Skip to content
Home
Research
Privacy Notice
Research
Research EnvironmentResearch and Innovation Centres and GroupsResearch and Innovation Case StudiesResearch Excellence FrameworkResearch ExplorerGlobal AcademiesResearch DegreesProfessional DoctoratePrivacy NoticeContact Us

Research Privacy Notice

Cardiff Metropolitan University engages in research that is at the interface of new knowledge creation and its application. With an excellent track record in applied research, supported by a strong base of expertise and advanced scholarship, the University’s research has direct application in business, industry, the professions, and the community at large. 

The following Privacy Notice describes how your personal data is managed for research projects at Cardiff Metropolitan University in accordance with data protection legislation - the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA18). It applies to research which must comply with Cardiff Metropolitan University’s Research Ethics Framework, and which is conducted inside or outside of the institution by staff, postgraduate students, and undergraduate students.

This notice should be read in conjunction with the Participant Information Sheet which you will be given by a member of the Research Team prior to participation in the project.  The Participant Information Sheet will contain specific information about:

  • The Principal Investigator(s) of the project.
  • The purpose, aims and objectives of the research.
  • How the results will be used.
  • The reasons why you are being asked to participate.
  • What your participation will involve, including the time commitment required.
  • Any risks or benefits associated with participation in the project.
  • How your data and privacy will be protected.
  • How your data will be stored and for how long.

Introduction

Cardiff Metropolitan University is the Data Controller and is committed to protecting the rights of individuals in line with the UK GDPR and the DPA18. Its Privacy Statement can be found here.

Data Protection Contact

Cardiff Metropolitan University’s Information and Data Compliance Officer can answer any further queries regarding the processing of your personal data via the following email address:

Email: dataprotection@cardiffmet.ac.uk.

Overview

By means of this notice, Cardiff Metropolitan University wishes to notify you of the following:

  • The personal data and special category data it collects;
  • Why this data is collected and processed;
  • Who has access to this data including who the University shares the data with;
  • The legal basis for processing personal and special category data;
  • Technical and organisational measures to ensure personal data remains secure;
  • Retention periods; and
  • General information.

Personal Data Collected

Every research project is different; therefore, the personal data collected for each project will vary. However, it may include information that can identify you, for example, your name, moving or still images of you, recordings of your speech, your date of birth, and address. Specific information about what personal data is being collected and why will be included within the Participant Information Sheet relevant to the research project.

Special Category Data Collected

(Please note: Special category data is personal data that needs more protection because it is sensitive). For further information on what special category data includes, please click here.

What Cardiff Met uses your Personal Data for

This information will be provided as part of the Participant Information Sheet relevant to the research project.

Sharing Information with Other Organisations

Your personal data will always be kept confidential, and researchers will de-identify (anonymise) it, or pseudonymise it (remove any information which identifies you and replace it with a unique code or key) or delete it as soon as possible.

In some cases, however, the nature of the research project may mean it is not possible to anonymise personal data because this would make it difficult to achieve the aims of the research. This is rare, but, if this is the case for the project in which you are participating, you will be informed in the Participant Information Sheet, before you consent to participating in the project.

Your personal data will only be shared with members of the Research Team. If sharing your personal data with a third party/third parties is necessary, including those outside the UK, full details will be provided to you in the Participant Information Sheet.

Cardiff Metropolitan University’s Legal Basis for Processing Your Personal Data

To process your personal and special category data, Cardiff Metropolitan University must ensure that it is compliant with one of the ‘Lawful Bases’ for processing under Article 6 and Article 9 of the UK GDPR. This means that it must have a lawful reason for using/storing personal information for the purposes outlined in the “What Cardiff Metropolitan University uses your Personal Data for” section of this notice.

Article 6.1(e) –

Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller.

Article 9.2(j) –

Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

In clinical trials or medical studies, Cardiff Metropolitan University will use the following lawful basis for processing:

Article 9.2(h) –

Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards.

When research involves criminal convictions, the legal reason is listed in Schedule 1 of the DPA18.

All information and data collection will be explained in the Participant Information Sheet, and in line with the University's ethics approval framework. You will be asked to sign a consent form to participate in the research. However, the consent does not relate specifically to the collection and use of personal data as this is legally covered by the articles outlined above.

Cardiff Metropolitan University may also use your personal information for additional research purposes, such as other analysis or future projects on the same research topics. This is known as a secondary use or purpose. This is not common, however if this is the case, it will be explained to you in the Participant Information Sheet.

Security of Processing

As the Controller, Cardiff Metropolitan University has implemented technical and organisational measures to ensure personal data processed remains secure, however absolute security cannot be guaranteed. Should you have a concern about a method of data transmission, the University will take reasonable steps to provide an alternate method. For more information about IT security at Cardiff Metropolitan University, and keeping your data safe, please click here.

Retention of Personal Data

The Participant Information Sheet will provide specific information regarding how long your personal information will be kept and for what purpose. However, in general, your personal information will be kept for no longer than is entirely necessary to complete the aims of the research. Additionally, some personal information (including signed records of consent) will be kept for a minimum amount of time as required by external funders, regulatory bodies, or the University’s policies and procedures.

Individual Rights

The lawful basis for processing can affect which Rights are available to individuals.

Using Performance of a Public Task as the lawful basis for processing, your Individual Rights include:

  • The Right to Access
  • The Right to Rectification
  • The Right to Object
  • The Rights Related to Automated-Decision Making inc. Profiling

For more information about these Rights, please click here.

General

Cardiff Metropolitan University has a Data Protection Policy, which can be found here.

If you wish to make a complaint about the way your personal data has been processed you can find details of how to do so here.

If this process does not resolve your issue, or if you wish to take your complaint further, you have the right to contact the Information Commissioner. The contact details are:

Information Commissioner’s Office – Wales
2nd Floor, Churchill House
Churchill Way
Cardiff
CF10 2HH

0330 414 6421
www.ico.org.uk