To comply with data protection legislation, it is necessary to take appropriate steps to protect personal data. Any personal data collected or used in a research project needs to be documented in a Data Management Plan, along with the safeguards that will be in place to mitigate any risks.
Personal data is any information relating to a living individual. If you're collecting data about someone who is alive, and it's possible to identify that person, then you're collecting personal data. Individuals might be identifiable directly or indirectly.
Special category data is personal data that is more sensitive in nature, and so requires a higher level of protection. GDPR defines special category data as personal data about an individual's:
Information relating to criminal convictions or offences also requires higher levels of protection.
Data minimisation means collecting the minimum amount of personal data that you need, and no more. It is not acceptable to collect more than is strictly needed on the off-chance it might be helpful in the future.
Data minimisation is a requirement of GDPR and is designed to reduce the risk of unlawful disclosure. If only a minimum amount of personal data is handled to begin with, the scale of a breach and its potential impact on participants are reduced.
For example, if you need to know how old a participant is for your research study, collect their age and not their date of birth. This reduces the risk to the participant if data is disclosed in error.
In keeping with the principle of data minimisation, if you plan to collect or use personal data in your research project, you will need to explain why it is needed in your Data Management Plan.