The EU General Data Protection Regulation (GDPR) and new Data Protection Act come into force on 25 Mayand is supplemented by the UK’s new Data Protection Act 2018. Both apply in the UK and will influence research involving personal data. So what’s changing for you as a researcher?
GDPR: What Researchers Need to Know
What is GDPR?
The EU General Data Protection Regulation (GDPR), along with the new UK Data Protection Act 2018, will govern the processing (holding or using) of personal data in the UK. Although the new regulations haven’t been designed specifically for research, we’ll need to make some minor changes to research practice at Lancaster.
What counts as 'personal data'?
This is data about living people from which they can be identified. As well as data containing obvious ‘identifiers’ – such as name and date of birth – this includes some genetic, biometric and online data if unique to an individual (such as IP address).
Data that has been pseudonymised (with identifiers separated), where the dataset and identifiers are held by the same organisation, is still personal data.
Data anonymised in line with the ICO ‘Anonymisation code of practice’ is not personal data. An example of this is when identifiers are held by another organisation with an agreement that specifies no re-identification. You should be aware that the action of ‘anonymisation’ counts as processing personal data. At the time of writing, the ICO is working to update the code to reflect GDPR requirements.
How will GDPR impact research?
The requirements largely mirror current good practice in research, so shouldn’t have a big impact on what you, as a researcher, already do. Many of the elements of data protection are assessed during ethical review so it’s important that you continue to gain approval for your research projects.
The new law demands that data processing is lawful, fair and transparent. Organisations that process personal data, or control it’s processing, are accountable for this, yet we all have a role to play.
How do I make sure my data processing for research is lawful?
All research organisations must specify a lawful basis for data processing. You, as a researcher, should know this basis because approval bodies, like HRA and NHS Digital, will ask you to specify it.
Lancaster University’s lawful basis for undertaking research is ‘task in the public interest‘. This assures research participants that the organisation is credible and using their personal data for public good.
When processing special categories of data, such as health data or political opinions, you must meet an additional condition. Lancaster research will use the condition that such processing is ‘necessary for scientific research in accordance with safeguards’.
Lancaster researchers may also undertake research projects requested and funded directly by an organisation(s), for this contract research or consultancy the lawful basis for processing personal data will be 'the performance of a contract'.
The above mentioned safeguards apply widely to research with personal data. They include obtaining Research Ethics Committee approval, only processing personal data that’s necessary (data minimisation) and anonymising or pseudonymising where possible. Everyone working with identifiable information should understand the importance of confidentiality and should hold data securely with an appropriate level of protection. It is important that you adhere to Lancaster University’s research code of practice and ISS policies and technical standards.
Consent is not a requirement of the new data protection laws. In research, we usually seek consent from people to participate. This is ethical, and needed for other legal reasons, for example if disclosing confidential information or if you’re running a drug trial. Consent to participate in research can also give participants control over how their data is used. However, ‘consent’, as defined by GDPR, is not to be used as the lawful basis for processing personal data for research purposes at Lancaster. Since consent is not the lawful basis for processing, participants do not need to re-consent every one or two years.
What do I need to do to be fair and transparent?
Being fair with research participants includes respecting their rights and ensuring that personal data is used in line with their expectations. Transparency is therefore intrinsically linked to fairness.
The new legislation sets out the information that should be provided to participants. This must be concise and easy to understand. Lancaster University has general information about privacy in all research projects on our webpages.
Researchers should display more detailed privacy information about research projects where people will notice it, for example in participant information sheets (PIS) and on project websites. Make your participants aware of this privacy information using communication methods appropriate for your study population, for example if your participants cannot read you must adapt your PIS into a script or provide printed copies for participants without ready access to the internet.
Researchers must refer to the central webpage in their PIS by including the following sentence:
For further information about how Lancaster University processes personal data for research purposes and your data rights please visit our webpage: www.lancaster.ac.uk/research/data-protection
Lancaster’s ethical review process for research will help you to ensure that the information you provide to the public is relevant and understandable, including how data is used to support research. This should cover the fact that data is commonly linked with other data sources, kept for a long time and reused to address important research questions. For support contact the Ethics team in Research Services or the university’s Data Protection Officer.
Do participants in active projects need updating?
For active research projects which will continue to collect data after 25.05.18, you should provide an updated PIS when data is next collected or sooner if you interact with them directly. You do not need to update participants if you are not collecting more data or not planning to contact them again unless:
- You informed them of a legal/lawful basis to process their data which is now changed
- You are removing any safeguards or subject rights you had previously told the participants
- You are changing the purpose of the research project
What about secondary data analysis?
Researchers using a secondary data set that was not collected at Lancaster and contains identifiable data should ensure that participants were supplied with relevant information at data collection. Ethical approval should be sought in these instances before analysis starts. If research was not the purpose at data collection information should be provided to individuals unless research exemptions can be applied.
Lancaster University is accountable to the Information Commissioner’s Office (ICO), so you shouldn’t make decisions about legal compliance alone. You should find out which organisation is the data controller for your research: this might be Lancaster or the sponsor of your project. You may even have more than one controller.
This is particularly important if a research participant asks you about their personal data rights, for example if they ask to withdraw from your study. The university’s Data Protection Officer is responsible for managing requests about rights and will know how to apply the exemptions that are available to research if appropriate. Please contact Mike in all instances where a participant asks you about their data rights.
There are specific requirements for international research when transferring personal data to non-EU countries. If this applies, seek advice from the Ethics Officers and/or Data Protection Officer.