Go to the Students section
Go to the Staff section
Go to the Alumni section
Go to the Study here section
Go to the International section
Go to the About section
Go to the Research section
Go to the Business and Employers section
Go to the Support us section
May 2018 saw the introduction of the EU General Data Protection Act (GDPR), the biggest change to data protection legislation for nearly 20 years. GDPR has now been passed into UK law as the 2018 Data Protection Act and this guidance provides an overview of its implications for academic research and what practical steps must be taken to ensure compliance.
Personal data is any information relating to living persons who can be identified directly from the information in question; or may be identified from that information in combination with other information.
As well as the typical ‘identifiers’ such as name, email address etc. personal information also includes things like location data and online identifiers, e.g. IP addresses and cookie data.
Certain types of personal data, so called ‘special category’ information, are afforded extra protection by data protection legislation and require different ‘lawful bases for processing’ (see below) to other personal data. Special category is information that relates to the following:
The processing (collection, storage, sharing, deletion, etc. of data) of personal data must consider the following:
The GDPR and the 2018 Data Protection Act require an appropriate lawful bases to process personal data. For the majority of research conducted at Brookes we expect the most appropriate lawful basis for processing to be the following:
[GDPR Article 6 (1) e)] processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
Please note that this is the legal basis for processing personal details, for research ethics reasons Oxford Brookes will continue to collect informed consent from human subjects involved in research.
Where research involves the use of special category personal data (e.g. health or ethnicity data) then an additional lawful basis for processing must be identified. For the majority of research conducted at Brookes we expect the following lawful basis for processing special category data to apply:
[GDPR Article 9 (2) j)] processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes [...] which shall be proportionate to the aim pursued, respect the essence of the right to dataprotection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
Below we will look at what constitutes suitable measures to safeguard the rights and the interests of the data subjects.(research participants).
Data protection legislation requires data subjects (research participants) to be adequately informed about why they are providing personal information, how it will be used and who will the information be shared with. In most cases it will be most appropriate to ensure that participant information sheets contain the relevant information for data protection compliance, i.e:
Informed consent guidance and the privacy notice template are available on the research ethics website
Where special category data is being collected as part of the research we are required to put appropriate safeguards in place to protect the rights and freedoms of data subjects (research participants). Appropriate safeguards include:
Personal data must only be processed for a lawful, specified (typically via a privacy notice or participant information sheet) and not further processed for incompatible purposes. Please note that as such, secondary processing (i.e. using personally-identifiable research data obtained in one study for another) is permitted but the research must be compatible with the purpose of the study under which personal data was obtained.
Further guidance on the use of personal data from previous studies should be sought from UREC or the appropriate Research Ethics Officer.
The revised data protection legislation requires data controllers such as Brookes to adopt a privacy by design approach and ensure that all projects involving the use of personal data consider the privacy of data subjects from the outset and not just as a ‘tick-box’ exercise for sign-off. Two main implications of this approach relevant to research are the use of pseudonymisation and privacy impact assessment.
Pseudonymisation is a procedure to replace personally identifiable fields in a dataset with one or more artificial identifiers. Analysis and research work is then carried out using the pseudonymised dataset with access to the original, personally identifiable dataset, highly restricted. Pseudonymisation should be used wherever possible unless it is necessary that researchers work with attributable data (e.g. for linking to other datasets).
Where research studies involve collection of large personally identifiable datasets or use privacy-intrusive technology (e.g. biometrics, bodyworn cameras,monitoring devices, etc) it may be necessary to complete a privacy impact assessment. There is a Brookes privacy impact assessment template (see here) which includes a list of screening questions at the beginning, the IT Services information management team will review these if needed to determine whether or not a comprehensive privacy impact assessment is required.
For further guidance on the use of personal data in research please contact UREC, your Department/Faculty Research Ethics Officer or the IT Services information management team (ext: 4354, firstname.lastname@example.org).