Data protection checklist
Key points to consider
Section 1 should be considered when drafting information for participants and consent forms.
Sections 2 to 9 should be considered when completing the sections in the ethics application form referring to the managing and handling of personal and other research data.
1. Does the information to be provided to participants indicate:
a. the purposes for which their personal data/special category data will be processed?
b. the people or organisations their personal data/special category data will be shared with?
c. the legal basis for the processing of their personal data/special category data?
d. any international transfers of their personal data/special category data?
e. when their personal data/special category data will be erased?
f. their rights under the GDPR?
2. Are the items of personal data/special category data to be collected the minimum necessary to achieve the research objectives?
3. Has the potential for using anonymised or pseudonymised data been considered?
4. Will access to the personal data/special category data of participants be restricted to authorised persons?
5. Will participant data be kept in the form of fully identifiable data for a fixed period of time?
6. Is there a clear rationale for the length of time data will be kept as fully identifiable data? (see 1.e. above)
7. Will personal data/special category data be collected, transmitted and stored securely?
8. Is the level of security to be provided appropriate to the risks represented by the processing?
9. Will arrangements be put in place for the secure disposal and/or destruction of personal data/special category data when it is no longer required?
10. If the data is to be shared with another organisation, will there be a written agreement with the other organisation, setting out each one's respective roles and responsibilities, and how individuals may exercise their rights in respect of their data?
11. Will the personal data/special category data of participants be used for measures or decisions with respect to individual participants?1
12. Is it likely that your use of personal data/special category data will cause substantial damage or substantial distress to any of the participants?
Data protection impact assessment
Please also check, when planning your research, whether a separate data protection impact assessment will be required if your processing of personal data is likely to result in a high risk to individuals. The UK Information Commissioner’s Office guidance sets out when this may be required. A template University data protection impact assessment form is available from the Compliance website. Further information and advice on data protection impact assessments is available from firstname.lastname@example.org.
1 Questions 11 and 12 reflect the requirement in the Data Protection Act that personal data may not be used for research purposes if: (a) it is processed for the purposes of measures or decisions with respect to particular individuals; or (b) it is likely to cause substantial damage or substantial distress to an individual