Research and Innovation Services

General Data Protection Regulation (GDPR) Guidance for Research

The EU General Data Protection Regulation (GDPR) comes into force on 25 May 2018. It will be complemented by a new UK Data Protection Act to replace the 1998 Act.

This document provides practical guidance on the new legislation with respect to research involving person-based data (personal data).
                   
Contents

1.  Context
2.  Ensuring Compliance – A Starting Point
    2.1  GDPR Research Data Registration
    2.2  Compliance Principles
3.  When Does the GDPR Apply?
4.  Principles of GDPR relating to the Processing of Personal Data
    3.1  Fair Processing
        3.1.1  When personal data is obtained directly from the data subject
        3.1.2  When personal data is not obtained directly from the data subject
        3.1.3  Research Exemption - provision of information to data subjects
        3.1.4  Research Exemption and Public Transparency
        3.1.5  Further Aspects of Fair Processing
        3.1.6  Further information – Good Practice
4.  Lawful (Legal) Basis for Processing Personal Data
    4.1  Lawful Basis (not special category data)
        4.1.1  Note on Consent
    3.2  Special Category Data
        4.1.2  What are Article 89 safeguards?
4.  Consent to Process GDPR data
    4.1  Explicit Consent to Process Special Category Data
        4.1.3  Consent in Practice
        4.1.4  Informed Consent, GDPR Consent and Research
5.  Data Subject Rights and Exemptions
    5.1  Minimum Safeguards
    5.2  Exemptions for Research (where consent has been used as a lawful basis for processing)
6.  Data Transfers Outside of the EU
7.  High Risk Processing (special category data)
    7.1  Data protection by design
    7.2  Data Protection Impact Assessments (DPIA)
    7.3  Contracts and Third Party Data Processing
8.  Contacts
Appendix 1 – Template Privacy Notice
                       
1.  Context

The GDPR adopts a "broad" definition of research, encompassing the activities of public and private entities alike. The GDPR aims to encourage innovation, as long as organisations implement appropriate safeguards.

It should be noted that actions required to comply with the GDPR do not replace or supersede actions that would be required under any other framework, such as ethical approval – they must exist together.

Controller - A 'controller' determines the purposes and means of processing personal data, and is also jointly responsible for the processing of personal data that is conducted under its auspices. In the context of research the controller can be considered to be both the University and the lead researcher (who has responsibility for the governance of the data collected as part of the research project they are leading).

Processor - A 'processor' processes personal data on behalf of a controller. Processors can be third parties, for example an external data repository, a survey site, or an external transcriber of qualitative data.

Under the GDPR, in order for the processing of personal data in research to be lawful, both of the criteria below must be satisfied:

1 A lawful basis to process the personal data under the GDPR must be identified and documented – this is discussed in the section on Lawful (Legal) Basis for Processing Personal Data.

2 Any other relevant legal frameworks must also be satisfied, such as ethical approval and the common law duty of confidentiality.
                 
                       
                2.  Ensuring Compliance – A Starting Point 
                         
                    2.1 GDPR Research Data Registration 
                 
                Any researcher who wishes to process personal data as part of their research must 
                complete the Research Data Registration form. 

NB This applies to data held in any form, including paper, tapes, audio, video, CCTV and microfiche, as well as data held electronically.
              
2.2 Compliance Principles

When processing personal data for purposes relating to research, individuals must comply with the Data Protection Policy and these principles:

- Participants providing their data will receive a Privacy Notice when their data is collected.
- To process personal data the researcher must have a lawful basis.
- When undertaking research involving personal data the individual must complete the Research Registration Form prior to commencing their research.
- The University requires that personal data processed (collected/stored/destroyed) as part of any research project is processed using University approved systems only.
- Personal data must be kept secure at all times.
- When collecting personal data, only the minimum amount of personal data necessary to undertake the research will be collected.
- Participants must be notified of the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period.
- Wherever possible data should be collected, stored or handled in an anonymous form. If that is not possible, personal data should be pseudonymised and/or processing kept to a minimum.
- Where a third party is used to collect or process personal data on the researcher's behalf (a 'data processor'), there must be a formal written agreement with that third party. This includes companies or individuals offering a transcription service, storage of information, or survey tools.
- Researchers may also need to share personal data with other data controllers (e.g. collaborative projects with other HEIs). Joint controllers will need to have agreements or protocols in place which set out their respective obligations for data protection compliance.
- A Data Protection Impact Assessment must be completed for any project that would be likely to pose a 'high risk' to the rights and freedoms of individuals.
- Researchers must keep records to be able to demonstrate compliance with data protection laws. This would include keeping records relating to consent (if it is relied upon as a lawful basis), copies of fair processing notices agreed by individuals, copies of DPIAs where appropriate and any agreements relied upon.
                
         Further guidance on these areas can be found on The Hub or the University Data 
         Compliance webpages, including ‘GDPR guidance for Research’.  
                       
         If you require further information or have any questions then please read the remainder of 
         this document and contact: Rhys Davies, the Information Compliance Officer.  
              
         3.  When Does the GDPR Apply? 
          
The GDPR is relevant to research that seeks to collect or process personal data. The data can be obtained directly from a participant or obtained via a third party.

'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (GDPR, Art. 4(1))

Truly anonymised datasets, in which individuals are no longer identifiable (not pseudonymised or coded), are exempt from European data protection law. However, the act of anonymising data implies that personal data has already been collected/processed, and this will itself have required compliance with the GDPR.
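The distinction between pseudonymised (or 'coded') data and truly anonymised data is easy to get wrong in practice, and the compliance principle above that asks for pseudonymisation where anonymisation is not possible depends on doing it properly. The following Python example is added here as an illustration and is not part of the University guidance; the sample records are constructed, and the identifier format (an 8-digit student number beginning "2017") is an assumption made for the example. It shows why replacing an identifier with a plain hash is not anonymisation (the identifier space is small enough to enumerate in full), and why even a keyed pseudonym leaves the dataset as personal data: whoever holds the key can re-link it, which is exactly the 'additional information' the GDPR definition of pseudonymisation refers to.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (not real data). The identifier format, an
# 8-digit student number beginning "2017", is an assumption made for this
# example.
SAMPLE_RECORDS = [
    {"student_id": "20170042", "score": 71},
    {"student_id": "20171337", "score": 64},
    {"student_id": "20179999", "score": 88},
]


def student_id_space():
    """Every identifier the assumed format can take: "2017" followed by
    four digits, i.e. only 10,000 candidates."""
    return (f"2017{n:04d}" for n in range(10_000))


def naive_pseudonymise(record):
    """'Code' the identifier with a plain SHA-256 digest.

    This looks anonymised but is not: the digest depends only on the
    identifier, so anyone can recompute it for every candidate.
    """
    coded = dict(record)
    coded["student_id"] = hashlib.sha256(record["student_id"].encode()).hexdigest()
    return coded


def reidentify_naive(digest, id_space):
    """Reverse an unkeyed digest by enumerating the identifier space.

    Returns the matching student number, or None if no candidate matches.
    """
    for candidate in id_space:
        if hmac.compare_digest(hashlib.sha256(candidate.encode()).hexdigest(), digest):
            return candidate
    return None


def keyed_pseudonymise(record, key):
    """Replace the identifier with an HMAC-SHA256 pseudonym under a secret key.

    The key is the "additional information" that allows re-identification:
    it must be held separately from the dataset (by the lead researcher,
    not in the analysis environment), and because it exists the dataset is
    still personal data under the GDPR.
    """
    coded = dict(record)
    coded["student_id"] = hmac.new(key, record["student_id"].encode(), "sha256").hexdigest()
    return coded


def reidentify_keyed(digest, id_space, key):
    """Re-link a keyed pseudonym. Only the key holder can do this; with the
    wrong key (or no key) every candidate fails and None is returned."""
    for candidate in id_space:
        if hmac.compare_digest(hmac.new(key, candidate.encode(), "sha256").hexdigest(), digest):
            return candidate
    return None


def demo():
    """Run both schemes over the sample records and report who can re-link them."""
    key = secrets.token_bytes(32)  # generated once, stored apart from the data
    naive = [naive_pseudonymise(r) for r in SAMPLE_RECORDS]
    keyed = [keyed_pseudonymise(r, key) for r in SAMPLE_RECORDS]
    return {
        # attacker without any key vs. the unkeyed scheme: every record comes back
        "naive_recovered": [reidentify_naive(r["student_id"], student_id_space()) for r in naive],
        # attacker without the key vs. the keyed scheme: nothing comes back
        "keyed_without_key": [reidentify_naive(r["student_id"], student_id_space()) for r in keyed],
        # key holder vs. the keyed scheme: re-identification still works
        "keyed_with_key": [reidentify_keyed(r["student_id"], student_id_space(), key) for r in keyed],
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

Two practical points follow from this. First, the key must never travel with the dataset: if it sits in the same project folder or the same shared drive, the "pseudonymised" dataset is directly identifiable to everyone who can read it. Second, even with the key held separately, the remaining columns (scores, dates, free-text answers) can still single out individuals, so pseudonymisation is a safeguard that reduces risk rather than a route out of the GDPR; only data from which no individual can be identified by any means reasonably likely to be used is anonymous.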
        
       For further information on Anonymisation please read the ICO Guidance - 
       https://ico.org.uk/media/for-organisations/documents/1061/anonymisation-code.pdf 
        
           
4.  Principles of GDPR relating to the Processing of Personal Data

Principle 1
Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject ('lawfulness, fairness and transparency'); GDPR, Art.5(1)(a)
         
        Principle 2 
        Personal data shall be collected for specified, explicit and legitimate purposes and not 
        further processed in a manner that is incompatible with those purposes; further processing 
        for archiving purposes in the public interest, scientific or historical research purposes or 
        statistical purposes shall, in accordance with Article 89(1), not be considered to be 
        incompatible with the initial purposes ('purpose limitation'); GDPR, Art.5(1)(b) 
         
        Principle 3 
        Personal data shall be adequate, relevant and limited to what is necessary in relation to 
        the purposes for which they are processed ('data minimisation'); GDPR, Art.5(1)(c) 
         
        Principle 4 
        Personal data shall be accurate and, where necessary, kept up to date; every reasonable 
        step must be taken to ensure that personal data that are inaccurate, having regard to the 
        purposes for which they are processed, are erased or rectified without delay 
('accuracy'); GDPR, Art.5(1)(d)
         
        Principle 5 
        Personal data shall be kept in a form which permits identification of data subjects for no 
        longer than is necessary for the purposes for which the personal data are processed; 
        personal data may be stored for longer periods insofar as the personal data will be 
        processed solely for archiving purposes in the public interest, scientific or historical 
        research purposes or statistical purposes in accordance with Article 89(1) subject to 
        implementation of the appropriate technical and organisational measures required by this 
        Regulation in order to safeguard the rights and freedoms of the data subject ('storage 
        limitation'); GDPR, Art.5(1)(e) 
         
        Principle 6  
        Personal data shall be processed in a manner that ensures appropriate security of  