Data Protection in Research
In the UK, the Data Protection Act 1998 (DPA 1998) regulates the use of information that relates to an identifiable living individual, as well as information which, when combined with other data accessible to the researchers, would permit the individual’s identification (personal data). It places obligations on those who are responsible for determining the purposes for which the personal data is processed (data controllers), and gives rights to those who are the subject of that data (data subjects). Processing of personal data for research purposes falls under the general provisions of the Act, but some specific research-related exemptions are provided.
Undertaking research that involves processing personal data will normally bring you into contact with your institutional research ethics committee (REC), as such research is usually considered to be research with human subjects. The legal requirements of the DPA 1998 and the ethical principles that your REC uses to guide its processes overlap, although those legal requirements and ethical principles may have differing objectives and may not map precisely.
Different institutions, and indeed disciplines, may also work to different ethical understandings; for example, social science researchers may have rather different understandings of the nature and scope of ethical review than researchers in the bio-medical sciences. This guide will concentrate primarily upon the legal issues, but will note where legal and ethical approaches sometimes diverge.
from https://www.jisc.ac.uk/full-guide/data-protection-and-research-data