The EU General Data Protection Regulation (GDPR) and UK Data Protection Act 2018 come into force on 25 May 2018. Both apply in the UK and will influence research involving personal data. See below for detailed guidance, but please don't hesitate to contact the Research Ethics Officers and/or the university's Information Governance Manager if you have any queries.
Defining Personal Data
Personal data is structured information about living people from which they can be identified either on its own or combined with other information you are likely to have access to.
The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.
The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.
Sensitive Personal Data / Special Categories of Personal Data
GDPR refers to sensitive personal data as “special categories of personal data”, this is roughly equivalent to the old UK Data Protection Act’s description ‘sensitive personal data’.
Special category personal data means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union members; and the processing of genetic data or biometric data for the purpose of uniquely identifying a natural person; data concerning health; or data concerning sex life or sexual orientation.
Data that has been pseudonymised, where the dataset and identifiers are held by the same organisation, is still personal data and call fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.
Data anonymised in line with the ICO ‘Anonymisation code of practice’ is not personal data. An example of this is when identifiers are held by another organisation with an agreement that specifies no re-identification. You should be aware that the action of ‘anonymisation’ counts as processing personal data. At the time of writing, the ICO is working to update the code to reflect GDPR requirements.
Lawful Basis for Processing Research Data
Lancaster University’s lawful basis for processing personal data for the majority of research projects is ‘task in the public interest‘ (GDPR Article 6(1)(e)). This assures research participants that the organisation is credible and using their personal data for public good. As a researcher you should know this because approval bodies may ask you to specify it.
Lancaster researchers may also undertake research projects requested and funded directly by an organisation(s), for this contract research or consultancy the lawful basis for processing personal data will be 'the performance of a contract'.
It is important to note that collection of personal data for research should not be conducted with the lawful basis of consent. GDPR requires that organisations must include the lawful basis for processing in the information provided to data subjects. Lancaster University researchers are required to include a link on their participant information sheet to our public-facing information page, and make appropriate provision for those data subjects that are unlikely to have access to the internet. See guidance on transparency for further information.
Consent is frequently sought for participation in research. Consent is an important part of the research process and serves many purposes. One reason that consent is sought may be to ensure that any disclosure of confidential data meets the requirements of the common law duty of confidence. Where consent is sought, information provided to research participants will normally include information about how the data will be used, aiding transparency (a key part of the GDPR).
It is important to not confuse consent sought for other purposes (e.g. an ethical or common law requirement) with the lawful basis for processing under data protection legislation. The lawful basis for processing under data protection law at Lancaster University is not consent but consent should still be sought for participation in the research. The requirements of data protection legislation apply alongside the requirement of the common law duty of confidence; both must be satisfied.
Additional guidance for gaining consent for children is available through the Research Services’ Ethics Team. It might be necessary for researchers to gain new consent during a project if a child reaches a level of maturity while the study is ongoing.
Special Category Personal Data
When processing special categories of data, such as health data or political opinions, you must meet an additional condition. Lancaster’s research uses the condition that such processing is ‘necessary for scientific research in accordance with safeguards’.
Safeguards apply widely to research with personal data. They include obtaining Research Ethics Committee approval, only processing personal data that’s necessary (data minimisation) and anonymising or pseudonymising where possible. Everyone working with identifiable information should understand the importance of confidentiality and should hold data securely with an appropriate level of protection. It is important that you adhere to Lancaster University’s research code of practice and ISS policies and technical standards.
It is a fundamental principle of data protection law that personal data are processed in a transparent manner in relation to the data subject. Researchers must take appropriate measures to ensure that any information provided to the research participant is:
- Concise, transparent, intelligible
- Provided in easily accessible form, using clear and plain language (translated as appropriate)
- Considers needs of the audience, e.g. information addressed specifically to a child
- Provided by appropriate means (in writing, online or verbally)
It is good practice to adopt a layered approach to transparency, this includes Lancaster University’s generic research privacy notice and your project specific participant information sheet (PIS) containing more granular details. To support effective communication researchers should provide opportunities for participants to check understanding and ask questions at all stages of their research project.
New guidance on writing a good PIS is currently being produced but templates for different faculties can be found at the bottom of this page. Researchers must refer to the central webpage in their guidance by including the following sentence:
For further information about how Lancaster University processes personal data for research purposes and your data rights please visit our webpage: www.lancaster.ac.uk/research/data-protection
Lancaster’s ethical review process for research will help you to ensure that the information you provide to the public is relevant and understandable, including how data is used to support research. This should cover the fact that data is commonly linked with other data sources, kept for a long time and reused to address important research questions. For support contact the Integrity, Ethics, and Governance team in Research Services or the university’s Data Protection Officer.
Secondary data analysis
This section is relevant only for a data set where individuals are identifiable (through the data, combination of the data or through using a key in the case of pseudonymisation) and not collected by Lancaster researchers.
It is important to gain assurance that the original data collector supplied relevant information to the participants, including that their data could be reused for research. In addition, it is good practice for the secondary data analyser to provide on-going study level information, for example on a project webpage.
If the purpose for collecting the data was not research, relevant information should be provided to the participants prior to processing for research purposes (unless the below research exemption applies).
All secondary data analysis research projects that use identifiable data should apply for ethical approval through the relevant Faculty Research Ethics Committee, data protection provision will be addressed through this review.
For secondary data analysis the following exemption to provide information to the participant applies when:
1. The data are processed following the principles of data minimisation, where possible including pseudonymisation and conducting research without using identifiable data.
2. The provision of information to participants proves impossible or would involve a disproportionate effort or that you have used your best endeavours to contact participants.
3. The provision of information to participants is likely to render impossible or seriously impair the research objectives.
In general, the expectations for safeguards should already be being met in your research project as approved by ethical review. Any substantial changes to safeguards in your research project should always be submitted as an amendment to your ethical approval to the appropriate Research Ethics Committee.
During ethical review data minimisation will have been considered however, researchers can always revised what information is captured during the project and whether it is necessary.
Everyone working with identifiable information should understand the importance of confidentiality and should hold data securely with an appropriate level of protection. It is important that you adhere to Lancaster University’s research code of practice and ISS policies and technical standards.
You will have considered the appropriate timing of anonymisation or pseudonymisation (if appropriate) during ethical review, it is important to ensure you are adhering to your approved specified data security methods during your project.
Data Subject Rights
GDPR incorporates a range of exemptions from data subject rights to take account particular aspects of research. These exemptions need to be balanced with what is fair to participants. What do they understand about withdrawal from the research project? Has the research significantly evolved from what they understand? What were they told about further uses?
The following data subject rights may be limited for research data sets:
- The right to erasure
- The right to access by the data subject
- The right to rectification
- The right to restrict processing
- The right to object to processing
The right to data portability is not applicable to research conducted in ‘the public interest’.
Where any participant seeks to use one of the above rights, you should seek advice from Lancaster’s Data Protection Officer before taking any next steps. This does not prohibit corrections to data or other operational arrangements such as updating contact details, or permitting a participant to withdraw from a study. You should be clear what withdrawal looks like with respect to data, e.g. no further collection of data but retention of data already collected; retention of data and use in this project but no use in future research, etc.
In general these exemptions are similar to those under previous legislation, and mean that normally there will be no right for research participants to access their data, rectify it or have their data erased. The implementation of appropriate safeguards university safeguards permits these research exemptions in relation to data subject rights to be used.
GDPR stipulates that data subject requests that relate to children’s personal data should be given extra consideration in balancing the objectives of the research against the rights of the child.
It is likely that under national policy patients in England will be able to opt out of use of their confidential patient information for research.