Data protection checklist

Section 1 should be considered when drafting information for participants and consent forms.

Sections 2 to 9 should be considered when completing the sections in the ethics application form referring to the managing and handling of personal and other research data.

Transparency
1. Does the information to be provided to participants indicate:

a. the purposes for which their personal data/special category data will be processed?

b. the people or organisations their personal data/special category data will be shared with?

c. the legal basis for the processing of their personal data/special category data?

NB: For the majority of University research, it is recommended that 'public interest task' is the appropriate legal basis.

d. any international transfers of their personal data/special category data?

e. when their personal data/special category data will be erased?

NB: The GDPR requires that data is not kept as identifiable personal data for longer than is necessary in relation to the purposes for which it is processed. However, personal data processed solely for research purposes may be stored for longer periods, provided there are appropriate safeguards, such as pseudonymisation. This longer period is not defined in the GDPR. You will also need to comply with the University’s policy which stipulates that research data and records should be retained for a minimum of three years after the end of the research, or longer if required by research funders and regulators.

f. their rights under the GDPR?

Data minimisation
2. Are the items of personal data/special category data to be collected the minimum necessary to achieve the research objectives?
3. Has the potential for using anonymised or pseudonymised data been considered?
4. Will access to the personal data/special category data of participants be restricted to authorised persons?
5. Will participant data be kept in the form of fully identifiable data for a fixed period of time?
6. Is there a clear rationale for the length of time data will be kept as fully identifiable data? (see 1.e. above)
Security
7. Will personal data/special category data be collected, transmitted and stored securely?
8. Is the level of security to be provided appropriate to the risks represented by the processing?
9. Will arrangements be put in place for the secure disposal and/or destruction of personal data/special category data when it is no longer required?
Other safeguards
10. If the data is to be shared with another organisation, will there be a written agreement with the other organisation, setting out each one's respective roles and responsibilities, and how individuals may exercise their rights in respect of their data?

11. Will the personal data/special category data of participants be used for measures or decisions with respect to individual participants? [1]

[If the answer to this question is 'yes', the processing of the personal data will not comply with the Data Protection Bill/Act and the GDPR.]

12. Is it likely that your use of personal data/special category data will cause substantial damage or substantial distress to any of the participants?

 

[1] Questions 11 and 12 reflect the requirement in the Data Protection Act that personal data may not be used for research purposes if: (a) it is processed for the purposes of measures or decisions with respect to particular individuals; or (b) it is likely to cause substantial damage or substantial distress to an individual.
