GDPR and Research Ethics
General Data Protection Regulations (GDPR)
General Data Protection Regulation & Research Ethics
The EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 govern the processing (acquiring, holding, using, etc.) of personal data in the UK. Although the new legislation has not been designed specifically for research, it is important that you, as researcher understand what GDPR means for you and the personal data that’s processed during your research. The Information Commissioner’s Office (ICO) is the regulator and provides guidance for compliance with the new legislation in their GDPR guide, which applies to all types of sectors and is not research-specific.
Organisations that process personal data, or control its processing, are accountable for compliance with the new legislation through their Data Protection Officers and research management functions. In the case of academic researchers, these organisations will be universities. For researchers in Independent Research Organisations (IROs), these will be the organisations to seek advice from. Data Protection Officers and research management teams are a good, local source of advice for you.
What counts as ‘personal data’?
Personal data is data that relates to living people from which they can be directly or indirectly identified - direct identifiability being from the data itself, or indirect identifiability being from the combination of the data with other available data. The ICO provide detailed guidance on this – for more information see What is personal data?
Data that has been pseudonymised (with identifiers separated) may still be personal data, depending on how hard it is to reconnect the identifiers with the dataset. Robust controls that separate the two - for example, a legal agreement that prevents re-identification and controls access to the identification key - will help protect the data so that it may be possible to classify it as not personal data to those that do not have access to the key.
It is also worth noting that the action of anonymising counts as processing personal data for the purposes of GDPR. At the time of writing, the ICO is working to develop new guidelines on anonymisation, which will be published in due course. The advice given by the UK Anonymisation Framework is also useful in this regard.
- How does GDPR impact research?
GDPR was not designed to impede research and allows research certain privileges. It recognises that any data can be useful for research, and that research can be a long-term endeavour – for example, the ICO say data can be stored for research indefinitely, where the controller has set out legitimate justification for such indefinite retention. Research can therefore be exempt from the purpose and storage limitations as long as the other data protection principles and specific safeguards are met.
The new law demands that data processing is lawful, fair and transparent. UKRI-funded research organisations will have an obvious lawful basis for their research activity (see below). The greatest changes are around implementing new transparency requirements and meeting the necessary safeguards, where these do not already reflect current good research practice. In health and social research, for example, the safeguard requirements can largely be demonstrated by reference to existing university research governance systems (e.g. assurance that ethical approval is in place).
- How do I make sure my data processing for research is lawful?
All research organisations must meet all legal requirements relevant to the processing activity (e.g. common law of confidentiality) and specify a lawful basis for data processing for their activities. If you are processing personal data for research purposes, you should know the lawful basis you are relying on because you may be asked to specify it. There are six lawful bases and at least one must apply.
The most likely lawful basis for research in UKRI Institutes and in universities (as public authorities) is ‘task in the public interest’. Organisations can demonstrate they meet the requirements to use this lawful basis by reference to their legal constitutions, or because they are operating under a relevant statute that specifies research as one of the purposes of the organisation, e.g. for universities: University Charter, Education Reform Act, Universities Scotland Act; for UKRI research institutes: Higher Education and Research Act. Using this lawful basis helps to assure research participants that the organisation is credible and using their personal data for public good.
For non-public authorities such as charities and commercial research organisations (e.g. Independent Research Organisations) ‘legitimate interests’ is likely to be the appropriate lawful basis for processing personal data for research. This helps to assure participants that there are compelling reasons for processing their personal data for research.
- The role of consent
Consent is another lawful basis for processing personal data but researchers need to bear in mind that:
- The ICO say that you are likely to consider consent when no other lawful basis applies.
- Consent as one of GDPR’s lawful bases for legally processing personal data is different to, and should not be confused with, consent that researchers usually seek from people to participate in a project (see below).
When processing special categories of data, like personal data about health, ethnicity, political opinions, religious beliefs, etc., you must meet an additional condition. In these cases, the most likely condition will be that such processing is ‘necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with safeguards’.
In research, we usually seek consent from people to participate in a project. This is ethical, and needed for other legal reasons, for example if disclosing confidential information or if running a drug trial. Consent discussions should include all relevant aspects of the research project including any sharing of confidential information, so participants can make an informed decision about whether to take part. Therefore, it is important to continue to include the processing of personal data, if that is part of the project, in research consent discussions. However, ‘consent’, as defined by GDPR, is not likely to be the lawful basis for processing personal data for research purposes; therefore, the consent requirements of GDPR are unlikely to apply to research.
- What do I need to do to be fair and transparent?
Being fair with research participants includes respecting their rights and ensuring that personal data is used in line with their expectations. Transparency is therefore intrinsically linked to fairness. The fairness and transparency requirements give control to participants: they have greater awareness of how their data is being used and can object if they wish.
The new legislation sets out the transparency information that should be provided to participants (information does not need to be provided to participants if they already have it). Transparency information must be concise, easy to understand and easy to find.
Transparency information is best provided at both the corporate and research project levels (a layered approach). Work with your Data Protection Officer to ensure that the information you provide to participants is coordinated, relevant and understandable, and explains how data is used to support research. Good research transparency should help participants understand that data is commonly linked with other data sources, kept for a long time, reused to address important research questions and how their interests are protected, as well as meeting all other transparency requirements as outlined in the link above.
Organisations should display corporate privacy information about research where people will notice it, for example, links on website homepages. Help your participants to notice privacy information using communication methods appropriate for your study population, for example, links from participant information sheets. You can provide further detail in departmental or project materials.
It’s important to use best endeavours or appropriate measures to help people notice transparency information. What these measures look like depend on the level of contact you have with participants. Where you have direct contact, e.g. if you interview participants as part of your research, or you regularly communicate with them via a newsletter, there are obvious routes to provide them with information. If you have no direct contact with participants, using other methods that are appropriate for your study population will be needed (e.g. notices in waiting rooms, social media or local newspapers). Discuss the appropriate measures with your Data Protection Officer.
Where data was not collected from participants, but from other sources, there are exemptions to transparency requirements if the provision of information is ‘impossible’ or involves ‘disproportionate effort’. In these circumstances GDPR transparency information must be publicly accessible as a minimum, further efforts to help people notice it are not required. If you think this exemption might apply, discuss this with your Data Protection Officer.
Implications for Research Integrity
UKRI supports the principles in the Concordat on open Research Data that recognise that research data should wherever possible be made available for use by others in a manner consistent with relevant legal, ethical and disciplinary frameworks and norms. The GDPR does not prevent research data from being archived and shared for research use by others, as long as the data protection principles are met. An example is where researchers collect data directly from participants, you should discuss their intention to reuse in further research and to deposit in an archive. Where participants expect their data to be kept confidential, sharing can only take place with the participant’s permission or through another legal avenue if their permission cannot be obtained (e.g. for confidential patient information s251 support from the Confidentiality Advisory Group in England and Wales; Caldicott Guardian or Public Benefit and Privacy Panel approval in Scotland; or equivalent in Northern Ireland). Sharing all individual participant level data should be through managed processes, with controls over access and usage, in order to protect participants from the risks of re-identification.
What are GDPR safeguards?
Safeguards are protections for participants, and include (but are not limited to):
- not causing substantial damage or distress to research participants (research ethics approval helps here);
- not making decisions or measures that affect individuals on the basis of research personal data (this is not likely to be relevant for the majority of research). There is an exception to this for ethically approved medical research;
- respecting the principle of data minimisation, i.e. processing personal data that’s adequate (sufficient to fulfil the research purpose), relevant and limited to what is necessary; anonymising or pseudonymising, where possible;
- understanding the importance of privacy, confidentiality and security (working to your employer’s codes of conduct, IT policies and technical standards will help here);
- meeting a separate public interest test for processing special categories of personal data over and above using ‘task in the public interest’ as the lawful basis, such as peer review from a public funder or research ethics committee approval.
- Who is responsible?
Data controllers (i.e. organisations, through their Data Protection Officers) are accountable to the ICO, so you, as a researcher, shouldn’t make decisions relating to legal compliance alone. Ensure you know which organisation is the data controller for your research. This might be the organisation you work for, or in health research it will most likely be the sponsor of your project (which is usually the substantive employer of the Chief Investigator). You may even have more than one controller. Talk to your Data Protection Officer, research managers or to your data support services.
This is particularly important if a research participant asks you about their personal data rights, for example if they ask to withdraw from your study. Data Protection Officers are responsible for managing requests about rights and will know how to apply the exemptions that are available to research, which are conditional on meeting further safeguards.
Data Protection Officers also have to meet the new accountability requirements, which you may need to feed into (e.g. Data Protection Impact Assessments).
There are specific requirements for transferring personal data to non-EU countries which may impact international collaborative research. Again, if this applies, seek advice from your Data Protection Officer.
The General Data Protection Regulation (GDPR) came into force in May 2018, and all EU-based researchers have to comply with this law. The Regulation deals with how and under what circumstances personal data can be accessed and processed. There are some implications for researchers from GDPR, although strictly speaking, most research undertaken prior to GDPR was already compliant with the new regulation, as the regulations in the Data Protection Act were very similar. However, GDPR is more explicit about the rights of the participants and places more emphasis on the transparency of data handling.
Your research should comply with the following four basic principles for research involving human participants, to be GDPR compliant:
- You have gained informed consent, including for any data sharing and data preservation;
- You anonymise personal data and treat any personal information with confidence. (Note: Once data is anonymised GDPR does not apply anymore to this data);
- You regulate access to personal data very clearly and transparently;
- You store personal and sensitive data securely.
The legal foundation for processing are set out in Article 6 of the GDPR. At least one of these legal bases must apply whenever you wish to process personal data:
- Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
- Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
- Vital interests: the processing is necessary to protect someone’s life.
- Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
- What does this mean for academic research?
Teaching and research at university are normally regarded as public tasks, so in most cases we can use this as a legal basis to access and process personal information. However, this must be made clear and it must be transparent on project information sheets. Still, personal data can only be collected, processed and held if there is a case that this is necessary.
If research is funded by a private funder, the ‘legitimate interest’ basis may apply. This is not normally used for academic research, but it can be used in cases where the research aids:
- new knowledge about “widespread medical conditions”, or
- the “long-term correlation of a number of social conditions”
Finally, if research is not clearly in the public interest or where it does not fulfil the conditions of being a ‘legitimate interest’, ‘consent’ can be used as a legal basis to undertake research. Consent must be ‘unambiguous, freely given, and specific’, that is: active consent must be sought for each element of the research project (personal data accessing, processing, analysing, storing archiving etc.) If you collect/access particularly sensitive data (religious belonging, political belief, union membership, ethnic background, health data, bio-metric and genetic data, sexual orientation), consent must be explicit for this.
You can find further information on Handling Personal and Sensitive Data in Research here.
- Is consent still required if my research is a ‘public task’?
The legal basis of ‘consent’ in GDPR is not to be confused with ‘common law’ consent that we expect researchers to seek from their participants. Using the legal basis of ‘public task’ or ‘legitimate interest’ as a gateway to access personal information does not relieve you from seeking consent from participants to take part in research as an ethical procedure. There are no changes here. Good practice is written active (opt-in) consent, but there are circumstances where passive (opt-out) consent or verbal consent is acceptable. There has to be a rationale for this.
- Keeping and storing personal data
Personal and identifiable information must not be kept longer than is required. Please refer to our QUB’s Research Data Management Policy for further guidance on data handling. The default position is that data should be held and stored securely for 5 years.
Under GDPR rules, personal data can be held indefinitely for archiving and historical purposes, but only a small proportion of research projects fall into the category that would merit this, namely, if it is for:
- archiving purposes in the public interest;
- scientific or historical research purposes; or
- statistical purposes
Note: Once your datasets are anonymised and individuals are no longer identifiable, GDPR does no longer apply (e.g. large anonymised survey dataset, anonymised interview transcript with pseudonyms etc.
What are my obligations under the GDPR?
All research projects require a Research Data Protection Impact Assessment. You will Have to state in your project information sheets that you have undertaken this. The purpose of this assessment is to identify risks in the handling of personal data. You also have to include information about a data Privacy notice in your study information. The best format of these will depend on each individual project. We are working closely with the QUB Information Compliance Unit to produce drafts for each of these. Their website holds helpful information.
Further information on GDPR
- GDPR Information from the QUB Information Compliance Unit: http://www.qub.ac.uk/about/Leadership-and-structure/Registrars-Office/Information-Compliance-Unit/GeneralDataProtectionRegulationGDPR/
- GDPR text: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN
- GDPR Guide to organisations by the Information Commissioner’s Office : https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/
- UK Data Services presentation on ethical and legal context for managing and sharing data from human participants: ukdataservice.ac.uk/media/605103/ukds_ethicallegal.pdf