The GDPR is a legal framework that outlines requirements for the collection and processing of personal information of individuals within the European Union (EU) and replaces the Data Protection Act (DPA).
The GDPR applies to the processing (collection, storage, analysis etc) of personal data. Personal data is information that relates to a living individual who can be identified from that information, whether directly or indirectly, and in particular by reference to an identifier. It includes, for example, a name, an identification number (eg pseudonymised data), location data, audio/video recording or an online identifier, such as the IP address. It could also include information that identifies an individual’s characteristics, whether physical, physiological, genetic, cultural or social. Sensitive personal data (relating to race, ethnicity, sexual orientation, politics, religion, health, trade union membership, genetics, sexual life, biometrics (where used for ID purposes), or criminal activities) is referred to as special category data under the GDPR.
For more information, please refer to the University guidance on data protection and research, the HRA’s website, the MRC’s website.
If researchers have any queries related to GDPR in the context of their particular research study or clinical trial, they should address these to CTRG.
The University’s Research Governance, Ethics & Assurance Team has no legal basis to receive, process or store personal and sensitive data (in particular related to patients). Therefore, it is imperative that such information is not sent to us. Instead, please ensure you have anonymised the information appropriately before sending it to us.