Information governance for researchers

What is information governance?

Information Governance (IG) is a holistic approach to managing information at an organisation. A range of processes, roles, controls and metrics support the secure treatment of information as a valuable business asset and embed compliance with legislation governing the management of information.

Why is IG needed when accessing secure data?

When accessing secure personal data, it is vital to protect the rights and freedoms of those individuals whose data is being accessed and to comply with the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018.

Robust information governance not only ensures that an organisation is complying with data protection legislation but also engenders trust and confidence in individuals that their personal data is being treated securely and confidentially. IG processes also assist researchers by establishing contractual and technical controls and appropriate risk assessments to support efficient and timely access to data. It is worth noting that there is no “one-size-fits-all" IG approach and processes are determined on a case-by-case basis depending on what kind of data a researcher requests. 

Data protection principles and guidance

The UK GDPR and the Data Protection Act 2018 together determine how, when and why any organisation can process personal data (any information that can identify a living individual). These laws exist to ensure that personal data is managed safely and used responsibly. 

The UK GDPR sets out seven key principles governing the processing of personal data. 

• Lawfulness, fairness and transparency 
• Purpose limitation 
• Data minimisation 
• Accuracy 
• Storage limitation 
• Integrity and confidentiality (security) 
• Accountability 

Following these core principles is crucial when using personal data for research purposes as they help to ensure personal data is processed safely, securely and in compliance with legislation. 

Lawful basis for processing

Any intended processing of personal data must be lawful, fair and transparent. Researchers must establish a lawful basis for processing the data before a project starts.

The most likely lawful basis for research in UKRI Institutes and in universities (as public authorities) is “task in the public interest”.

Organisations can demonstrate they meet the requirements to use this lawful basis by referring to their legal constitutions, or because they are operating under a relevant statute that specifies research as one of the organisation’s purposes. Examples of relevant university statutes include: 

• University Charter 
• Education Reform Act 
• Universities Scotland Act 
• Higher Education and Research Act (for UKRI research institutes) 

For non-public authorities, such as charities and commercial/independent research organisations, the most likely lawful basis for processing personal data for research purposes is “legitimate interests”.

Data protection legislation allows certain exceptions for research as it recognises not only that any data can be useful for research but also that research can be a long-term undertaking. Specifically, in relation to the UK GDPR principle of “storage limitation”, the Information Commissioner’s Office (ICO) states that data can be stored for research purposes indefinitely, where the data owner has set out a lawful and legitimate justification for its retention. 

Data processing contracts and DPIAs

Another fundamental part of ensuring that the processing of personal data is lawful is completing the necessary risk assessments and establishing contracts that govern the sharing or processing of the data. These contracts are known as Data Sharing Agreements and Data Processing Agreements, which contain the necessary legal clauses to define the roles of the parties and their obligations in relation to the processing of data.

A Data Protection Impact Assessment (DPIA) should also be completed prior to commencing research using personal data. The DPIA will

• establish the data protection roles of all parties involved 
• document the processing activity 
• identify any risks associated with the processing and  
• include the mitigations which will either reduce or eradicate those risks.  

The completion of a DPIA is a legal requirement dependent upon the volume and sensitivity of the data being processed. The UK GDPR states that a DPIA must be carried out where the processing of data is likely to result in a high risk to the rights and freedoms of individuals. Further guidance on the requirement for a DPIA is available on the ICO’s website.

Under the UK GDPR an organisation undertaking research involving personal data will take on one or more of the undernoted roles, dependent upon their processing activity and the following factors: 

• Who owns the data?​ 
• Where is it going?​ 
• What is being done to it?​ 
• How many parties are involved? 

A fundamental consideration is establishing who determines the purposes for which the data is processed and the means of processing. In other words, who is the Data Controller and who is the Data Processor? 

• Controller: The person (i.e., an individual or legal body, such as a business or public authority) who decides the means and purpose of how personal data is processed. Data Controllers are responsible for adhering to the UK GDPR and DPA 2018 legislation and take responsibility for any issues. (NB. Individuals can be controllers but staff working for a controller are not themselves controllers if they are carrying out authorised processing for the controller.)  
• ​Joint Controllers: Where two or more controllers jointly determine the purposes and means of processing. 
• Processor: An individual or legal body who processes on behalf of the controller under instruction (this definition excludes the staff of a controller as controllers authorise access for their staff). A Data Processor only follows instructions but has obligations towards security (e.g., data breach reporting).​ 

Guidance

Most universities and research organisations will have either an information governance or data protection team, a research support office, or a legal practitioner, all of whom are there to assist researchers with their projects (including applications for data) and any aspects of governance or data protection. It is important to engage with your organisation’s information governance/data protection team to not only ensure that the proposed data processing is lawful and secure, but also that any internal processes are followed and signed off by the appropriate member of staff.

The information governance/data protection team will be able to signpost relevant templates, for example DPIAs, data processing agreements, and data sharing agreements. They can also advise if other contracts will be required in relation to the proposed research activity.

Guide to accountability and governance

Other considerations

In addition to the agreements between the researcher’s institution and the data provider, further agreements may be required with the institution or facility which will hold or link the data. For example, for non-health data using the National Safe Haven, a controller/processor contract with eDRIS is required as they will process (i.e., hold and link) the data on the researcher’s behalf. In this case, eDRIS will provide their own standard contract.

If eDRIS are not involved, the researcher may consult their institution’s research support office or data protection team to obtain a relevant controller-processor contract or to arrange specific research contracts to govern the research activity. These would then sit alongside the relevant data sharing/processing agreement.