Study Initiation and Management: Collection and storage of Data

Back to Study Initiation and Management

Station navigation


When working with identifiable personal information it is essential that some general principles are followed. These can be accessed from Principles in the 1st resource below.

The Data Protection Act 1998 (DPA) requires that all organisations handling identifiable personal information comply with a number of important principles regarding privacy and disclosure. The 2nd resource below outlines the 8 Principles of the Data Protection Act and other parts of the Act relevant for research. The research exemption (Section 33) applies to medical research, which in practice means:

  • Further processing of data for the purposes of research is allowed; provided that the data are not processed to support decisions with respect to individuals and not processed in a way that substantial damage/distress is likely to be caused
  • Data can be held indefinitely
  • Where results of research are provided in a form that does not identify individuals, subjects do not have the right to access the data that is held about them

The principle of fair processing including fair collection still applies (see below).

The DPA requires that any data collected are fairly collected i.e. individuals have a right to know who holds information about them and why. Whilst consent represents the ultimate in fair collection, as long as data subjects are aware how their personal information is being used this meets the requirement of the DPA (e.g. information notices). In order to meet the requirements of the common law duty of confidence the research must be carried out by those who owe a duty of confidence to the individual, or consent or Section 251 or Caldicott Guardian or Medical Director approval be obtained. See Proposed use without appropriate consent station.

The Information Commissioners Office (ICO) requires that any organisation wishing to collect or hold personal data must be registered with them (see 3rd resource).  You should check with your local Data Controller what types of data are held on the ICO register for your organisation and if details of the data you propose to collect need to be added to the register.

It is important that all data should be held securely, be robustly backed up and its confidentiality safeguarded. To ensure compliance with these and other requirements (e.g. governmental), organisations implement an Information Security Policy (see 4th resource of MRC policy as an example). This policy should be consulted prior to the design and conduct of any study to ensure the research team has the principles of the DPA in mind at all times.  For example, study questionnaires should be designed so that only the required information is requested and study data can be easily dissociated from identifiable data.

The NHS Information Governance Toolkit (5th resource below) allows NHS organisations and partners to assess themselves against Department of Health Information Governance policies and standards. Completion of the Information Governance Toolkit is now a requirement for a number of approvals (see also Central NHS and Government Data and Section 251 approval).

Coding data is one method by which the confidentiality of data can be safeguarded. Usually this means that a key to the code or cipher is kept by the same organisation/research team and access to the cipher given on a tightly controlled basis. In addition to this physical barriers/protection can be put in place to support controlled access (i.e. locked offices and filing cabinets). It is worth noting that the coded data itself is still classed as personal data under the DPA if the cipher and linked data are held within the same organisation (i.e. as both are available to the Data Controller).

Further guidance on Anonymisation and pseudonymisation is available in the 1st resource below. See also Information security for identifiable data, and Information security for non-identifiable data.

If requiring access to NHS data, NHS Trusts should operate a 'Safe Haven' policy to ensure that personal information is received to a secure and protected point, and that confidentiality is maintained. See Access to Data/Tissues and Transfer of Data/Tissues. If requiring access to identifiable NHS data without consent, guidance is also available in Should consent be sought? and Central NHS and Government Data.

In exceptional circumstances (e.g. where access to NHS IT networks is required), initial enquiries should be directed to NHS Digital, contact details are available in the 6th resource below.

When acquiring data from others, you (or more accurately your organisation) may be required to enter into specific agreements on how the data will be used, your responsibilities and the arrangements for the end of the study, etc. You would not normally be expected to prepare an agreement or to sign one off yourself, but you should know that this has been done before you start using the data in your research.


  • 1. MRC Ethics Series: Using information about people in health research

    This practical guidance reflects the current relevant legal framework when using information about people in health research. It will be revised to reflect the new GDPR, which is expected to come into force on 25 May 2018.

    Good practice for data Date added: 4 September 2007
  • 2. ICO Guidance

    Information Commissioner's Office Guidance (ICO) for organisations that hold identifiable data.

    Legal requirement for data Date added: 6 September 2007
  • 3. ICO register

    Information Commissioner's Office (ICO) public register of Data controllers.

    Legal requirement for data Date added: 18 March 2011
  • 4. MRC Information Security Policy

    MRC Information Security Policy.

    Good practice for data Date added: 17 March 2011
  • 5. NHS Information Governance Toolkit

    An online system which allows NHS organisations and partners to assess themselves against Department of Health Information Governance policies and standards.

    Good practice for data Date added: 6 September 2007
  • 6. NHS Digital: Contact details

    Initial enquiry point for access to NHS IT networks.

    Standard process for data Date added: 6 September 2007