Research in action Research in action Research areas Research areas Excellence and integrity Excellence and integrity Research degrees Research degrees Events Events Outputs and data Outputs and data People People Contact us Contact us

Data Protection Guidance for Researchers

Data protection laws apply to any processing of personal data carried out by the University. This will include processing in the course of research activities. A suite of data protection guidance documents has been developed for researchers to support the University's compliance with data protection legislation.

Current key relevant UK legislation:

The UK General Data Protection Regulation (UK GDPR)
The Data Protection Act 2018 (DPA 2018)
The Privacy and Electronic Communications Regulations 2003 and 2011 (PECR)
The Freedom of Information Act 2000 (FOIA)
The Environmental Information Regulations 2004 (EIR)

Where researchers have collaborative partners based in an EEA country or are undertaking research with EEA participants, the EU GDPR is also likely to apply. Other countries outside the EEA have data protection legislation that may be applicable to some research projects. The Information Governance team will assist as far as possible where non-UK laws apply but may need some external advice on legislation in other jurisdictions. Transferring personal data outside the UK and EEA also usually requires us to have additional safeguards (e.g., additional legal agreements) in place.

Index of guidance notes for researchers:

1.When do data protection laws apply?

When does data protection apply to research?
What is personal data?
What is pseudonymised data?
When is data fully anonymised?
What are special category personal data and criminal offence data and what extra requirements apply to these kinds of personal data?

2. Key requirements and research exemptions

Data minimisation and other principles
The lawful basis for processing
How data protection laws define research and exemptions for research activities

3. Transparency and the Right to be Informed

Privacy Notices and Participant Information Sheets
The right to be informed
Exceptions to the right and where this might apply in a research context

4a. Data Protection Impact Assessments (DPIAs)

What is a DPIA?
When do I need to do a DPIA?
What should I include?
What is the process and where can I get support?

4b. DPIA Template Form

4c. DPIA Training Slides

4d. DPIA Examples

Worked examples of DPIAs for research projects are available in the table towards the bottom of the linked page. Internal access only; example documents are not for sharing outside of the university. Doctoral researchers may need to click 'request access' to be able to view these.

5. Sharing Personal Data with Partners and Suppliers

Data Processor and Data Controller roles and responsibilities
Data sharing agreements
International Data Transfers
Appointing suppliers for a project

6. Data Security and Storage

Risks and appropriate measures
Data breaches
Fines and enforcement action

(See also The Digital Skills Hub https://sheffieldhallam.sharepoint.com/sites/4042; internal access only)

Further information

ICO Guidance on research

The Information Commissioner's Office has published detailed guidance on the research provisions in the UK GDPR and the DPA 2018 which may be of interest.

Information on Artificial Intelligence

The ICO has published Guidance on AI and data protection and continues to update this. This ICO blog article on generative AI may also be helpful . The ICO ran an informative workshop on generative AI at its 2023 conference and the recording has been published here.

The OECD has published a range of resources on AI which include Principles, a Framework for the Classification of AI systems. It has produced a series of articles on AI, including AI in Science: Challenges, Opportunities and the Future of Research.

Biometric data

The ICO has published draft guidance on biometric data. This link will be updated once the final guidance is published.

Information to support funding bids and tenders

Information for use in funding bids and tenders for contract research and consultancy as well as template data sharing and processing agreements is also available on the Information Governance SharePoint site: Bids, Tenders and Contracts

The University is registered with the Information Commissioner’s Office (ICO) as a data controller - Sheffield Hallam University Higher Education Corporation, registration number: Z6559086.

The University is a public authority for the purposes of the Freedom of Information Act 2000 and the Data Protection Act 2018.

The University has appointed a Data Protection Officer, Helen Williamson, who can be contacted on DPO@shu.ac.uk.

Information Governance Team

The Information Governance Team are located within the Directorate of Governance, Legal, and Sector Regulation and provide a central information governance service across the University’s business areas and activities.

Accessing IG Team Services and Support:

Staff Intranet/Sharepoint Site - Information Governance SharePoint site: Information includes: Additional IG Team contact details, a list of Information Governance Guardians, template forms and template data sharing and data processing agreements, details of training, further information for use in bids and tenders.
Team Inbox/Email: Staff should contact the inbox for advice, support, and training enquiries - DPO@shu.ac.uk or FOI@shu.ac.uk
Website: For members of the public, information about privacy and data protection is available on the University website: Privacy and GDPR | Sheffield Hallam University (shu.ac.uk), as is information about Freedom of Information: Freedom of Information Act | Sheffield Hallam University (shu.ac.uk).

Excellence and integrity