Data protection & research

Research projects undertaken at the University will often involve information relating to individuals. This information must be processed in accordance with the requirements of data protection law.

These pages introduce researchers to the provisions of the following legislation on data protection (which take effect from 25 May 2018):


The GDPR is an EU Regulation that applies directly to the UK while it remains a member of the EU. The UK government has indicated that the requirements of the GDPR will be incorporated into UK law when the UK ceases to be a member of the EU.



The Data Protection Bill, which is currently before Parliament, will supplement the GDPR by legislating in those areas where member states have discretion to vary or adapt GDPR provisions. A number of its clauses relate specifically to research.

These pages focus mainly on the GDPR, as it is the more significant piece of legislation. References to the GDPR should be taken to mean the GDPR, as supplemented by the Data Protection Bill. The pages will be updated after the Data Protection Bill has been finalised and formally enacted.


These pages were prepared for researchers based at the University of Oxford and are provided for information purposes only. The information in them is therefore general in nature, and should not be considered or relied on as legal advice. You are strongly advised to obtain specific advice in relation to your project.