The Data Protection Act 2018

Background and scope of the legislation

The data protection rights defined in GDPR and the Data Protection Act 2018 are citizen centric rights which mean that the rights apply wherever data subjects are in the world.

It applies to:

• EU data controllers and processors processing data of EU residents
• Other data processors and controllers offering goods or services to individuals in the EU
• Other data processors and controllers monitoring behaviour of individuals in the EU

Each EU country will adopt GDPR and introduce domestic legislation.  In the UK GDPR has been translated into the UK Data Protection Act 2018.  There are some variations as to how GDPR has been interpreted in domestic legislation.

The Information Commissioner’s Office (ICO) regulates the Data Protection Act 2018.

The European Data Protection Board (EDPB) regulates the GDPR.

The Data Protection Act 2018 is an Act of Parliament which defines UK law on the processing of personal data on identifiable living people. The Data Protection Act controls how personal information is used by organisations, businesses or the government.

There is a new EU General Data Protection Regulation (GDPR) which came into force in May 2018. Brexit will not change the requirement to adhere to GDPR and the Data Protection Act 2018.  The MRS will also keep their website updated with advice.


In general, data protection is about ensuring people can trust you to use their data fairly and responsibly. If you collect information about individuals for any reason other than your own personal, family or household purposes, you need to comply.

The UK data protection regime is set out in the DPA 2018, along with the GDPR (which also forms part of UK law). It takes a flexible, risk-based approach which puts the onus on you to think about and justify how and why you use data.

Core Concepts 

Core Concepts of Data Protection Act 2018 and GDPR are:


Transparency: being transparent about what is happening in any process.  For research recruitment transparency requirements apply:

• When gathering consent, you need to meet the higher threshold for demonstrating consent-based research
• Effective communication and clear information, for example with privacy consents, ensuring the language is appropriate for the audience whose personal data is being collected e.g. children, vulnerable adults, etc.
• Procedures for allowing participants to exercise their rights such as subject access rights, withdrawing consent and having procedures in place to enable these rights to be easily managed and implemented
• Respect of data subjects, participants, is a core requirement

Accountability: being able to demonstrate you have taken responsibility for all data protection measures.  Accountability principle applies to all irrespective of size, although how you implement requirements will be scalable.  Examples of accountability requirements include:

• Detailed written records are important, although the responsibility of this is likely to be shared with others involved in any research project e.g. field agencies, clients and so on.
• The privacy legislation is a risk-based piece of legislation.  If you have low-risk small amounts of personal data, your risk is likely to be less than those who have large datasets
• Mandatory breach notification
• The appointment of a Data Protection Officer is only mandatory for those that process large scale personal data, collect high levels of special category data or undertake large scale monitoring of individuals.  It is unlikely that recruiters will need a Data Protection Officer although organisations that offer recruitment services may need to.

Privacy by design and default – all research projects should be designed with privacy at the core, from the beginning, and built through the entire research process.  For example, anonymising data, limited access, minimal data collected, etc.

Key Definitions used in the Data Protection Act

Before we go through the principles and rules which govern the collection and retention of personal data it is useful to understand the terms that are used in the Act.

These terms refer to the people who obtain the data and to those whom the data is about:

Data Controller - controller means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.

You are the data controller if you collect and/or keep identifiable data on participants including, but not exclusively, names, email addresses, telephone numbers and determine the purposes for which and the manner in which personal data is processed.

The Data Protection Act 2018 requires data controllers, which includes research recruiters, to register with the ICO. Recruiters are not exempt from registration. Registration can be completed online via:  https://ico.org.uk/for-organisations/register . It is very straightforward and costs £40 to £2,900 with most organisations paying between £40-£60 (as per July 2019).

Data Processor - processor means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller

For instance you would be the data processor if you were recruiting from a client database/customer list and were not gathering or using any client data for your own purposes.

GDPR places specific obligations on both data controllers and data processors including the requirement to maintain records of personal data and processing activities, legal liability for breaches, having contracts in place, etc.

Data Subject - definition of a data subject is broadly a living natural person - this a technical term and in general the ICO will talk about 'individuals'.  

For market and social research purposes this is anybody who is identifiable from data which you hold irrespective of whether individuals have participated in research or not. Any employees you have will also be data subjects under the Act as you will hold identifiable personal data about them.

These terms refer to how you store and process data:

Processing - the GDPR covers a wide range of activities performed on personal data including by manual or automated means.

It includes the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.

The GDPR applies to the processing of personal data wholly or partly by automated means as well as to non-automated processing, if it is part of a structured filing system.

These terms refer to the nature of the data held:

Personal Data - Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. The GDPR applies to the processing of personal data that is:

• wholly or partly by automated means; or
• the processing other than by automated means of personal data which forms part of, or is intended to form part of, a filing system.

Personal data only includes information relating to natural persons who: can be identified or who are identifiable, directly from the information in question; or who can be indirectly identified from that information in combination with other information.

In most circumstances, it will be relatively straightforward to determine whether the information you process ‘relates to’' an ‘identified’ or an ‘identifiable’ individual. In others, it may be less clear and you will need to carefully consider the information you hold to determine whether it is personal data and whether the GDPR applies. In research recruitment it is best to assume that the data you have is personal data and treat it as such.

Sensitive Personal Data - Special category data (sometimes called sensitive data as it needs more protection when it is being collected) means personal data about an individual's:

race
ethnic origin
politics
religion
trade union membership
genetics
biometrics
health
sex life
sexual orientation

In particular, this type of data could create more significant risks to a person’s fundamental rights and freedoms. For example, by putting them at risk of unlawful discrimination. In addition there are separate safeguards for personal data relating to criminal convictions and offences, or related security measures, and largely the same conditions apply to this data as with special category data.

Types of Data 

Three types of data:

•  Identifiable data: data that identifies a data subject (a participant in research).
• Anonymous data: data from whom no data subjects can be identified – and such data falls outside of the Data Protection Act 2018 and GDPR – but not the MRS Code.
• Pseudonymous data: personal data that has been processed so that it can no longer be attributed to a specific data subject within the use of additional information e.g. coded data sets that cannot identify individuals without a key.

The risk profile for each type of data is different.  The highest risk is with identifiable data and the lowest is anonymous.  Research data is most likely to be identifiable data and recruiters should treat all data as identifiable data.

The rules for using personal data in the Data Protection Act 2018

The principles of the Data Protection Act 2018 are that data shall be:

(a) processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’);

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’);

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’);

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

Fines 

The legislation has a fine regime of two tiers:

• Some contraventions will be subject to administrative fines of up to €10,000,000 or 2% of global turnover, whichever is the higher
• Some contraventions will be subject to administrative fines of up to €20,000,000 or 4% of global turnover, whichever is the higher

Higher fines for breaches of basic principles including consent conditions, data subject rights, transfer and non-compliance with orders by regulators (such as the ICO).