May 2018 saw the introduction of the EU General Data Protection Act (GDPR), the biggest change to data protection legislation for nearly 20 years. GDPR has now been passed into UK law as the 2018 Data Protection Act and this guidance provides an overview of its implications for academic research and what practical steps must be taken to ensure compliance.
What is personal data?
Personal data is any information relating to living persons who can be identified directly from the information in question; or may be identified from that information in combination with other information.
As well as typical ‘identifiers’ such as name and email address, personal information also includes things like location data and online identifiers, e.g. IP addresses and cookie data.
What is special category personal data?
Certain types of personal data, so-called ‘special category’ information, are afforded extra protection by data protection legislation and require different ‘lawful bases for processing’ (see below) to other personal data. Special category information relates to the following:
- Ethnic origin
- Political views
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data (for ID purposes)
- Sexual life, including sexual orientation
The Data Protection principles
The processing of personal data (collection, storage, sharing, deletion, etc.) must consider the following:
- Lawfulness, fairness and transparency - Personal data must be processed according to one or more lawful bases. The use of the data should be in the reasonable expectations of the data subject and appropriate privacy information should be provided.
- Limitation of purpose - Data should only be processed for a lawful, specified purpose.
- Data minimisation - Personal data should be relevant and not excessive for the specified purpose.
- Data quality - Personal data shall be accurate and kept up to date.
- Storage limitation - Personal data shall only be retained for as long as necessary to fulfil the stated purpose or else in accordance with statutory provisions.
- Integrity and confidentiality (information security) - Appropriate technological and organisational controls shall be used to protect personal data.
The GDPR and the 2018 Data Protection Act require an appropriate lawful basis to process personal data. For the majority of research conducted at Brookes we expect the most appropriate lawful basis for processing to be the following:
[GDPR Article 6 (1) e)] processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
Please note that this is the legal basis for processing personal details; for research ethics reasons, Oxford Brookes will continue to collect informed consent from human subjects involved in research.
Where research involves the use of special category personal data (e.g. health or ethnicity data) then an additional lawful basis for processing must be identified. For the majority of research conducted at Brookes we expect the following lawful basis for processing special category data to apply:
[GDPR Article 9 (2) j)] processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes [...] which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
Below we will look at what constitutes suitable measures to safeguard the rights and the interests of the data subjects (research participants).
Transparency and privacy notices
Data protection legislation requires data subjects (research participants) to be adequately informed about why they are providing personal information, how it will be used and who the information will be shared with. In most cases it will be most appropriate to ensure that participant information sheets contain the relevant information for data protection compliance, i.e.:
- The name and contact details of the data controller (typically Oxford Brookes University)
- The purpose of the data collection
- What personal data is being collected
- Who (outside of Oxford Brookes) will personal data be shared with
- How long the data will be retained for
- What the research participants’ rights under GDPR / DPA 2018 are
- Whether or not processing involves automatic decision making or is used for profiling purposes
- The possible implications of not providing the data.
Informed consent guidance and the privacy notice template are available on the research ethics website.
Where special category data is being collected as part of the research we are required to put appropriate safeguards in place to protect the rights and freedoms of data subjects (research participants). Appropriate safeguards include:
- Assurance the research will not cause substantial damage or distress to the data subject (i.e. substantial physical harm, financial loss or psychological pain)
- Where appropriate, the study has research ethics approval.
- Technical and organisational safeguards are in place that ensure respect for the principle of data minimisation and ensure that exemptions to research participants’ rights are not exercised unless the rights are likely to render impossible or seriously impair the achievement of the purposes of the processing
- If processing special category personal data, this must be in the public interest (demonstrated over and above using ‘task in the public interest’ as the legal basis)
Limitation of purpose
Personal data must only be processed for a lawful, specified purpose (typically specified via a privacy notice or participant information sheet) and not further processed for incompatible purposes. Please note that, as such, secondary processing (i.e. using personally-identifiable research data obtained in one study for another) is permitted but the research must be compatible with the purpose of the study under which personal data was obtained.
Further guidance on the use of personal data from previous studies should be sought from UREC or the appropriate Research Ethics Officer.
Privacy by design - pseudonymisation and privacy impact assessments
The revised data protection legislation requires data controllers such as Brookes to adopt a privacy by design approach and ensure that all projects involving the use of personal data consider the privacy of data subjects from the outset and not just as a ‘tick-box’ exercise for sign-off. Two main implications of this approach relevant to research are the use of pseudonymisation and privacy impact assessment.
Pseudonymisation is a procedure to replace personally identifiable fields in a dataset with one or more artificial identifiers. Analysis and research work is then carried out using the pseudonymised dataset, with access to the original, personally identifiable dataset highly restricted. Pseudonymisation should be used wherever possible unless it is necessary that researchers work with attributable data (e.g. for linking to other datasets).
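The pseudonymisation step described above, as an added example that is not part of the original guidance. The column names, the sample rows and the use of a keyed HMAC to derive the artificial identifier are assumptions of this example; the key and the linkage table are what must be held under restricted access.

```python
import csv
import hashlib
import hmac
import io
import secrets

# Constructed sample data; column names are assumptions for this example.
RAW_CSV = """name,email,age_band,score
Ada Example,Ada@Example.org,30-39,7
Bob Sample,bob@example.org,50-59,4
Ada Example, ada@example.org ,30-39,9
"""

DIRECT_IDENTIFIERS = ("name", "email")  # removed from the research copy
LINK_FIELD = "email"                    # field that identifies one participant


def pseudonym(value: str, key: bytes) -> str:
    """Keyed pseudonym: stable under one key, not recomputable without it."""
    normalised = value.strip().lower().encode("utf-8")
    digest = hmac.new(key, normalised, hashlib.sha256).hexdigest()
    return "P-" + digest[:16]


def pseudonymise(raw_csv: str, key: bytes):
    """Return (research_rows, linkage_table).

    research_rows: direct identifiers replaced by a participant_id.
    linkage_table: participant_id -> original identifiers; store it
    separately under restricted access, never beside research_rows.
    """
    research_rows, linkage = [], {}
    for row in csv.DictReader(io.StringIO(raw_csv)):
        pid = pseudonym(row[LINK_FIELD], key)
        linkage.setdefault(pid, {f: row[f].strip() for f in DIRECT_IDENTIFIERS})
        kept = {k: v for k, v in row.items() if k not in DIRECT_IDENTIFIERS}
        research_rows.append({"participant_id": pid, **kept})
    return research_rows, linkage


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # keep with the linkage table, not the data
    rows, table = pseudonymise(RAW_CSV, key)
    for r in rows:
        print(r)
    print(len(table), "participants in the linkage table")
```

Because the identifier is derived with a secret key rather than a plain hash, someone holding only the research copy cannot rebuild the mapping by hashing a list of known email addresses, while the key holder can still link the same participant across datasets.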
Where research studies involve collection of large personally identifiable datasets or use privacy-intrusive technology (e.g. biometrics, body-worn cameras, monitoring devices, etc.) it may be necessary to complete a privacy impact assessment. There is a Brookes privacy impact assessment template which includes a list of screening questions at the beginning; the IT Services information management team will review these if needed to determine whether or not a comprehensive privacy impact assessment is required.
For further guidance on the use of personal data in research please contact UREC, your Department/Faculty Research Ethics Officer or the IT Services information management team (ext: 4354, firstname.lastname@example.org).