Researchers must consider any legal requirements relating to their work before they start their research. The legal requirements may differ depending on the research that is being conducted, and the environment in which it is taking place. For example, different countries will have different legal requirements that you will need to consider.
The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 together determine how, when, and why any organisation can process personal data. Personal data is any information relating to an identified or identifiable natural person. You therefore need to think about and justify how and why you will use the data you collect. This includes ensuring that the processing of personal data is fair, lawful, necessary, and proportionate.
Processing can be unlawful if it results in other breaches, for example, of the Human Rights Act 1998. Researchers must ensure that their research is undertaken in a way that advances equality of opportunity, does not cause harm to any involved party, and eliminates discrimination. Some of these aspects are considered in other sections of this guidance.
You must have a lawful basis for processing personal data. The lawful basis which applies to your data depends on the specific purpose and context of the processing.
Article 6 of the UK GDPR outlines the lawful bases for processing data. At least one of these must apply when you are processing personal data:
- legal obligation
- vital interests
- public task
- legitimate interest
Participants have the right to be informed about the collection and use of their personal data. This is a key requirement under GDPR. It is about providing participants with clear and concise information about what you will do with their personal data. Articles 13 and 14 of the UK GDPR specify what information individuals have the right to be informed about. Researchers will need to issue participants with a privacy notice, which can be included as part of the information materials.