Researcher’s checklist for compliance with the Data Protection Act, 1998

This checklist is for use alongside the Guidance notes on Research and the Data Protection Act 1998. Please refer to the notes for a full explanation of the requirements.

You may choose to keep this form with your project management documentation so that you can prove that you have taken into account the requirements of the Data Protection Act.

REQUIREMENT

A / Meeting the conditions for the research exemptions:
1 / The information is being used exclusively for research purposes. / Mandatory
2 / You are not using the information to support measures or decisions relating to any identifiable living individual. / Mandatory
3 / You are not using the data in a way that will cause, or is likely to cause, substantial damage or substantial distress to any data subject. / Mandatory
4 / You will not make the result of your research, or any resulting statistics, available in a form that identifies the data subject. / Mandatory
B / Meeting the conditions of the First Data Protection Principle:
1 / You have fulfilled one of the conditions for using personal data, e.g. you have obtained consent from the data subject. Indicate which condition you have fulfilled here: ______ / Mandatory
2 / If you will be using sensitive personal data, you have fulfilled one of the conditions for using sensitive personal data, e.g. you have obtained explicit consent from the data subject. Indicate which condition you have fulfilled here: ______ / Mandatory if using sensitive data
3 / You have informed data subjects of:
  1. What you are doing with the data;
  2. Who will hold the data, usually The University of Edinburgh;
  3. Who will have access to or receive copies of the data.
/ Mandatory unless B4 applies
4 / You are excused from fulfilling B3 only if all of the following conditions apply:
  1. The data has been obtained from a third party;
  2. Provision of the information would involve disproportionate effort;
  3. You record the reasons for believing that disproportionate effort applies. Please also give brief details here:
______
N.B. Please see the guidelines above when assessing disproportionate effort. / Required only when claiming disproportionate effort
C / Meeting the conditions of the Third Data Protection Principle:
1 / You have designed the project to collect as much information as you need for your research but not more information than you need. / Mandatory
D / Meeting the conditions of the Fourth Data Protection Principle:
1 / You will take reasonable measures to ensure that the information you collect is accurate. / Mandatory
2 / Where necessary you have put processes in place to keep the information up to date. / Mandatory
E / Meeting the conditions of the Sixth Data Protection Principle:
1 / You have made arrangements to comply with the rights of the data subject. In particular you have made arrangements to:
  1. Inform the data subject that you are going to use their personal data.
  2. Stop using an individual’s data if it is likely to cause unwarranted substantial damage or substantial distress to the data subject or another.
  3. Ensure that no decision, which significantly affects a data subject, is based solely on the automatic processing of their data.
  4. Stop, rectify, erase or destroy the personal data of an individual, if necessary.
Please give brief details of the measures you intend to take here:
______ / Mandatory
F / Meeting the conditions of the Seventh Data Protection Principle:
1 / You have made suitable security provisions for the data including assessing the security of your work environment and the systems you use.
Please give brief details of the measures you intend to take here:
______ / Mandatory
G / Meeting the conditions of the Eighth Data Protection Principle:
1 / You will not transfer personal data outside the EEA unless one of the following applies:
  1. The country you are transferring the data to has been designated as providing adequate protection for personal data;
  2. You have obtained explicit consent from the data subject(s);
  3. You have an appropriate contract with the recipient of the data, which specifies the appropriate data protection requirements that must be met;
  4. You have completely anonymised the data.
Indicate which condition you have met and which country you will transfer the data to here: ______ / Mandatory

If you do not meet each of these requirements please contact for further assistance.