Data protection notice for research participants

This general notice sets out how the University deals with the personal information of individuals who participate in University-led research projects. You should read this notice alongside the participant information sheet provided to you by the research team.

We may update this information from time to time to ensure continued compliance with current legislation and to reflect best practice.

In the unlikely event that there is any contradiction between this general information and the specific participant information sheet that you will be provided with by the researcher, the specific participant information sheet takes precedence.

Identity of the Data Controller

As a Data Controller, Cardiff University is legally responsible for processing your personal data in accordance with data protection legislation. In order to carry out its research functions it is necessary for the University to collect, store, analyse and otherwise process your personal data.

The University is registered as a Data Controller with the Information Commissioner's Office (ICO) to process personal data for research purposes. Reg no Z6549747.

What personal information do we collect about you?

All research projects are different and the information we collect will vary. You will be provided with a participant information sheet which will specify the personal data that we need to collect from you for the research project. Researchers will only collect information that is essential for the purpose of the research.

Some data (such as survey data) is frequently collected anonymously so cannot be withdrawn once you have given permission for it to be used. Where you may be identifiable in a research publication (such as an attributable quote or a photograph), we will seek your explicit consent.

What is our legal basis for processing your personal data?

Under Data Protection law we are required to specify the legal basis we are relying on to process your personal data.

Cardiff University is a public research institution established by royal charter to advance knowledge and education through its teaching and research activities. As such, personal data is processed on the basis that doing so is necessary for our public task, is for scientific and historical research purposes which are in the public interest, and is subject to necessary safeguards.

Note that the legal basis on which your personal data is processed under data protection law is separate from ethical consent requirements and any common law duty of confidentiality that may apply.

Research in the University is governed by policies and procedures and all research involving human participants undergoes ethical scrutiny to ensure that the research is conducted in a manner that protects participants. For more information see our Integrity and Ethics pages.

For what purpose will your information be used?

The purposes of the research study will be set out in the participant information sheet that you will receive from the researcher prior to agreeing to take part in the research. This will detail the specific research study or project you are participating in and (where applicable) the sources of data that might be used, any data sharing or international transfer arrangements, and any automated decision-making that affects you.

Who will have access to your data and how will it be secured?

To communicate our research to the public and the academic community your anonymised data is likely to form part of a research publication or conference presentation or public talk. Where researchers wish to use any information that would identify you, specific consent will be sought.

The privacy of your personal data is paramount and will not be disclosed unless there is a justified purpose for doing so. The specific security arrangements for any personal data you provide will be included as part of the participant information sheet and will also be covered by the University Information Security Policies.

Your personal data may be shared with project team members who are authorised to work on the project and access the information. This may include staff at Cardiff University or collaborators at other organisations. This will be clearly identified in your participant information sheet.

Where necessary, your personal data may also be made available in confidence to auditors or to the named person in the case of allegations of research misconduct outlined in our Procedures for Dealing with Allegations of Misconduct in Academic Research.

How long will your information be held?

The participant information will provide details about the long-term use (and, where applicable, re-use) and retention of your personal information in connection with the specific research study or project you are participating in. If a study is funded the research funder will usually define the period of time for which data will be kept. Otherwise it will be kept in accordance with the University’s Records Management Policy and Records Retention Schedules for a specified period of time after your research participation with us ceases.

Research data is normally anonymised as quickly as possible after data collection so that individuals cannot be identified and your privacy is protected. You will not be able to withdraw your data after this point.

In addition to data we collect from you or generate through interactions with you as part of the research activity, we will also hold your personal data within project governance documentation (in particular participant agreements or consent forms) and records of any communications with you through email or letter. These will usually need to be retained for audit purposes even if you decide not to take part or withdraw from participation at a later date.

Your data protection rights

There are various rights under data protection legislation details of which can be found on the rights webpage. Note that your rights to access, change or move your information are limited, as we need to manage your information in specific ways in order for the research to be reliable and accurate. If you withdraw from the study, we may need to keep the information about you that we have already obtained. To safeguard your rights, we will use the minimum personally-identifiable information possible and we will always try to respond to concerns or queries you may have and comply with your wishes as far as possible.

Do we transfer information outside the European Economic Area (EEA)?

It will be made clear in the participant information sheet whether it is necessary to transfer your personal data outside of the EEA. If it is necessary to transfer your personal data outside of the EEA we will take steps to ensure that appropriate security measures are taken to protect your privacy rights such as imposing contractual obligations on the recipient or ensuring that the recipients are subscribed to ‘international frameworks’ that aim to ensure adequate protection. Technical measures such as encryption will also be considered.