This notice explains how personal data is used by research projects at the University of York. For details specific to the project, please see the participant information sheet given to you by the project team.
For projects where this notice applies, the University of York is the Data Controller. We are registered with the Information Commissioner’s Office. Our registration number is Z4855807.
Please look at the participant information sheet given to you by the person telling you about this project. If you have any questions, you can ask them to explain.
Privacy law (the UK General Data Protection Regulation (GDPR) and Data Protection Act 2018) requires us to have a legal reason to process your personal data. Our reason is that we need it to perform a public task.
This is because the University has a public function, defined in our charter and statutes, which includes carrying out research projects. We need to use personal data in order to carry out this research project.
Information about your health, ethnicity, sexual identity and other sensitive information is called “special category” data. We have to have an additional legal reason to use this data, because it is sensitive.
Our additional reason is that it is needed for research purposes. All research projects at the University follow our research ethics policies.
The legal reasons are given in full detail below:
The participant information sheet tells you which people and organisations your data will be shared with.
As well as this, we use computer software or systems to hold and manage data. Other companies only provide the software, system or storage. They are not allowed to use your data for their own reasons.
We have agreements in place when we share data. These agreements meet legal requirements to ensure your data is protected.
The University maintains a high standard of information security. Access to information and systems for all users is restricted on a need-to-know basis, and security arrangements are reviewed to ensure their continued suitability. For further information, see our IT security webpages.
In certain cases, your personal data will be transferred outside the UK. For these transfers, the University will always comply with UK GDPR obligations and use necessary safeguards to protect your data.
The University will only keep your data as long as necessary to meet legal requirements or satisfy a defined business need. Specific retention timeframes are set out in the University’s Records Retention Schedule.
Under the UK GDPR, you have a right of access to your data, a right to rectification, erasure (in certain circumstances), restriction of processing, objection or portability (in certain circumstances). You also have a right to withdraw consent, and rights relating to automated decision making. For more information see Individuals’ Rights.
If you have any queries about this privacy notice or about how your data is being processed, please contact the University’s Information Governance Team at dataprotection@york.ac.uk.
If you wish to make a data protection complaint, please contact the University’s Data Protection Officer at dataprotection@york.ac.uk.
If you are unhappy with the way in which the University has handled your personal data, you also have a right to complain to the Information Commissioner’s Office (ICO).
We keep our privacy notices under regular review. This notice was last updated on 16 June 2026.