Research and Innovation Services
General Data Protection Regulation (GDPR) Guidance for Research

The EU General Data Protection Regulation (GDPR) comes into force on 25th May 2018. It will be complemented by a new UK Data Protection Act to replace the 1998 Act. This document provides practical guidance on the new legislation with respect to research involving person-based data (personal data).

Contents
1. Context
2. Ensuring Compliance – A Starting Point
   2.1 GDPR Research Data Registration
   2.2 Compliance Principles
3. When Does the GDPR Apply?
4. Principles of GDPR relating to the Processing of Personal Data
   3.1 Fair Processing
      3.1.1 When personal data is obtained directly from the data subject
      3.1.2 When personal data is not obtained directly from the data subject
      3.1.3 Research Exemption - provision of information to data subjects
      3.1.4 Research Exemption and Public Transparency
      3.1.5 Further Aspects of Fair Processing
      3.1.6 Further information – Good Practice
4. Lawful (Legal) Basis for Processing Personal Data
   4.1 Lawful Basis (not special category data)
      4.1.1 Note on Consent
   3.2 Special Category Data
      4.1.2 What are Article 89 safeguards?
4. Consent to Process GDPR data
   4.1 Explicit Consent to Process Special Category Data
      4.1.3 Consent in Practice
      4.1.4 Informed Consent, GDPR Consent and Research
5. Data Subject Rights and Exemptions
   5.1 Minimum Safeguards
   5.2 Exemptions for Research (where consent has been used as a lawful basis for processing)
6. Data Transfers Outside of the EU
7. High Risk Processing (special category data)
   7.1 Data protection by design
   7.2 Data Protection Impact Assessments (DPIA)
   7.3 Contracts and Third Party Data Processing
8. Contacts
Appendix 1 – Template Privacy Notice

1. Context

The GDPR adopts a broad definition of research, encompassing the activities of public and private entities alike. It aims to encourage innovation, provided that organisations implement appropriate safeguards. Actions required to comply with the GDPR do not replace or supersede actions required under any other framework, such as ethical approval; the two must coexist.

Controller - A 'controller' determines the purposes and means of processing personal data, and is responsible for the processing of personal data conducted under its auspices. In the context of research, the controller can be considered to be both the University and the lead researcher (who is responsible for the governance of the data collected as part of the research project they lead).

Processor - A 'processor' processes personal data on behalf of a controller. Processors may be third parties, for example an external data repository, a survey site, or an external transcriber of qualitative data.

Under the GDPR, for the processing of personal data in research to be lawful, both of the following criteria must be satisfied:
1. A lawful basis to process the personal data under the GDPR must be identified and documented (see the section on Lawful (Legal) Basis for Processing Personal Data).
2. Any other relevant legal framework must also be satisfied, such as ethical approval and the common law duty of confidentiality.

2. Ensuring Compliance – A Starting Point

2.1 GDPR Research Data Registration

Any researcher who wishes to process personal data as part of their research must complete the Research Data Registration form.
NB: This applies to data held in any form, including paper, tapes, audio, video, CCTV and microfiche, as well as data held electronically.

2.2 Compliance Principles

When processing personal data for research purposes, individuals must comply with the Data Protection Policy and the following principles:
- Participants providing their data will receive a Privacy Notice when their data is collected.
- The researcher must have a lawful basis to process personal data.
- Anyone undertaking research involving personal data must complete the Research Registration Form before commencing the research.
- The University requires that personal data processed (collected, stored or destroyed) as part of any research project is processed using University-approved systems only.
- Personal data must be kept secure at all times.
- Only the minimum amount of personal data necessary to undertake the research will be collected.
- Participants must be notified of the period for which their personal data will be stored or, if that is not possible, the criteria used to determine that period.
- Wherever possible, data should be collected, stored and handled in anonymous form. Where that is not possible, personal data should be pseudonymised and/or processing kept to a minimum.
- Where a third party collects or processes personal data on behalf of the researcher (a 'data processor'), there must be a formal written agreement with that third party. This includes companies or individuals offering transcription services, storage of information, or survey tools.
- Researchers may also need to share personal data with other data controllers (e.g. in collaborative projects with other HEIs).
  Joint controllers will need agreements or protocols in place setting out their respective obligations for data protection compliance.
- A Data Protection Impact Assessment must be completed for any project likely to pose a 'high risk' to the rights and freedoms of individuals.
- Researchers must keep records that demonstrate compliance with data protection law. This includes records relating to consent (where consent is relied upon as a lawful basis), copies of fair processing notices agreed by individuals, copies of DPIAs where appropriate, and any agreements relied upon.

Further guidance on these areas can be found on The Hub or the University Data Compliance webpages, including 'GDPR guidance for Research'. If you require further information or have any questions, please read the remainder of this document and contact Rhys Davies, the Information Compliance Officer.

3. When Does the GDPR Apply?

The GDPR is relevant to research that collects or processes personal data, whether the data is obtained directly from a participant or via a third party. The GDPR defines personal data as follows (Art. 4(1)):

'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Truly anonymised datasets, in which individuals are no longer identifiable (as opposed to pseudonymised or coded data), fall outside European data protection law. However, anonymising data implies that personal data has already been collected and processed, and that collection and processing must itself have complied with the GDPR.
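The distinction between pseudonymised and truly anonymised data is easy to get wrong in practice: replacing names and IDs with a hash is pseudonymisation, not anonymisation, because whoever holds the key (or can simply enumerate a small identifier space) can re-link the records to the participants. The Python below illustrates both points. It is an added example, not part of this guidance document or the University's systems; the participant records, the 5-digit ID format, the field names and the keys are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (fictional participants), not data from the guidance.
RAW_RECORDS = [
    {"participant_id": "10482", "name": "A. Example", "age_band": "25-34", "score": 71},
    {"participant_id": "20391", "name": "B. Sample", "age_band": "35-44", "score": 58},
    {"participant_id": "31117", "name": "C. Person", "age_band": "25-34", "score": 64},
]
DIRECT_IDENTIFIERS = ("participant_id", "name")  # assumed field names


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the identifier.

    Without `key` the mapping cannot be recomputed, so the key must be held
    separately from the research dataset (e.g. by the lead researcher, not on
    the shared analysis copy). While the key exists, the data is still personal data.
    """
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes):
    """Drop direct identifiers and attach a keyed pseudonym to each record."""
    out = []
    for rec in records:
        row = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        row["pseudonym"] = pseudonym(rec["participant_id"], key)
        out.append(row)
    return out


def reidentify(pseudonymised, key: bytes, candidate_ids):
    """What the key holder can do: rebuild the link from pseudonym to participant ID.

    This is why a pseudonymised dataset is NOT anonymised under the GDPR.
    """
    table = {pseudonym(pid, key): pid for pid in candidate_ids}
    return {row["pseudonym"]: table.get(row["pseudonym"]) for row in pseudonymised}


def naive_hash(identifier: str) -> str:
    """Unkeyed SHA-256, a common but mistaken 'anonymisation' of identifiers."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def crack_naive_hash(digest: str, id_space=range(10000, 100000)):
    """Anyone, not just the key holder, can reverse an unkeyed hash of a small
    identifier space (here 5-digit IDs, 90,000 guesses) by enumeration."""
    for pid in id_space:
        if naive_hash(str(pid)) == digest:
            return str(pid)
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # store this apart from the dataset
    rows = pseudonymise(RAW_RECORDS, key)
    print("analysis copy:", rows)
    ids = [r["participant_id"] for r in RAW_RECORDS]
    print("key holder re-links:", reidentify(rows, key, ids))
    print("unkeyed hash cracked:", crack_naive_hash(naive_hash("20391")))
```

Because `reidentify` succeeds for anyone with the key, and `crack_naive_hash` succeeds for anyone at all when the identifier space is small, neither approach produces an anonymised dataset in the sense of section 3: the records remain personal data and the collection, storage and sharing of both the data and the key must satisfy the principles listed above.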
For further information on anonymisation, please read the ICO Anonymisation code of practice: https://ico.org.uk/media/for-organisations/documents/1061/anonymisation-code.pdf

4. Principles of GDPR relating to the Processing of Personal Data

Principle 1: "Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject ('lawfulness, fairness and transparency');" GDPR, Art.5(1)(a)

Principle 2: "Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes ('purpose limitation');" GDPR, Art.5(1)(b)

Principle 3: "Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimisation');" GDPR, Art.5(1)(c)

Principle 4: "Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ('accuracy');" GDPR, Art.5(1)(d)

Principle 5: "Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject ('storage limitation');" GDPR, Art.5(1)(e)

Principle 6: "Personal data shall be processed in a manner that ensures appropriate security of