Facilitating world-class research
The GDPR imposes obligations on both 'data controllers' and 'data processors'.
For research projects based at the University, the University will most likely be the data controller. It does not matter if the research project is taking place in a country outside the UK or EEA1, the GDPR will apply irrespective of where the data processing is taking place if the University is processing personal data or is the data controller.
1 The EEA includes the 27 member states of the European Union and the European Free Trade Association states (Norway, Lichtenstein and Iceland).
You are required by your employment contract with the University to comply with the GDPR. Where the University is the data controller and you intend to supply any personal data to a third party to perform any subcontracted work, such transfer must be made under an appropriate contract.
Where the University and a third party are collaborating on a research project, both the University and the third party are likely to be data controllers. In this situation, an agreement should be in place between the University and the third party setting out their respective responsibilities for compliance with the GDPR. Data subjects should be able to exercise their rights under the GDPR against either of the controllers, and therefore they should be informed of the arrangements in place between the University and the third party.
If you are collaborating with a third party, you should approach Research Services for guidance. If the University is not the data controller in respect of processing of personal data (eg where work is being performed on behalf of another party who determines the means and purpose of processing for the University), the obligations of the GDPR will still apply to the University as a data processor. This would mean, for example, that the University would be responsible for ensuring the security of the data and for keeping records of processing activities.
Researchers must process all personal data in accordance with the 'data protection principles', unless there is a relevant exemption (see GDPR exemptions). There are other requirements in the GDPR, but the data protection principles represent the core requirements.
Personal data must:
Most of the data protection principles are self-explanatory, but they benefit from further comment in a research context.
This is, perhaps, the most important data protection principle: it is the overriding objective of the GDPR and all the subsequent data protection principles are, in effect, requirements for complying with this principle. There are three aspects to this data protection principle, which are discussed below.
‘Fair’ processing requires researchers to consider more generally how their use of personal data affects the interests of the individuals to whom it relates.
In circumstances where your use may cause detriment to an individual, you need to consider whether or not that detriment is justified.
Fairness is naturally linked also to the transparency of the processing and the ability of the individual to object.
The processing of personal data must have a lawful basis (a legally acceptable reason for processing the data), which must be documented by the data controller. Of the six possible legal bases specified in the GDPR, three are of relevance to research.
Public interest task This will likely be the most common legal basis for processing, and applies where the processing is necessary for the performance of a task carried out in the public interest. As a result, personal data can be processed without consent where the processing is necessary for research carried out in the public interest, which would cover the majority of the University’s research.
Consent The consent of the individual to whom the information relates provides a lawful basis for the processing of personal data, whether that consent is obtained directly from the individual concerned or indirectly by a third party contributor to the research project. However, the GDPR sets a very high standard for valid consent, as detailed in GDPR consent requirements, and it may therefore be difficult to rely on consent as your basis for processing, particularly where you are relying on consent obtained by a third party on your behalf. Care needs to be taken over the form of any document seeking consent to ensure that consent has been freely given and that it includes the purposes for which the research team wish to use it. The GDPR recognises that it may not be possible to specify all the purposes of the research in advance. Researchers will therefore be expected to allow individuals to give consent only to certain areas of research or to certain parts of the project.
Care should also be taken, where necessary, to document in contracts with third party contributors the consent obligations which they are required to satisfy. The GDPR grants individuals a specific right to withdraw consent at any time, and it must be as easy to withdraw consent as to give it. If a research participant were to exercise this right, the research team would be obliged to stop processing that individual’s data, since it would no longer have a lawful basis for processing.
Legitimate interests This applies where the processing is necessary for the University’s legitimate interests or those of a third party, and those interests are not outweighed by the interests and rights of the data subjects. As a public authority, the University cannot rely on legitimate interests for any processing it does to perform its public interest tasks. However, legitimate interests may be the appropriate legal basis where it would be difficult to demonstrate that the research was necessary to meet a public interest, for example, because the research was funded by a private company and was commercial in nature. The ICO recommends that those considering this basis should undertake a Legitimate Interests Assessment (LIA), comprising three parts. The first part involves identifying the legitimate interests in question; the second determining whether the processing of personal data is necessary to meet those interests; and the third determining whether those interests are outweighed by the rights and interests of the research participants.
To process special category personal data, in addition to identifying a lawful basis for processing, as described above, researchers must satisfy one of a further set of conditions. The conditions most relevant to research projects are:
Consent to use special category personal data requires the research team to obtain that consent explicitly. This means that the consent must be provided in the form of an express statement to that effect (‘I consent to my data being processed for…’). As above, data subjects must have the right to withdraw their consent at any time.
This applies where an individual deliberately makes special category personal data about themselves public. By making the information public, the individual has effectively waived their privacy interests in the information, but researchers still need to abide by the duty of fairness as described above.
In this context medical purposes means the purposes of preventative or occupational medicine, the assessment of the working capacity of an employee, medical diagnosis, the provision of health care and treatment, and the management of healthcare services. The condition applies where the processing is pursuant to a contract with a health professional. Researchers should note that health professional is defined narrowly.
Archiving purposes in the public interest, or scientific and historical research purposes, or statistical purposes
This will apply so long as technical and organisational measures are in place to provide appropriate safeguards for the rights of research participants, as described below, and provided the research is in the public interest. This public interest requirement is separate and beyond that relating to the lawful basis for processing described above, ie the fact that public interest task is the lawful basis for processing is not sufficient to demonstrate that the processing of special category data is in the public interest.
Researchers should note that each of the conditions described above is in addition to any conditions which might be set by the applicable body for ethical review and approval. Ethics committees are generally alive to issues of data protection and in many cases their conditions will overlap with those discussed above, but ethics committees do not provide legal advice and cannot waive any obligation arising under the GDPR. Even so, the consideration given to data protection as part of the ethical review process will help to demonstrate the University’s compliance with the GDPR, and in particular the need to embed data protection requirements into processing activities (‘privacy by design’).
In view of the potential difficulties that researchers may have satisfying the higher standard of consent required under the GDPR, and the need to respect its withdrawal, the University recommends that researchers should not seek to rely on consent as their legal basis for the processing of personal data. For the same reason, it is recommended that researchers should not select explicit consent as their additional condition for legitimating the processing of special category data. Rather, it is recommended that researchers should rely on public interest task as the legal basis for the processing of personal data; and research as the additional condition for the processing of special category data.
There will continue to be a need to seek consent from participants in research in order to satisfy ethical considerations, but this will be separate from, and in addition to, the requirement under the GDPR to identify a lawful basis for the processing of personal data and to meet a condition for the processing of special category data. How the consent is sought in such cases will depend on the nature of the project. For small-scale projects that do not involve data of a sensitive nature, it may be sufficient to use an opt-out approach to obtain consent from participants, provided they have been given adequate information about the use of their data, in accordance with the enhanced transparency requirements outlined below. The rationale and justification for using an opt-out approach to recruitment and consent should always form part of any application for ethical review. For larger projects and/or for those involving special category data, it would be more appropriate to seek positive, opt-in consent, even where consent is not the legal basis for processing. However, in either case, the wording of such consent should be careful not to conflate the issues of consent to participate in the project and 'consent' to the University’s use of personal data under the GDPR.
When you are collecting personal data from the individuals concerned (or, in the case of research involving children, from their parents or guardians), you need to be clear, open and transparent with those individuals, by setting out what you intend to do with their data. Specifically, the GDPR requires that you provide them with the following information (this is known as the prescribed information):
For research this prescribed information is often provided to data subjects in the form of a privacy notice or participant information.
Researchers should consider how they will ensure that all participants (or parents/guardians of child participants) are provided with the correct prescribed information. Whether the prescribed information is provided in a written format, read out to them or otherwise made available to them will depend on the nature of the project and the usefulness of that format to the participants. Above all, the prescribed information should be provided in a user-friendly way that avoids unnecessary jargon, and you should always document that you have provided this, particularly if the prescribed information is read out to data subjects.
Many research projects across the University, however, do not collect personal data directly from the individual participants, but instead involve contributions of data from other research projects or other third parties. In these cases, you are still required to provide the individual participants with the prescribed information, as detailed above, together with the following additional information:
However, you do not need to provide the prescribed information if the participants already have the information, or if doing so would involve a disproportionate effort or prevent or seriously impair the achievement of the research objectives. Even so, you must still make the prescribed information publicly available.
This data protection principle is clearly consistent with the requirement to provide individuals with certain prescribed information. It follows that where you have obtained personal data for a specified purpose, you should not then be allowed to use it for other purposes (ie ‘further processing’) that are incompatible with that original purpose.
However, the GDPR states that the further processing of data for research purposes will be considered compatible with the original purpose for which the data was collected. There is therefore a general presumption that data collected for a non-research purpose may be reused for research purposes. However, it will still be necessary to provide the prescribed information to the data subjects, and to do so before the further processing takes place. It would also be necessary to seek consent for the new purpose, if it was the intention to rely on consent as the lawful basis for processing.
This data protection principle is intended to prevent the collection of unnecessary personal data. Given the sensitivities associated with personal data, it follows that no organisation should hold personal data which it does not require. However, this data protection principle also imposes an obligation to ensure that such data is suitable for the researchers’ purposes.
The GDPR emphasises that the principle of minimisation applies to all aspects of processing, and not just the amount of data collected. It is therefore important for researchers to consider their obligations under this principle in relation to each aspect of work that involves the processing of personal data. For example, it may not be necessary for every member of the research team or for collaborators to have access to the full data set and it may be possible to provide information to those persons in an anonymised or pseudonymised form.
Access to personal data should always be restricted to those people with a legitimate need to know. Researchers should also consider whether they need to use personal data at all or whether they would be able to meet their objectives with anonymised, aggregated or pseudonymised data.
This data protection principle relates to the above principle: where data is not kept up-to-date it may cease to be adequate and relevant for the purposes for which it is to be processed. Accordingly, its retention will cease to be necessary for the purposes for which it was collected.
Every reasonable step should be taken to ensure that data which is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay. However, many research projects intend to create static archives, where updating would defeat the purpose. In these cases, it follows that researchers do not need to keep the personal data up-to-date.
This data protection principle also relates to the third principle above: retaining personal data in an identifiable form for longer than necessary means the data will no longer be relevant. The GDPR does not specify how long personal data should be held for, although a specific retention period may be required under other legislation or as a result of regulatory or policy considerations. In all cases the retention period, or at least its basis and rationale (if not the precise detail), will need to be communicated to the research participants in order to satisfy the requirement for transparency under the first data protection principle.
Information security breaches may cause serious harm or distress to individuals or less serious embarrassment or inconvenience, but individuals are entitled to be protected from all forms of security breach.
The GDPR requires researchers to take appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. It should be noted that the requirements of the GDPR go beyond the way information is stored and transmitted, relating to every aspect of the processing of personal data. Security measures should seek to ensure that: (a) only authorised people can access, alter, disclose or destroy personal data; (b) those people only act within the scope of their authority; and (c) if personal data is accidentally lost or destroyed it can be recovered to prevent any damage or distress to the individuals concerned.
There is no panacea for information security, but researchers should periodically consider technological advancements in security and the costs of implementing those technologies and liaise with the IT and/or information security teams as appropriate. It is also important to ensure that all staff and students involved in research using personal data receive training in data protection and information security. The level of security that a research project adopts will depend on the risks associated with that project. In particular, the GDPR says that those measures should be appropriate to (a) the nature of the information in question and (b) the harm that might result from its improper use, or from its accidental loss or destruction eg identity fraud, distress at the exposure of private or sensitive information.
The physical security of personal data includes factors such as the quality of doors and locks and whether the premises are protected by alarms, security lighting or CCTV; but it also includes how access to the premises is controlled, the supervision of visitors, the disposal of paper waste and the security of portable equipment (eg laptops and any storage media or devices). Computer security is constantly evolving and may require specialist advice.
The GDPR introduces a new requirement for accountability: data controllers must be able to demonstrate that they are complying with the data protection principles and other requirements of the GDPR. It is essential therefore that researchers document any policies or procedures they adopt in order to comply with data protection requirements. Similarly, if they rely on consent as their legal basis for processing, they must be able to demonstrate that the individual has consented by maintaining a record of when consent was obtained, how it was given and what the individual was told at the time.
As part of this emphasis on accountability, data controllers are also required to keep records of their processing activities, which will be subject to inspection by the ICO, particularly in the event of any security breach. These records must show the categories of data subject (from whom they collect the data), the categories of personal data (what types of data they collect), the categories of recipient (what other parties the data is shared with, if applicable), details of any transfers of personal data to a third country (ie outside the EU), the time limits for erasure, and a general description of security measures. Whilst it is expected that researchers will already keep detailed records as part of their normal data management responsibilities, they need to ensure that these are sufficient to satisfy the GDPR’s record-keeping requirements.
The GDPR requires that organisations processing personal data for research purposes adopt technical and organisational measures to provide appropriate safeguards for the rights and freedoms of the data subject, and that those safeguards should in particular ensure respect for the principle of data minimisation. Pseudonymisation, where it would not undermine the function of the research, is mentioned as one example of an appropriate safeguard but in general the GDPR is not prescriptive as to what form the safeguards should take. However, the GDPR expects researchers to use anonymised or pseudonymised data if such data is sufficient for their purposes. It is particularly important therefore that researchers are able to demonstrate that they have given proper consideration to the question of whether they could achieve their objectives without the use of fully identifiable personal data.
The Data Protection Bill supplements the GDPR by stipulating that the requirement for appropriate safeguards will not be met if the processing is likely to cause substantial damage or substantial distress to a data subject or if it forms the basis for decisions or measures relating to a particular individual. (The latter condition will not apply to interventional medical research that has been approved by a NHS Ethics Committee.)
At present, the ICO recommends as good practice that organisations that share personal data for specific purposes should have a written agreement in place setting out their respective roles and responsibilities. Under the GDPR, it will be compulsory for joint data controllers (ie organisations that jointly decide how and why personal data should be used) to have such an agreement in place, and for this to indicate in particular their respective responsibilities in relation to data subjects, including which controller will be responsible for providing the prescribed information. This requirement will affect any research project carried out in collaboration with other institutions where the purposes and means of processing are decided jointly. Researchers should seek advice from Research Services with respect to all such agreements.
If a researcher is using a third party to collect or process personal data on its behalf (a ‘data processor’), it must have a written agreement with that third party. The GDPR is quite prescriptive in terms of what such a written agreement must say. Researchers should seek advice from Research Services with respect to all such agreements.
At present, the ICO recommends that, as a matter of good practice, organisations carry out a Privacy Impact Assessment when planning a new project that involves the processing of personal data. Under the GDPR, it will be compulsory to carry out a Data Protection Impact Assessment ('DPIA') (the new term for a Privacy Impact Assessment) for any project that is likely to pose a ‘high risk’ to the rights and freedoms of individuals. (Such an assessment is part of the general requirement for ‘privacy by design/default’, whereby data protection requirements are to be embedded into systems and processes from the beginning.)
The GDPR does not define ‘high-risk’ but gives as one example the ‘large-scale’ processing of special category data. It is likely therefore that a DPIA will be required for some research projects, particularly those in the medical field. The ICO is required to publish a list of the types of processing operations requiring a DPIA and further guidance will be issued once this list is available. Even if a full blown DPIA is not necessary, researchers need to be in a position to demonstrate that they have proactively addressed the data protection implications of their projects, in order to comply with the requirements for accountability and privacy by design.