukpga/1998/29/schedule/2 (for sensitive personal data such as marital status, ethnic origin or health information there are "further restrictions":http://www.legislation.gov.uk/ukpga/1998/29/schedule/3). In addition, personal data should be:
4 8 Steve Welburn
* obtained only for specified purposes, and should not be used for anything else;
5 8 Steve Welburn
* adequate, relevant and not excessive in relation to the purposes (i.e. only the data that is required);
6 8 Steve Welburn
* accurate and, where necessary, kept up to date;
7 8 Steve Welburn
* kept no longer than is necessary for the purposes;
8 8 Steve Welburn
* processed in accordance with the rights of the data subjects under the Act;
9 8 Steve Welburn
* protected from:
10 8 Steve Welburn
** unauthorised or unlawful processing
11 8 Steve Welburn
** and loss, destruction; or damage
12 8 Steve Welburn
* shall not be transferred outside the European Economic Area without similar protection being provided.
13 5 Steve Welburn
14 21 Steve Welburn
Fair and lawful processing requires that the data was not obtained by deception and is kept confidential and that the data subject was given information about who will process the data and for what purpose.
15 21 Steve Welburn
16 19 Steve Welburn
In general, data subjects have a right to access to data held about them. The onus to provide this data is on QMUL as the data controller, and, as such, QMUL should be able to find any personal data relating to identifiable living individuals which is held within the college.
17 15 Steve Welburn
18 19 Steve Welburn
However, there is a specific exemption, for research which is not targeted at particular individuals and will not cause distress or damage to a data subject, which allows data to be processed for other purposes and held indefinitely. Data subjects also have no immediate right of access for personal data where the data is processed for research purposes and the results do not identify the data subjects.
19 15 Steve Welburn
20 1 Steve Welburn
JISC "state":http://www.jisc.ac.uk/publications/generalpublications/2001/pub_dpacop_0101.aspx:
21 1 Steve Welburn
22 1 Steve Welburn
bq. Data controllers are required by the Act to process personal data only where they have a clear purpose for doing so, and then only as necessitated by that purpose. A data controller’s purpose for any personal data processing operation should thus be clearly set out in advance of the processing, and should be readily demonstrable to data subjects. 
23 1 Steve Welburn
24 19 Steve Welburn
They also note: that the majority of the Data Protection principles do apply to research data; that there should be a review to ensure compliance with Data Protection requirements; and that a mechanism should be in place for subjects to object to the processing if they believe it would cause them damage or distress. Particular care must still be taken when processing involves sensitive data.
25 19 Steve Welburn
26 20 Steve Welburn
As data protection applies to identifiable living individuals, it is generally best practice to anonymise any data relating to individuals as soon as possible, discarding any information that allows individuals to be identified. In order to comply with the Data Protection Act, a suitable consent form should be provided allowing the use of data relating to identifiable living individuals in research. Alternatively, such consent may be recorded in interviews. Within QMUL, research which involves human participants and data relating to them should be approved by the college "Research Ethics Committee":http://connect.qmul.ac.uk/research/ethicscommittee/index.html - the fast-track ethics review should be sufficient for most C4DM research.
27 10 Steve Welburn
28 4 Steve Welburn
Further information:
29 4 Steve Welburn
* QMUL Academic Registry and Council Secretariat (ARCS) information on "data protection":http://www.arcs.qmul.ac.uk/information_governance/dp/data_protection.html
30 14 Steve Welburn
* JISC "Data Protection Code of Practice for HE and FE":http://www.jisc.ac.uk/publications/generalpublications/2001/pub_dpacop_0101.aspx with specific section on "personal data in research":http://www.jisc.ac.uk/publications/generalpublications/2001/pub_dpacop_0101.aspx#research
31 5 Steve Welburn
* Canterbury Christchurch University document on "Data Protection in Research":http://www.canterbury.ac.uk/Research/Documents/DataProtection.pdf
32 4 Steve Welburn
* "EU Data Protection Directive":http://ec.europa.eu/justice/data-protection/index_en.htm
33 1 Steve Welburn
34 4 Steve Welburn
The Act:
35 4 Steve Welburn
* "Data Protection Act 1998":http://www.legislation.gov.uk/ukpga/1998/29/contents