GDPR Compliant Research

Background

The General Data Protection Regulation (GDPR) and Data Protection Act 2018 came into force on 25 May 2018. Together they provide the framework for data protection compliance across the UK and apply to all activities involving the processing of personal data, special category data or criminal convictions or offences data.

This means if your research involves human participants, you will have to comply with both pieces of legislation. The guidance below sets out the key issues to consider when planning and delivering a research project involving personal data, special category data or criminal offences and conviction data.

1. Data protection by design and default

The GDPR creates a legal obligation to think about and mitigate data protection issues and privacy concerns at the project planning stage, before any data is gathered. This should not, in many respects, create a new obligation for researchers as data protection issues were always considered as part of the ethics approval process. The University has, however, issued updated guidance to ethics chairs to incorporate some additional questions into existing ethics application forms to ensure all relevant questions are addressed. 

In addition, in certain circumstances, Data Protection Impact Assessments (DPIAs) should be undertaken at the project planning stage where privacy risks are considered high. The University has published a set of screening questions to determine whether individual projects require a DPIA, along with a template assessment form and guidance on completion and submission. All ethics application forms have been amended to incorporate a question around DPIA screening to ensure the requirement is not overlooked. For further information and for a copy of the screening questions and template, see https://www.york.ac.uk/records-management/dp/dataprivacyimpactassessments/.

 

2. Data sharing arrangements

Where proposed research projects involve collaboration with third parties (e.g. another university, NHS Trust or other external partner) and the sharing of personal data, special category data, criminal convictions or offences data or pseudonymised data is anticipated, an appropriate contract or data sharing agreement must be put in place before any data is exchanged.

Requests for agreements should be channelled through the University’s IP and Legal Team. For contact details see here.

 

3. International data transfers

Under the GDPR, personal data should not be transferred outside the European Economic Area (EEA) (i.e. the EU countries or Iceland, Norway and Liechtenstein) without appropriate safeguards in place. In terms of safeguards, data can, for example, be transferred:

  • where the EU Commission has made an adequacy decision; 

  • to the US under the EU-US Privacy Shield framework; 

  • where all parties have entered into the EU Commission’s ‘standard contractual clauses’ (also known as ‘model clauses’).

If your proposed research involves transfer of personal data outside the EEA, contact dataprotection@york.ac.uk for further advice.

4. Determining the legal basis

Under the GDPR, the University must identify a relevant legal basis to use personal data or, in the case of special category data or criminal conviction data, an additional legal basis.

Personal data

The majority of University research involving personal data will be conducted under Article 6 (1) (e) of the GDPR i.e.

Processing is necessary for the performance of a task carried out in the public interest

The University’s ‘public task’ is derived from our constitution and legal powers. In particular, our constitutional document states:

The objects of the University shall be to advance learning and knowledge by teaching and research, and to enable students to obtain the advantages of University education.

Source: https://www.york.ac.uk/about/organisation/governance/charter-statutes-archive/

Special categories of personal data

If the research contains data relating to: 

  • racial or ethnic origin;

  • political opinions;

  • religious or philosophical beliefs;

  • trade union membership;

  • data concerning health;

  • sex life and sexual orientation;

  • genetic data;

  • biometric data.

the University will typically rely on Article 9 (2) (j) of the Regulation in addition to 6 (1) (e) i.e.

Processing is necessary for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes in accordance with Article 89 (1)

Article 89 (1) sets out the technical and organisational safeguards that must be put in place before special category data can be used for scientific and historical research purposes. These are:

  1. that we only gather the minimum amount of personal data necessary for the specified research purpose (e.g. if we don’t need to collect information about ethnicity, we don’t ask for it); 

  2. that data is anonymised wherever possible, either at point of capture or once collated; 

  3. where data cannot be anonymised, it is, wherever possible, pseudonymised i.e. separated from the raw personally identifiable data and linked via a unique identifier.

In addition, at all times, you must ensure:

  1. appropriate technical and organisational measures are in place to protect personal data (see security section below);

  2. the research is in the public interest (this will best be determined by the researcher in conjunction with the relevant ethics committee).

Consent

Under the GDPR, the University will not rely on consent as the legal basis for undertaking research. However, in line with best ethical practice and in order to demonstrate compliance with the common law duty of confidentiality, the University will, typically, obtain consent from data subjects to participate in research.

Where it is envisaged consent cannot be obtained from the data subject, this should be addressed during the ethics approval process.

5. Privacy Notices

In order to comply with the fairness and transparency principle under the GDPR, data subjects should be provided with a Participant Information Sheet at point of first contact that sets out, at a minimum:

  • the identity and contact details of the data controller (typically, the University of York);

  • a description of the project and the expected role of the participant;

  • any significant risks to the participant arising from involvement;

  • the safeguards in place to mitigate risk; 

  • the participant's consent to take part;

  • the legal basis for undertaking research (see section above); 

  • a point of contact for further information in relation to the project (e.g. the project lead) as well as the contact details of the Data Protection Officer (i.e. dataprotection@york.ac.uk) for any data protection questions, comments or complaints; 

  • the mechanism for handling data subject rights requests;

  • assurances around the handling of data; 

  • data sharing arrangements.

All Ethics Chairs have been issued with a standard GDPR compliant Participant Information Sheet. These templates have been amended by individual departments to better reflect departmental need and can be made available, on request, for reuse. For further information contact your department’s ethics committee.

6. Security

Personal data should be kept secure. The University’s IT Service has issued a number of resources relating to IT security, including guidance on protecting confidential information, remote access arrangements, safe data sharing procedures and password management. For further information, see https://www.york.ac.uk/about/departments/support-and-admin/information-services/information-policy/info-policy-and-you/security/.

Paper records should be kept secure, locked away when not in use, shared on a need-to-know basis only and securely disposed of when no longer needed. For further information, see https://www.york.ac.uk/records-management/records/guidance/guides/ and, in particular, https://www.york.ac.uk/media/recordsmanagement/yrkstaffstudentonly/Data%20Security%20RM8v1.pdf.

7. Participant rights

Under the GDPR, data subjects (e.g. research participants) have the following general rights:

  • a right to be informed (i.e. to be told about the collection and use of their personal data)

  • a right of access (i.e. a right to obtain a copy of personal data together with other supplementary information)

  • a right to rectification (i.e. a right to have inaccurate personal data corrected or, if incomplete, completed)

  • a right to erasure (i.e. a right, in certain circumstances, to have personal data deleted)

  • a right to restrict processing (i.e. a right, in certain circumstances, to limit the way that personal data can be used)

  • a right to data portability (i.e. a right, in certain circumstances, for individuals to obtain personal data in a commonly used and machine-readable format for reuse by another service)

  • a right to object (i.e. a right, in certain circumstances, to request that processing of personal data stops)

  • rights in relation to automated decision making and profiling (i.e. a right, in certain circumstances, to restrict the use of automated decision making or profiling)

In relation to research, certain rights can be restricted where compliance would ‘prevent or seriously impair the achievement of the research purpose’ as long as ‘appropriate safeguards’ are in place to protect the research data. The decision to restrict subject rights will ultimately rest with the lead researcher. Specifically, the following rights can be restricted:

  • the right to rectification;

  • the right to restrict processing;

  • the right to object to processing;

  • the right to erasure.

When determining whether to restrict research participant rights, the following factors should be considered:

1. the timing of the request

It would, for example, be appropriate in most circumstances to delete the data of a research participant one week after it was gathered. Realistically, deletion would be unlikely to adversely affect the goals of the research project or undermine the project's integrity, and would be easy to action. By comparison, a request from 25% of research participants to delete data would be likely to adversely affect the research objectives and be difficult to action. Equally, a request for deletion close to publication would, again, be difficult to accommodate.

2. the type of data

Where potential risk of harm and distress is high, there is a stronger argument to delete participant data. For example, requests for deletion where special category data is being processed carry a greater weight than a request for deletion from a paper-based survey that gathers little personal data. Again, the timing of the request will be a factor in this assessment as will the feasibility of deleting the data.

3. the resource implication of deletion

Resource implication will best be determined by the lead researcher and will hinge on the way data is organised and the systems used to store it. A request for deletion where the data is stored in a simple spreadsheet will be easier to action than a request where the data is held in various linked complex databases. Resource implications should not, however, be the only factor considered when deciding whether to action a subject's request for erasure. 

Finally, under the legislation, requests for access to personal data will not have to be complied with where:

  • the research outputs will not be published in an identifiable form;

  • the appropriate health professional considers disclosure likely to cause serious harm.

8. Further information

If you have any further questions, contact the University’s Data Protection Officer at dataprotection@york.ac.uk.