Skip to Main Content

Research Data Management: Personal and Special Category Data

Research Data Management (RDM) Library guide

Data Management Plans (DMPs) - Personal Data

To comply with data protection legislation, it is necessary to take appropriate steps to protect personal data. Any personal data collected or used in a research project needs to be documented in a Data Management Plan, along with the safeguards that will be in place to mitigate any risks.

These should be documented in the following sections/questions of the BU Data Management Plan (DMP) template:

Ethical and legal compliance

Storage, back-up, and security

Personal data

Personal data is any information relating to a living individual. If you're collecting data about someone who is alive, and it's possible to identify that someone, then you're collecting personal data. Individuals might be identifiable directly or indirectly.

Special category data is personal data that is more sensitive in nature, and so requires a higher level of protection. GDPR defines special category data as personal data about an individual's:

  • Race
  • Ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade Union membership
  • Genetic data
  • Biometric data (where this is used for identification purposes)
  • Health data
  • Sex life; or
  • Sexual orientation

Information relating to criminal convictions or offences also require higher levels of protection.

Privacy Impact Assessments (PIAs) / Data Protection Impact Assessments (DPIAs)

Purpose

A Privacy Impact Assessment (PIA) (also known as a Data Protection Impact Assessment (DPIA)) is required when data processing activities are likely to result in a "high risk" to the rights and freedoms of individuals.

In a research context, this need may arise when research involves high-risk data processing, particularly when handling sensitive or special category personal data.

The primary purpose of a PIA is to identify and mitigate data protection risks early in the project planning stage. The requirement for a PIA often emerges as part of the Data Management Plan (DMP) and/or the ethics approval process and may also be required by a research funder or sponsor.

Additional information on conducting a PIA at BU is available from the BU's Data Protection SharePoint site. For support or questions, please contact the Data Protection Officer.

When Are You Likely to Need to Conduct a PIA?

A PIA is typically required if your research involves:

  • Large-Scale Processing of Special Category Data
    • This includes processing sensitive data, such as health, biometric, or genetic data, on a substantial scale.
  • Systematic Monitoring of Individuals
    • Projects that involve continuous or large-scale observation, tracking, or profiling of individuals may require a DPIA.
  • Data Transfers Outside the UK
    • When data is transferred to countries outside the UK that may not offer adequate data protection standards, a DPIA is necessary to evaluate and address associated risks.

PIA Process

The PIA process involves assessing the scope, necessity, and proportionality of the planned data processing. It also includes identifying and implementing measures to mitigate potential privacy risks to participants.

This proactive assessment helps ensure that privacy considerations are integral to the project from the start, thereby reducing potential compliance issues and protecting participant rights.

Anonymisation and Pseudonymisation

Anonymisation
Anonymisation involves processing data to prevent the identification of individuals, directly or indirectly, from the data alone or in combination with other available information. Properly anonymised data is no longer classified as personal data and, thus, is not subject to data protection laws. Anonymisation is suitable when research results or shared datasets do not require identifiable information.

Pseudonymisation
Pseudonymisation replaces identifiable information with codes or pseudonyms. While pseudonymisation protects participants' privacy to a significant extent, it allows for re-identification if additional information is available. Consequently, pseudonymised data remains subject to data protection regulations and should be safeguarded accordingly.

Further information on these techniques and reference to guidance on how to utilise them can be found under the 'security section'. 

Using PIAs in conjunction with anonymisation and pseudonymisation can enhance compliance and build participant trust, ensuring that privacy protections align with ethical and regulatory standards throughout the research project.