UNIVERSITY of GLASGOW

DP and FOI office
home > services > DP and FOI office > A-Z topics > Checklist for Research

Checklist for compliance with DPA for Research on Personal Data

The DPA places responsibility on the University to control the processing of personal data for research within the University. The processing must meet the eight Principles of the DPA, though there are limited exemptions for research. Research is not defined by the DPA but it includes historical & statistical studies.


The following points should help determine whether your research project, planned or new or existing, are subject to the DPA and, if so, what precautions you must take. Please work your way through all the points unless you conclude, after point 1, that the DPA does not apply to your research project. If you are unsure at any stage, you must consult the University Data Protection Officer, via the Enquiries link to ensure compliance.

  • Check that you know what is meant by personal data and sensitive personal data. If your research project does not involve such data then the DPA does not apply.

  • Check that you know what is meant by, and the conditions applied to, research on personal data;

  • Check that you know and apply the additional rules that apply to research on sensitive personal data;

  • Check that you have obtained appropriate consent for research from all the individuals who are the target of the research;

  • Check that you know the limited exemptions that may apply to your research project;

  • Strip out any identifying information not needed for the processing of the research data. Make the research data anonymous if practical, & to no disadvantage to the research, to increase the security of the processing. Do not supply a ‘key’ to completely anonymised data to anyone other than the person(s) required to know the 'key'.

  • Check that your arrangements meet the security requirements of the DPA. Be particularly careful when physically taking research data outwith the University - especially on laptop computers;

  • Research data remains subject to the 8th Principle of the DPA. If the research data is (a) transferred into the University or (b) being transferred outwith the University at any stage, ensure that an appropriate contract is in place that covers data protection requirements & responsibilities;

  • Check the Research and Enterprise publication Good Practice in Research, which provides recommendations on documenting results and storing primary data based on the requirements of several Research Councils, as it takes into account:
    • The legal and regulatory framework for particular types of research;
    • The terms and conditions imposed by external research sponsors;
    • The commercial, political or ethical sensitivity of particular types of research, or any research for particular external sponsors.

  • Check that, when the research data is not longer required, it is retained in line with the Research and Enterprise publication Good Practice in Research or is securely destroyed. The University Records Centre provides secure facilities for the deposit of research data that may be required to be retained after the termination of the research project. Material is deposited in numbered boxes that may only be retrieved by the depositor and any nominated colleagues.