Data protection and storage

Data protection ensures the privacy of the individual is protected in relation to their personal information.

Please be mindful of the following when it comes to data protection and control:

  • Data should not be reviewed by non-RCSI staff (this can only take place when a duty of confidentiality has been put in place).
  • Any data collected should be anonymised wherever possible, removing identifying information such as name, student number, address, date of birth, etc. (Guidelines on the anonymisation and pseudonymisation of data are available on
  • All data must be kept secure, ensuring that only relevant RCSI professionals are able to access this data. This is to avoid risks posed by the storage of data on portable devices and media (e.g. laptops, USB flash drives etc.). All electronic data must be stored in password protected and encrypted files on the RCSI server.
  • Data must only be collected for the stated purpose of audit and only that which you need to answer your audit objectives (keeping in mind the Data Protection Principle 'Adequate, relevant and not excessive')
  • It is good practice to separate collected data from personal identity information as soon as possible after collection and to use codes to identify individual cases. The key linking such codes to identity information such as names, addresses and telephone numbers should be kept secure and separate from the dataset, accessible only to a strictly limited number of project staff (researcher and supervisor).
  • Data controllers must be clear about the length of time for which (personal) data will be kept and the reasons why the information is being retained. Data should be kept for no longer than is necessary and each case be considered on its own merits [sometimes there is a legal obligation to store for a particular length of time (e.g. clinical trials, financial records)].
  • Legal penalties may arise if personal data is not looked after properly. Such data might include patient records, personal information or other confidential information.

On 25 May 2018,  GDPR come into force throughout the EU. On 8 August 2018, the Department of Health issued regulations specifically focused on GDPR when conducting research. Compliance with these regulations, and ensuring any documents provided by research ethics subcommittee are templated, is the responsibility of the principle investigator/data controller/s.

  • The Data Protection Act 2018 (DPA 2018) is the Irish legislation that gives effect to certain aspects of the EU's GDPR in Ireland. The DPA 2018:
  • Establishes the Data Protection Commission as the State's data protection authority with the means to supervise and enforce the protection standards enshrined in the GDPR (2016/679);
  • Gives further effect to the GDPR (2016/679) in the limited number of areas in which Member State flexibility is permitted; and
  • Repeals, for the most part, the previous Data Protection Acts 1998 and 2013.

The DPA 2018 together with the entry into force of the EU General Data Protection Regulation (GDPR) on 25 May 2018 modernises Ireland’s data protection laws in line with the data protection regime across the European Union.


For further information, please visit:

Data storage

A unique project folder for each lead RCSI applicant/researcher is provided on the RCSI server. All study data must be stored and encrypted within this location including (where applicable) associated study documentation (scanned if necessary) for example:

  • Participant and/or patient information leaflets
  • Consent forms
  • Permission letters from relevant organisations associated with the study

The REC convenor has full control of this folder and will provide the applicant (and principal investigator) with a link to this folder with their REC approval email notification. Access may also be given to other individuals involved where necessary.

The REC convenor keeps a record of applicants who are in possession of such folders and their associated details (i.e. link details/project title/lead applicant and PI contact details/approval dates).

Unless there is a regulatory requirement, the personal data processed for each study should only be retained for as long as necessary for that study and, thereafter, disposed of securely. The rationale for the retention of any personal data should be documented.