Students undertaking research or other work involving personal data

Audience

This guidance is intended for students undertaking research or other work involving information about living, identifiable individuals as part of their programme of study at the University of Edinburgh.

Background

The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 protect the rights of individuals when you process personal data about them, including obtaining, holding and destroying it. The definition of personal data is highly complex. For day-to-day purposes, it is best to assume that all information about a living, identifiable individual is personal data. This includes any expression of opinion by or about the individual.

Students use personal data for three main reasons:

To maintain a personal life, for example to communicate with family and friends.
To pursue a course of study with the University, for example to research and write an essay, report or thesis.
To carry out research as a member of a University-established research group.

Students may use many different methods to process personal data, such as maintaining an email account, a computer database, or using social media accounts.

The data protection laws and you

The University is only responsible for personal data when it is the data controller for that data. A data controller is the person who determines the purposes for which, and the manner in which, any personal data is or is to be processed. Therefore the University is only responsible for the personal data processed by its students when the students process data for the University's purposes. The following scenarios are the most likely circumstances in which students will process personal data.

Scenario one

Students process personal data in the course of their personal life, for example writing e-mails (using their University-provided e-mail account) to their families about a friend's recent birthday.
The University is not the data controller for personal data processed by students in the course of their personal life, as the University does not determine the purpose of the processing. The fact that students may choose to use their University-provided e-mail account to pursue their personal life does not make the University responsible for the processing of personal data for that purpose. The University did not determine the purpose so the University cannot be the data controller. Students are the data controller and may claim the so-called ‘purely personal or household activity’ exemption. Use of this exemption has the effect that data protection laws do not apply to the processing activity.

Scenario two

A student processes personal data in order to pursue a course of study with the University.

The University is not the data controller for personal data processed by students to pursue a course of study with the University. Students undertake a course of study with a University for their own personal purposes, most obviously to obtain a qualification. Students are not employees or agents of the University, and neither do they act on behalf of the University. Students decide what work they will do, the way in which they will do it and what they will include in their final write up. They must make these decisions themselves in order to prove that they are capable of degree-level work. They work on behalf of themselves and not the University. Thus, the University cannot be the data controller for the personal data processed by students in the course of their studies. Again, the ‘purely personal or household activity’ exemption applies.

However, the student will still be bound by the University’s policy and procedures due to the Student Contract with the University.
This means that when students are processing personal data as part of their work to pursue a course of study, the University’s Data Protection Policy applies to them and they will be required to ensure that their work complies with the data protection principles. This contractual duty to comply with the University's Data Protection Policy extends to all work related to the course of study, even if the Student Contract has expired, such as a promise to inform research participants of results after the dissertation has been submitted and approved. If the students use the work generated during their course of study as the basis for a post as academic researchers, then the University is the data controller for this follow-on work.

Data Protection Policy

If the students use personal data in their research, whether for a postgraduate degree or for an honours dissertation, then they must complete a data protection impact assessment and follow the guidelines provided in the document “Research and Data Protection”.

Research and Data Protection
Data Protection Impact Assessment

Scenario three

A student submits a piece of work (e.g. an essay/report/dissertation/thesis) in which there is personal data, to the University for assessment.

The University and the student are joint data controllers for the personal data contained within the submitted piece of work from the point at which it is submitted. Once the work has been submitted the University is jointly responsible for the personal data within the document, for example the member of staff who marks the work is processing the personal data contained within it (by reading it) for the purpose of determining what grade the University should award the student; this is the University's purpose. If the work is then transferred to the University library to be put on reference (for example if it is a Ph.D. thesis) the University is responsible for any processing of the personal data associated with the document being placed on reference as providing a reference service is a University purpose.

Scenario four

A research student processes personal data whilst working on a project led by a university research group. This scenario is only relevant for postgraduate research.

The University is the data controller for personal data processed by a student working on a research project led by a university research group. The student processes personal data for the purposes laid down by the project, the remit of which has been decided by the University (or the University-employed project leader), not the student. The purposes for processing are the University's and not the student's; therefore the University is the data controller and the student is an agent of the University. This is the case whether the student is funded by the research project or whether the student is self-funding.

Scenario five

A research student processes personal data in order to pursue a course of study with the University. The University is the (co-)sponsor of the study.

In this situation the University will always be a data controller.

Conclusion

The University is the data controller for personal data processed by students only in very limited circumstances as described in scenarios 3, 4 and 5; in all other circumstances students process data for their own purposes and not the University's and are covered by the ‘purely personal or household activity’ exemption.

Ten steps to responsible use of personal data

Before you start, carefully consider what personal data you need to collect for your project and obtain the consent of your supervisor or other relevant member of University staff.
Obtain ethical consent from the data subject. For research this will usually be in writing. Discuss with your supervisor any concerns about obtaining consent prior to collecting personal data.
Give a clear explanation of what you are going to do with the data to the people participating in your research.
Do not collect or keep data that is not necessary for your research.
Anonymise data where possible by removing names and other identifying information.
Ensure that all personal data, especially opinions, is recorded accurately. Respect reasonable requests to update or delete data you have collected.
Store personal data securely. If you are using information that is already public knowledge, such as the names of Olympic medal winners, you will not need to take any security measures. However, if you are recording less public information, you must ensure that the information is secure.
Do not disclose personal data to anyone except the individual concerned.
Securely destroy personal data when it is no longer necessary for your research. Consult the Assessment Regulations to confirm how long you will need to retain research data until your marks have been confirmed.
Be aware of required safeguards for international transfers of personal data outside of the UK.