GDPR and Research Ethics
General Data Protection Regulation & Research Ethics
The EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 govern the processing (acquiring, holding, using, etc.) of personal data in the UK. Although the new legislation has not been designed specifically for research, it is important that you, as a researcher, understand what GDPR means for you and the personal data that is processed during your research. The Information Commissioner’s Office (ICO) is the regulator and provides guidance for compliance with the new legislation in its GDPR guide, which applies to all sectors and is not research-specific.
Organisations that process personal data, or control its processing, are accountable for compliance with the new legislation through their Data Protection Officers and research management functions. In the case of academic researchers, these organisations will be universities. For researchers in Independent Research Organisations (IROs), these will be the organisations to seek advice from. Data Protection Officers and research management teams are a good, local source of advice for you.
Implications for Research Integrity
UKRI supports the principles in the Concordat on Open Research Data, which recognise that research data should, wherever possible, be made available for use by others in a manner consistent with relevant legal, ethical and disciplinary frameworks and norms. The GDPR does not prevent research data from being archived and shared for research use by others, as long as the data protection principles are met. For example, where researchers collect data directly from participants, they should discuss with those participants their intention to reuse the data in further research and to deposit it in an archive. Where participants expect their data to be kept confidential, sharing can only take place with the participant’s permission or through another legal avenue if their permission cannot be obtained (e.g. for confidential patient information, s251 support from the Confidentiality Advisory Group in England and Wales; Caldicott Guardian or Public Benefit and Privacy Panel approval in Scotland; or the equivalent in Northern Ireland). Sharing of all individual participant-level data should take place through managed processes, with controls over access and usage, in order to protect participants from the risks of re-identification.
What are my obligations under the GDPR?
All research projects require a Research Data Protection Impact Assessment. You will have to state in your project information sheets that you have undertaken this. The purpose of this assessment is to identify risks in the handling of personal data. You also have to include information about a data privacy notice in your study information. The best format for these will depend on each individual project. We are working closely with the QUB Information Compliance Unit to produce drafts for each of these. Their website holds helpful information.
Further information on GDPR
- GDPR Information from the QUB Information Compliance Unit: http://www.qub.ac.uk/about/Leadership-and-structure/Registrars-Office/Information-Compliance-Unit/GeneralDataProtectionRegulationGDPR/
- GDPR text: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN
- GDPR Guide to organisations by the Information Commissioner’s Office: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/
- UK Data Services presentation on ethical and legal context for managing and sharing data from human participants: ukdataservice.ac.uk/media/605103/ukds_ethicallegal.pdf