LibGuides: Research Data Management: Personal and Special Category Data

Data Management Plans (DMPs) - Personal Data

To comply with data protection legislation, it is necessary to take appropriate steps to protect personal data. Any personal data collected or used in a research project needs to be documented in a Data Management Plan, along with the safeguards that will be in place to mitigate any risks.

These should be documented in the following sections/questions of the BU Data Management Plan (DMP) template:

Ethical and legal compliance

Will you be handling personal data?
Will you be handling special category data or data relating to criminal convictions?
List what personal data or special category/criminal conviction data you will be handling during your research.
Briefly describe why the personal data you're handling is needed. > Data minimisation
Will any of the data be sent to partners outside of the UK? > International data transfers
Briefly list the countries/partners where data will be sent to.
Provide brief details of anyone else who will have access to any of the data. > Restricting access to authorised persons and organisations

Storage, back-up, and security

Where will your non-digital research data or project documentation be stored, short or long-term? > Physical storage
Where will your digital research data or project documentation be stored, short or long-term? > Electronic storage
Do you plan to keep identifiable participant data after the study has finished? > Storage limitation and retention periods
Provide a justification if you plan to keep identifiable participant data after the study has finished.
How and when will personal or other sensitive data be deleted/destroyed? > Data destruction > Storage limitation and retention periods
What security measures will be put in place to prevent unauthorised disclosure of data, both during and after the study?

Personal data

Personal data is any information relating to a living individual. If you're collecting data about someone who is alive, and it's possible to identify that someone, then you're collecting personal data. Individuals might be identifiable directly or indirectly.

Special category data is personal data that is more sensitive in nature, and so requires a higher level of protection. GDPR defines special category data as personal data about an individual's:

Race
Ethnic origin
Political opinions
Religious or philosophical beliefs
Trade Union membership
Genetic data
Biometric data (where this is used for identification purposes)
Health data
Sex life; or
Sexual orientation

Information relating to criminal convictions or offences also require higher levels of protection.

Privacy Impact Assessments (PIAs) / Data Protection Impact Assessments (DPIAs)

Purpose

A Privacy Impact Assessment (PIA) (also known as a Data Protection Impact Assessment (DPIA)) is required when data processing activities are likely to result in a "high risk" to the rights and freedoms of individuals.

In a research context, this need may arise when research involves high-risk data processing, particularly when handling sensitive or special category personal data.

The primary purpose of a PIA is to identify and mitigate data protection risks early in the project planning stage. The requirement for a PIA often emerges as part of the Data Management Plan (DMP) and/or the ethics approval process and may also be required by a research funder or sponsor.

Additional information on conducting a PIA at BU is available from the BU's Data Protection SharePoint site. For support or questions, please contact the Data Protection Officer.

When Are You Likely to Need to Conduct a PIA?

A PIA is typically required if your research involves:

Large-Scale Processing of Special Category Data
- This includes processing sensitive data, such as health, biometric, or genetic data, on a substantial scale.
Systematic Monitoring of Individuals
- Projects that involve continuous or large-scale observation, tracking, or profiling of individuals may require a DPIA.
Data Transfers Outside the UK
- When data is transferred to countries outside the UK that may not offer adequate data protection standards, a DPIA is necessary to evaluate and address associated risks.

PIA Process

The PIA process involves assessing the scope, necessity, and proportionality of the planned data processing. It also includes identifying and implementing measures to mitigate potential privacy risks to participants.

This proactive assessment helps ensure that privacy considerations are integral to the project from the start, thereby reducing potential compliance issues and protecting participant rights.

Anonymisation and Pseudonymisation

Anonymisation
Anonymisation involves processing data to prevent the identification of individuals, directly or indirectly, from the data alone or in combination with other available information. Properly anonymised data is no longer classified as personal data and, thus, is not subject to data protection laws. Anonymisation is suitable when research results or shared datasets do not require identifiable information.

Pseudonymisation
Pseudonymisation replaces identifiable information with codes or pseudonyms. While pseudonymisation protects participants' privacy to a significant extent, it allows for re-identification if additional information is available. Consequently, pseudonymised data remains subject to data protection regulations and should be safeguarded accordingly.

Further information on these techniques and reference to guidance on how to utilise them can be found under the 'security section'.

Using PIAs in conjunction with anonymisation and pseudonymisation can enhance compliance and build participant trust, ensuring that privacy protections align with ethical and regulatory standards throughout the research project.