The legal basis for processing personal data

Under the General Data Protection Regulation (GDPR), the University has to identify a legal basis for processing personal data and, where appropriate, an additional condition for processing special category data.

In line with our charter which states that we advance learning and knowledge by teaching and research, the University processes personal data for research purposes under Article 6 (1) (e) of the GDPR:   

Processing is necessary for the performance of a task carried out in the public interest  

Special category data is processed under Article 9 (2) (j):

Processing is necessary for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes

Research will only be undertaken where ethical approval has been obtained from the Department of Psychology's Ethical Committee, where there is a clear public interest and where appropriate safeguards have been put in place to protect data.

In line with ethical expectations and in order to comply with common law duty of confidentiality, we will seek your consent to participate where appropriate. This consent will not, however, be our legal basis for processing your data under the GDPR.  

Consent and testing in liaison with Schools

To be quite clear, the legal basis for processing personal data is 'in the public interest' and not 'consent'. In some circumstances it is preferable to undertake an opt-out (i.e., parents/guardians actively state that they do not want their child to participate in research) rather than an opt-in (i.e., parents guardians actively state they do want their child to participate) approach to data collection. Of course we will comply with a given school's policy in this regard and our default position is that 'opt-in' is the preferred option, but opt-out studies are not ruled out and will be sanctioned if approved by the Departmental Ethical Committee.

How will personal data be used

Researchers associated with each ethically approved study will be collecting data of a particular type and will be using this data in the pursuit of academic research. Each study will have its own aims and objectives and these will be stated clearly on the particular information sheet that will be provided to every participant. Moreover, only the minimum amount of personal data will be collected that is necessary to answer the research objectives.

How will confidentiality be assured?

It is typically the case that personal data will be processed via a unique participant identifier that will not reveal a given individual's identity. However, members of the project team will have access to information that links a given individual with the associated identifier. All reasonable steps will be taken to ensure this association is kept strictly confidential, that is, accessible only by members of the project team. In the majority of cases, data will be processed in a pseudonymised form, namely, with respect to the participant identifiers. However, data can be fully anonymisedby removing participant identifiers. A given individual's identity will never be revealed without written consent being given by that person. It is possible that personal data may be shared anonymously with others for secondary research and/or teaching purposes. 

We are particularly mindful of cases where the data comprise audio/visual recordings and therefore a given individual's identity may be either impossible or difficult to conceal. We will seek explicit consent in matters concerning how these kinds of recordings will be used.

Will personal data be shared with 3rd parties?

The default position is that personal data will only be accessible to members of the project team. In some cases however the work may be of a collaborative nature and hence the data will be made accessible to others from outside of the department. Information specific to the project will include details of when this is the case, who the 3rd parties are, and what they will do with the data. As noted above, it is possible that personal data may be shared anonymously with others for secondary research and/or teaching purposes. 

How will data security be assured?

The University will put in place appropriate technical and organisational measures to protect your personal data and/or special category data. Information will be treated confidentiality and shared on a need-to-know basis only. The University is committed to the principle of data protection by design and default and will collect the minimum amount of data necessary for the project. In addition, we will anonymise or pseudonymise data wherever possible.  

Where will personal data be stored?

The default position is that the data will be stored on university devices provided by the Department of Psychology. That is, data will be held within the European Economic Area in full compliance with data protection legislation.

However, the university has access to cloud storage and currently this is provided by Google. This means that if the data are to be loaded onto this cloud storage then it can be located at any of Google’s globally spread data centres. The University has data protection compliant arrangements in place with this provider. For further information see,

How long will data be retained?

Data will be retained in line with legal requirements or where there is a business need. Retention timeframes will be determined in line with the University’s Records Retention Schedule.  Please follow this link for further information

What rights do you have in relation to your data?

Under the GDPR, you have a general right of access to your data, a right to rectification, erasure, restriction, objection or portability. You also have a right to withdrawal. Please note, not all rights apply where data is processed purely for research purposes. For further information see, If you would like to access your right to portability, please contact In simple terms if you would like access to your data then please contact the university's data protection officer via the email:

Right to complain

If you have a concern about any aspect of a given study, then you should ask to speak with the researchers who will do their best to answer your questions. If you remain unhappy and wish to complain formally, you can do this through the complaints procedure of the University of York.  Details can be obtained from the email address: If you are dissatisfied with the way your personal data have been handled please contact the lead researcher in the first case, or the University’s Data Protection Officer at you are unhappy with the way in which the University has handled your personal data, you have a right to complain to the Information Commissioner’s Office. For information on reporting a concern to the Information Commissioner’s Office, see  

  • No labels