Frequently Asked Questions
What happens if a participant wants to use their “right to be forgotten”? Will my data become unusable?
With regard to the GDPR right to erasure (often called the right to be forgotten), this is not an absolute right and only applies in certain situations. If the erasure of the person’s data would harm the research outcomes (over and above simply having fewer participants), then we may not have to comply with these requests. GDPR Article 17(3)(d) states that research studies are exempt from the right to erasure where erasure “is likely to render impossible or seriously impair the achievement of the objectives of that processing”.
The right to erasure/be forgotten is different to the participants’ right to withdraw during a research project. A good Participant Information Sheet (PIS) should have guidance, including timescales, on how participants can withdraw. It is often standard practice to keep and use data collected if a participant withdraws unless they request its deletion. This is GDPR compliant, but you should make it clear in your PIS if you intend to do this.
You should outline in your ethical application the date on which you intend to anonymise your data set and delete any identifiable data; it is good practice to make this known to the participant in your PIS. After this date, once you have started your analysis, it could be impossible for you to remove an individual’s data and so the right to erasure may no longer apply.
If you receive a request to remove someone from your data set and you think that doing so will be impossible or seriously impair your research, please contact Mike Abbotts, Information Governance Manager, for advice before you speak to the individual.
My research involves using pictures and videos of participants - can they ask for their images to be removed when I’ve made this public?
See above for a more detailed answer about how research can be exempt from the right to erasure (often called the right to be forgotten).
Obviously, even if you’ve anonymised your data set, if you’ll be using images in a report, publication or video, personal data will remain. Again, we’d refer back to GDPR Article 17(3)(d), which states that research studies are exempt from the right to erasure where erasure “is likely to render impossible or seriously impair the achievement of the objectives of that processing”.
If the use of images is a contractual obligation of your project, removing them would seriously impair the achievement of the research. You should make it clear in your PIS that images will be used in publications (and be specific about what that will be) and as described in the answer above give a date at which participants can request to have their images removed – this could be your publication, print or final video edit.
You should carefully consider whether you need to use images that identify a person in your publications and if possible use unidentifiable angles. You should also think carefully about what additional information you are including alongside the images, for example if you have a controversial quote with a person’s image this might increase the likelihood they will request you remove their image. You should also very carefully consider using identifiable images of children.
Who is the data controller when two or more organisations are involved in a collaborative project?
There isn’t clear guidance yet on this issue and we’ll be watching out for more information. However, the university’s approach is that as each organisation will be gaining their own ethical approval they will be the data controller for their proportion of the data and joint data controllers for the overall project.
For HRA research projects, the sponsor would usually be the data controller as they are responsible (via the Principal Investigator) for writing the protocol which details how any data will be used and handled for that particular research project.
I collected my data at my old institution and I want to do analysis at Lancaster. Who is the data controller?
The key factor here is whether you are using identifiable personal data or if it’s already been anonymised. If it’s the latter then GDPR does not apply.
If the data is identifiable then it might be appropriate to complete a Data Sharing Agreement between organisations. There is also a transparency requirement to inform the original participants that the Data Controller-ship has transferred (but in plain English so they understand!). Thankfully, this does not mean writing to all of the original participants, but rather should be based on 'best endeavours'. Best endeavours will depend on a number of factors e.g. are you still in regular contact with the original participants? Are there regular communication routes with them - newsletters, study websites etc? Or has a long time passed since the research took place and there are no regular communications with previous participants at all? Whatever the situation there needs to be an attempt to inform the original participants about such changes and as touched on above there are many different ways to do this.
I’m going to collect personal data that people have put publicly on the internet. Is there an issue with that?
The issue here is that people are ‘providing’ that data in a particular context and they may not expect their information to be used in a research study (even though it is in the public domain).
Transparency is the key here; you should be open and honest about what you are doing and give people a chance to opt-out of the research. You should easily be able to use the same social media platform from which you are taking the data to inform the people that you will be using their data for research purposes. This might be in a general way (e.g. on a forum) or on a one-to-one basis (e.g. on Twitter).
If you are collecting the information but it won’t be identifiable then GDPR wouldn’t apply, but there may be some ethical concerns which would be looked at during your ethical review.
I’m paying another organisation to collect the data and I’ll be provided with it completely anonymously. Does GDPR apply?
There isn’t clear guidance on this issue yet. However, the university’s common sense approach is that it would be out of scope of GDPR as long as the data has been robustly anonymised (i.e. in line with a standard such as the ICO’s Anonymisation Code, etc.).
As the university would be the Data Controller in this scenario, it is your responsibility to ensure that the company collecting the data on your behalf have done so in a GDPR compliant manner.
I’ve heard that ‘opt in’ (rather than opt out) is now appropriate under GDPR. Does that affect me?
This would be the case if you were collecting data with the lawful basis as ‘consent’. However, you should not be collecting research data at Lancaster University with consent as the lawful basis – see our detailed guidance for more information.
You should be making it clear to your participants that they can opt out of your research, but that they might not be able to remove their data after a certain date. See the question above about the right to be forgotten.
Ethical review will consider all projects that use deception and how opt out can be introduced.