Skip to Main Content

Research Data Management: Personal and Special Category Data

Research Data Management (RDM) Library guide

Personal data

To comply with data protection legislation, it is necessary to take appropriate steps to protect personal data. Any personal data collected or used in a research project needs to be documented in a Data Management Plan, along with the safeguards that will be in place to mitigate any risks.

 

Personal data is any information relating to a living individual. If you're collecting data about someone who is alive, and it's possible to identify that someone, then you're collecting personal data. Individuals might be identifiable directly or indirectly.

Special category data is personal data that is more sensitive in nature, and so requires a higher level of protection. GDPR defines special category data as personal data about an individual's:

  • Race
  • Ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade Union membership
  • Genetic data
  • Biometric data (where this is used for identification purposes)
  • Health data
  • Sex life; or
  • Sexual orientation

Information relating to criminal convictions or offences also require higher levels of protection.

Data minimisation

Data minimisation means collecting the minimum amount of personal data that you need, and no more. It is not acceptable to collect more than is strictly needed on the off-chance it might be helpful in the future.

It's a requirement of GDPR and designed to reduce the risk of unlawful disclosure. It will reduce the scale of a breach and its potential impact on participants if only a minimum amount of personal data is handled to begin with.

For example, if you need to know how old a participant is for your research study, collect their age and not their date of birth. This reduces the risk to the participant if data is disclosed in error.

In keeping with the principle of data minimisation, If you plan to collect or use personal data in your research project, you will need to explain why it is needed in your Data Management Plan