Privacy notice for academic research participants

The European Union Data Protection Regulation (GDPR) provides rights for people whose data we hold and responsibilities for all members of the University Group. The GDPR came into force on 25 May 2018. At the same time, a new UK Data Protection Act 2018 was enacted to enable the UK to maintain the same standards of privacy when it leaves the European Union. As the University is a global organisation, the law applies to the personal data we communicate and receive in the course of our activities worldwide. This means that the law applies to research undertaken on all of our UK and international campuses, in academic partnerships and by fieldwork, no matter where in the world these activities take place.


Academic research, to create and apply knowledge for economic and societal benefit, is central to our mission. In order to undertake research and to train students in research methods, staff and students of the Heriot-Watt University Group, including our UK, Dubai and Malaysia campuses (HWU) collect and process various types of personal data. This guide explains what we do with your personal information and why.  

Who is the data controller?

The Data Controller (the organisation responsible for why and how your data is processed) is normally Heriot-Watt University.  If HWU is undertaking research under a contract with another organisation, for instance research commissioned by a charity, government body or industrial sponsor, that organisation may be the Data Controller. In this situation HWU would be a data processor. The participant information you receive will provide the name and contact details of the Data Controller.  

We hold your data securely and restrict access to personal information to people who need to use it in the course of their duties. When collecting personal information about you, we must comply with the UK Data Protection Act, 2018, the European Union General Data Protection Regulation, and other privacy laws, such as the Malaysia Personal Data Protection Act 2010, that apply in countries in which we operate.  

What personal information we collect and use

All research projects involving the collection of personal data must first undergo ethics review and approval. This is to ensure that we

  • process your data fairly and lawfully
  • only collect as much data as we really need for the research
  • make appropriate arrangements for the secure storage of your data – for instance, wherever possible we pseudonymise your data so that you cannot be identified by other people
  • anonymise the data wherever we can so it ceases to be personal data.

HWU collects a range of information in order to carry out its research activities. This may include personal details such as name and address, age and gender, or information on your views on specific research topics. We may also collect sensitive personal information, also known as special categories of data, where this is necessary for research in the public interest, or where we have your explicit consent. Sensitive data may include:  

  • racial or ethnic origin
  • trades union membership
  • religious or other similar beliefs
  • physical or mental health details 
  • sexual life 
  • offences and alleged offences
  • criminal proceedings, outcomes and sentences. 

We collect personal information in a variety of ways. For example, data might be collected via surveys or questionnaires, through interviews or focus groups, or by taking photographs, audio or video recordings. For each individual research project, you will be provided with a participant information sheet, which explains in more detail the kind of information that will be collected, how this will be done and the purpose of the research. 

Why we collect your information

HWU will only collect the information that is necessary to undertake each specific research project. 

What’s our legal basis?  

If we recruit volunteers to take part in research projects it is up to you whether you wish to take part or not. We will collect your data with your explicit, opt in consent.  

If you have agreed to participate in a research project, Heriot-Watt University’s Charter and Statutes give us the legal authority to process your personal data to undertake academic research, where this is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the University as Data Controller; 

For most research we process data where it is necessary for scientific or historical research purposes or statistical purposes; or where it is necessary for archiving purposes in the public interest.  

For some research projects we rely on the continued consent of participants to process their data. We make this clear in the participant information that you receive when you agree to take part. In these cases you can withdraw your consent and ask us to stop processing your data at any time. 

When we collect your data

We collect data about you as part of a research study. We undertake research in many different fields of study and for many different projects. The information we collect about you will depend entirely on the research study in which you are taking part. This will be explained in the Participant Information Sheet. 

For some research projects HWU may obtain statistical information about people directly from other organisations under strict conditions of confidentiality. Wherever possible the organisations providing the data will ensure it is pseudonymised before we receive it. Examples of datasets we may use in research include government census data, health service patient data, information about charity service users, anonymized profiles of business customers.  

Who your information may be shared with and why

Your data will be accessed by members of the research team (including supervisors of student projects) on a strictly need-to-see basis.  

We will not publish any information that could identify you that is not already in the public domain without your prior consent. 

We may share your personal data with others only where we have your consent or where one of the following conditions are met. 

  • If the disclosure is required by law.
  • If it is necessary for a project funder to have access to the data e.g. at the end of a project where the funder is the Data Controller.   
  • If the conditions of funding require us to make research data available to other academic researchers for reuse. In this case we would pseudonymise the data if it is not possible to anonymise it completely.

We may also appoint people and organisations to work for us and contract with them to act as data processors on our behalf. Examples include transcribers and translators. The participant information sheet will explain if and why we need to share the data or appoint a data processor, if this is applicable to a project. 

How long we keep your personal data 

We keep data only for as long as it is required to perform its purpose, or for as long as is required by law. At the end of the retention period your data will be securely deleted or anonymised so that it is no longer personal data. 

We may keep some research data for reuse for scientific or historical research purposes or statistical purposes. We may also keep some research data permanently, where this is necessary for archiving purposes in the public interest.  

We will take all necessary safeguards to protect your privacy including pseudonymisation or not allowing other people to see personally identifiable information in your lifetime.  

The participation information sheet will outline the length of time that we will retain your personal data. More information is on our website.

International data transfers

Where we have appropriate safeguards in place to protect your data and privacy rights, some of the personal information we process about you may be transferred to, and stored at, a destination outside the UK and European Economic Area (EEA). For example, if:  

  • it is processed by staff operating outside UK and the EEA who work at our campuses in Dubai or Malaysia  
  • we undertake research fieldwork globally 
  • one of our research collaborators and partners does research with us 
  • it is processed under contract by one of our suppliers who is based outside the EEA or uses storage facilities outside the EEA.  

Your rights

Under certain conditions you have the right to: 

  • find out what personal data we process about you and obtain a copy of the data, free of charge within one month of your request. We may make a charge for additional copies of the same information 
  • object to the way we are using your data. 
  • ask us to correct inaccurate or incomplete data
  • restrict the use of your data – for example, if you have raised issues about the accuracy or use of your personal data, until we have investigated and responded to your concerns
  • erase your data 
  • withdraw your consent to further processing after you have previously agreed we can your data for a particular purpose.

If you think we are acting unfairly or unlawfully you can complain to the UK Information Commissioner’s Office

Data protection officer and contact details

If you have any questions about what we do with your personal information or your rights under privacy laws, you can phone, email or write to us as follows:

Data Protection Officer,  

Heriot-Watt University,  

Edinburgh EH14 4AS, UK  

Phone:+ 44 (0)131 451 3218/3219/3274 


You can also visit our Data Protection webpages.

Find out more about your rights under privacy law 

You can also find out more in our Data Protection Policy and on our webpages 

About our Information Security policies and procedures 

On the website of the UK Information Commissioner’s Office