Data Protection Guidance for Researchers

Data Protection Guidance for Researchers

Data protection laws apply to any processing of personal data carried out by the University. This will include processing in the course of research activities. A suite of data protection guidance documents has been developed for researchers to support the University's compliance with data protection legislation.  

Current key relevant UK legislation:

  • The UK General Data Protection Regulation (UK GDPR)
  • The Data Protection Act 2018 (DPA 2018)
  • The Privacy and Electronic Communications Regulations 2003 and 2011 (PECR)
  • The Freedom of Information Act 2000 (FOIA)
  • The Environmental Information Regulations 2004 (EIR)

Where researchers have collaborative partners based in an EEA country or are undertaking research with EEA participants, the EU GDPR is also likely to apply.  Other countries outside the EEA have data protection legislation that may be applicable to some research projects.  The Information Governance team will assist as far as possible where non-UK laws apply but may need some external advice on legislation in other jurisdictions. Transferring personal data outside the UK and EEA also usually requires us to have additional safeguards (e.g., additional legal agreements) in place.

Index of guidance notes for researchers:

1.When do data protection laws apply?

  • When does data protection apply to research?
  • What is personal data? 
  • What is pseudonymised data?
  • When is data fully anonymised?
  • What are special category personal data and criminal offence data and what extra requirements apply to these kinds of personal data?

2. Key requirements and research exemptions

  • Data minimisation and other principles
  • The lawful basis for processing
  • How data protection laws define research and exemptions for research activities

3. Transparency and the Right to be Informed

  • Privacy Notices and Participant Information Sheets
  • The right to be informed
  • Exceptions to the right and where this might apply in a research context

4a. Data Protection Impact Assessments (DPIAs) 

  • What is a DPIA?
  • When do I need to do a DPIA?
  • What should I include?
  • What is the process and where can I get support?

4b. DPIA Template Form

4c. DPIA Training Slides

4d. DPIA Examples

  • Worked examples of DPIAs for research projects are available in the table towards the bottom of the linked page.  Internal access only; example documents are not for sharing outside of the university.  Doctoral researchers may need to click 'request access' to be able to view these.

5. Sharing Personal Data with Partners and Suppliers

  • Data Processor and Data Controller roles and responsibilities
  • Data sharing agreements
  • International Data Transfers
  • Appointing suppliers for a project

6. Data Security and Storage 

  • Risks and appropriate measures
  • Data breaches
  • Fines and enforcement action

(See also The Digital Skills Hub; internal access only)

Further information 

ICO Guidance on research

The Information Commissioner's Office has published detailed guidance on the research provisions in the UK GDPR and the DPA 2018 which may be of interest.

Information on Artificial Intelligence

The ICO has published Guidance on AI and data protection and continues to update this.  This ICO blog article on generative AI may also be helpful .  The ICO ran an informative workshop on generative AI at its 2023 conference and the recording has been published here.

The OECD has published a range of resources on AI which include Principles, a Framework for the Classification of AI systems.  It has produced a series of articles on AI, including AI in Science: Challenges, Opportunities and the Future of Research.

Biometric data

The ICO has published draft guidance on biometric data.  This link will be updated once the final guidance is published.

Information to support funding bids and tenders

Information for use in funding bids and tenders for contract research and consultancy as well as template data sharing and processing agreements is also available on the Information Governance SharePoint site: Bids, Tenders and Contracts

The University is registered with the Information Commissioner’s Office (ICO) as a data controller - Sheffield Hallam University Higher Education Corporation, registration number: Z6559086.  

The University is a public authority for the purposes of the Freedom of Information Act 2000 and the Data Protection Act 2018. 

The University has appointed a Data Protection Officer, Helen Williamson, who can be contacted on


Information Governance Team

The Information Governance Team are located within the Directorate of Governance, Legal, and Sector Regulation and provide a central information governance service across the University’s business areas and activities.

Accessing IG Team Services and Support: