Data Protection Checklist: Research and Related Activities: What Is Personal Data?

This document provides a checklist for ensuring compliance with the General Data Protection Regulation (GDPR) when processing personal data for research purposes. It outlines the key requirements of the GDPR regarding obtaining and processing personal data fairly and lawfully, with appropriate privacy notices and security measures to protect individuals' privacy and keep the data secure. Researchers must complete this checklist to confirm they have considered all necessary data protection requirements before proceeding with any research involving personal data.

Uploaded by

AAMIR

Data protection checklist:

Research and Related Activities


Activities which involve processing personal data must comply with the General Data Protection Regulation
(GDPR). This checklist outlines the requirements of the GDPR and the measures you must take when
processing personal data for research; it also provides a mechanism for recording the steps you will take to
ensure the personal data you are using are safeguarded and the reputation of the University is upheld.

Ensuring personal data are processed fairly and lawfully with due regard for individuals’ privacy and
ensuring that personal data remain secure are paramount. Demonstrating that we have considered the
requirements of the GDPR when conducting our activities will provide assurances to research participants
that their personal data are protected at Salford. Truly anonymised data (which cannot be reconstructed or
linked to any other data you hold or may hold in the future to enable you to identify individuals from it)
does not constitute personal data because it cannot be used to identify individuals.

What is personal data?

Personal data are data relating to a living individual who can be identified from those data. Personal data
can be factual (such as name, address, date of birth) or can be an opinion (such as a professional opinion
as to the causes of an individual’s behavioural problems). Information can be personal data even if it
does not include a person’s name or other obvious identifiers; for example, a paragraph describing a
specific event involving an individual or a set of characteristics relating to a particular individual may not
include their name but would clearly identify them from the set of circumstances or characteristics being
described or represented.

What is processing?

The GDPR is concerned with the processing of personal data. Processing means obtaining, recording or
holding the information or data or carrying out any operation or set of operations on the information or
data, including –
(a) the organisation, adaptation or alteration of the information or data,
(b) retrieval or use of the information or data,
(c) disclosure of the information or data by transmission or otherwise making available.

If your proposed activity involves processing personal data, you must complete the following checklist.
If you are unable to answer Yes to each applicable question, you must contact the Information Governance
Team for advice before proceeding. If you require any further information or guidance to enable you to
answer Yes to each question, please contact the Information Governance Team.

Type of activity:
Activity name/title:

Data Protection Checklist Form V2.0 Final 150819 Page 1 of 4


Processing personal data fairly

The GDPR requires us to process personal data fairly and lawfully. In practice and in the context of
research, we must:

• have legitimate grounds (this is our public task);
• not use the data in ways that have unjustified adverse effects on the individuals concerned;
• be transparent about how you intend to use the data, and give individuals appropriate privacy
  notices when collecting their personal data;
• handle people’s personal data only in ways they would reasonably expect; and
• make sure you do not do anything unlawful with the data.

If your activity involves sensitive personal data, have you checked and confirmed that
you can satisfy a condition for processing this kind of personal data from the GDPR?
Sensitive personal data includes data about racial or ethnic origin; political opinions;
religious or similar beliefs; trade union membership; physical or mental health or
condition; sexual life; commission or alleged commission of any offences; or any
proceedings for any offence committed or alleged to have been committed.
Choose an item.

If the intended use of the personal data would or would be likely to have an adverse
effect on one or more individuals, have you considered and documented why that
adverse effect is justified?
Choose an item.

Have you documented why you are collecting the specific items of information to
demonstrate that you have legitimate grounds for doing so, e.g. if you are carrying out
research into how students’ music preferences affect their degree classification and also
collecting participants’ shoe sizes, can you show you have a legitimate need for this
information?
Choose an item.

Have you included a research privacy notice in the Participant Information Sheet to
provide to individuals? The privacy notice tells individuals how we will use their personal
data once we have it; the purpose or purposes for which you intend to process the
information; and any extra information you need to give individuals in the circumstances
to enable you to process the information fairly, such as whether or not the information will
be disclosed to a third party.
Choose an item.

Security
Ensuring personal data are secure at all times is extremely important. The GDPR requires us to ensure
that appropriate technical and organisational measures shall be taken against unauthorised or unlawful
processing of personal data and against accidental loss or destruction of, or damage to, personal data. It
is important that any personal data you collect or use during your activities remains secure until it is
destroyed, which includes ensuring that only those who are authorised to access and use the data can do
so.

For further guidance on information security, please see IT Security and Information Governance.

If you are intending to publish information which could identify individuals, have you
made those individuals aware that this will happen via our PIS and Consent Form and
obtained their consent, if appropriate?
Choose an item.

Will papers, files, audio visual recordings, CDs, USB (memory) sticks or other media
which contain personal data be kept in locked cabinets, cupboards, drawers etc. when
the offices are vacated?
Choose an item.

Do all individuals who will have access to or be using the personal data understand that
it must not be provided to any unauthorised person (which includes disclosing
information to family members or other representatives of data subjects, unless the
data subject has given consent for us to do this)?
Choose an item.

Do all individuals who will have access to or be using the personal data understand
their responsibilities under the GDPR and have they received data protection training?
Choose an item.

Do you have appropriate procedures in place to ensure the security of the personal
data if it is removed from Salford offices for any reason? Electronic data must only be
removed if it is stored on encrypted devices or media e.g. an encrypted disc or USB stick,
an encrypted laptop etc. Alternatively, it can be accessed remotely via a secure
connection. If an unencrypted device containing personal data is lost or stolen, it is likely
to lead to a substantial fine for a breach of the GDPR. Non-electronic records must be
rigorously safeguarded at all times and not left unattended or in view of unauthorised
people. Laptops, USB sticks and other devices, papers or any other form of personal data
must not be left in cars.
Choose an item.

Will the personal data be stored on the Salford network in a secure location with
restricted access, to prevent unauthorised parties who have no right or need from accessing
the data?
Choose an item.

Are all individuals who will have access to or use the personal data aware that personal
information should not be stored off the Salford network and should only be stored on
equipment owned or leased by Salford, unless exceptional circumstances apply?
Storage under such exceptional circumstances must include the use of appropriate
security measures. No personal information should be stored on any removable media
e.g. USB sticks, CDs or devices e.g. laptops, smartphones unless they are encrypted.
Choose an item.

Are all individuals who will have access to or use the personal data aware that any
information accessed via remote working methods such as Outlook Web Access or
similar must be treated securely in line with relevant legislation and all University
guidelines? Salford business information, including personal data, should not be stored
on personal, non-Salford equipment or devices unless exceptional circumstances apply.
Choose an item.

Are all individuals who will have access to or use the personal data aware that
non-university system email is not a secure method of communication and do they know
how to encrypt documents so that they can be attached to an email and sent securely?
N.B. Encryption passwords must be provided separately and never included in the same
email as the encrypted attachment.
Choose an item.

Are all individuals who will have access to or use the personal data aware that all
non-electronic material which contains personal data and has been authorised for disposal
must be disposed of via the University’s confidential waste service (including
handwritten notes, computer print-outs etc.)?
Choose an item.

Are all individuals who will have access to or use the personal data aware that any
paper documents, electronic media or hardware which has been designated for
disposal must be kept in a secure location until it has been appropriately destroyed and
any information it contains is no longer accessible or recoverable? Electronic media and
hardware should be disposed of in line with LIS guidelines and procedures.
Choose an item.

Can you confirm that if personal data will be transferred overseas (outside the EEA),
you have taken advice from Information Governance to ensure the transfer can legally
take place? This includes via email and by virtue of using ‘cloud’ providers which store
your data on their servers based overseas.
Choose an item.

Once this form has been completed, it should be attached to your ethics application and submitted as
directed. If your activity does not require further ethical approval, this form should be retained with your
project documentation as a record of your considerations and data protection compliance.

You can find a variety of guidance documents and FAQs on the Information Governance web pages.
