Key information about GDPR

Privacy notice Department of Psychology, University of York

This document provides a description of default procedures used in the Department of Psychology, University of York, when handling personal data (data that could directly or indirectly identify who you are). The procedures described below are the standard processes in line with the procedures used at the University of York. For some projects, you might receive a different privacy notice specific to that project. 

The legal basis for processing personal data

Under the General Data Protection Regulation (GDPR), the University has to identify a legal basis for processing personal data and, where appropriate, an additional condition for processing special category data.

In line with our charter which states that we advance learning and knowledge by teaching and research, the University processes personal data for research purposes under Article 6 (1) (e) of the GDPR:   

Processing is necessary for the performance of a task carried out in the public interest  

Special category data is processed under Article 9 (2) (j):

Processing is necessary for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes

Research will only be undertaken where ethical approval has been obtained from the Department of Psychology's Ethical Committee, where there is a clear public interest, and where appropriate safeguards have been put in place to protect data. 

In line with ethical expectations and in order to comply with common law duty of confidentiality, we will seek your consent to participate where appropriate. This consent will not, however, be our legal basis for processing your data under the GDPR.  

How will personal data be used

Researchers associated with each ethically approved study will be collecting data of a particular type and will be using this data in the pursuit of academic research. Each study will have its own aims and objectives and these will be stated clearly on the particular information sheet that will be provided to every participant. Moreover, only the minimum amount of personal data will be collected that is necessary to answer the research objectives.

How will confidentiality be assured?

It is typically the case that personal data will be processed via a unique participant identifier that will not reveal a given individual's identity. However, members of the project team will have access to information that links a given individual with the associated identifier. All reasonable steps will be taken to ensure this association is kept strictly confidential, that is, accessible only by members of the project team. In the majority of cases, data will be processed in a pseudonymised form, namely, with respect to the participant identifiers. However, data can be fully anonymised by removing participant identifiers. A given individual's identity will never be revealed without written consent being given by that person. It is possible that personal data may be shared anonymously with others for secondary research and/or teaching purposes. This is described in the information sheet provided to a participant at the start of the study. Where video or audio recordings are made, the participant will receive an additional information sheet and consent form explaining how those recordings will be used and processed.

Will personal data be shared with 3rd parties?

The default position is that personal data will only be accessible to members of the project team. In some cases however the work may be of a collaborative nature and hence the data will be made accessible to others from outside of the department. The information sheet will explain to the participant whether personal data are shared outside the project team or not. Where personal details need to be shared, the information sheet will explain who the third parties are and what they will do with the data. As noted above, anonymised data might also be shared with others for secondary research and/or teaching purposes. When sharing data, it is possible the participant’s research data will be used by other researchers to answer new questions unknown to this study’s researchers.

How will data security be assured?

The University will put in place appropriate technical and organisational measures to protect your personal data and/or special category data. Information will be treated confidentiality and shared on a need-to-know basis only. The University is committed to the principle of data protection by design and default and will collect the minimum amount of data necessary for the project. In addition, we will anonymise or pseudonymise data wherever possible.  

Where will personal data be stored?

The default position is that the data will be stored on university devices provided by the Department of Psychology. That is, data will be held within the European Economic Area in full compliance with data protection legislation.

However, the university has access to cloud storage and currently this is provided by Google. This means that if the data are to be loaded onto this cloud storage then it can be located at any of Google’s globally spread data centres. The University has data protection compliant arrangements in place with this provider. For further information see,

Please note that if you are taking part online, many of our online studies are run through or Qualtrics. Both are GDPR compliant, frequently used online participation platforms. These platforms are the data processor, while the researcher in charge of the experiment remains the data controller (owner responsible for the data). The data will only be accessible to the researchers working on this project. Both and Qualtrics will never view or use any participant data, unless explicit permission is given by the researcher and the participant has given consent for their personal data to be accessed this way. Data will be stored at University of York servers and removed by the researchers from these platforms as soon as possible

How long will data be retained?

Data will be retained in line with legal requirements or where there is a business need. Retention timeframes will be determined in line with the University’s Records Retention Schedule.  Please follow this link for further information

What rights do you have in relation to your data?

Under the GDPR, you have a general right of access to your data, a right to rectification, erasure, restriction, objection or portability. You also have a right to withdrawal. Please note, not all rights apply where data is processed purely for research purposes. For further information see, If you would like to access your right to portability, please contact In simple terms if you would like access to your data then please contact the university's data protection officer via the email:

Right to complain

If you have a concern about any aspect of a given study, then you should ask to speak with the researchers who will do their best to answer your questions. If you remain unhappy and wish to complain formally, you can do this through the complaints procedure of the University of York.  Details can be obtained from the email address: If you are dissatisfied with the way your personal data have been handled please contact the lead researcher in the first case, or the University’s Data Protection Officer at If you are unhappy with the way in which the University has handled your personal data, you have a right to complain to the Information Commissioner’s Office. For information on reporting a concern to the Information Commissioner’s Office, see