Filetype PDF | Posted on 30 Jan 2023 | 2 years ago
Authentication
digital resources
138x Filetype PDF File size 0.50 MB Source: uswvarious1.blob.core.windows.net
Research and Innovation Services
General Data Protection Regulation
(GDPR) Guidance for Research
th
The EU General Data Protection Regulation (GDPR) comes into force on 25 May 2018. It
will be complemented by a new UK Data Protection Act to replace the 1998 Act.
This document provides practical guidance on the new legislation with respect to research
involving person-based data (personal data).
Contents
1. Context .......................................................................................................................... 2
2. Ensuring Compliance – A Starting Point ........................................................................ 2
2.1 GDPR Research Data Registration ......................................................................... 2
2.2 Compliance Principles ............................................................................................ 3
3. When Does the GDPR Apply? ....................................................................................... 3
4. Principles of GDPR that relating to the Processing of Personal Data ............................. 4
3.1 Fair Processing ....................................................................................................... 5
3.1.1 When personal data is obtained directly from the data subject ......................... 5
3.1.2 When personal data is not obtained directly from the data subject ................... 6
3.1.3 Research Exemption - provision of information to data subjects ...................... 7
3.1.4 Research Exemption and Public Transparency ................................................ 7
3.1.5 Further Aspects of Fair Processing .................................................................. 8
3.1.6 Further information – Good Practice ................................................................ 8
4. Lawful (Legal) Basis for Processing Personal Data ........................................................ 9
4.1 Lawful Basis (not special category data) ................................................................. 9
4.1.1 Note on Consent ............................................................................................ 11
3.2 Special Category Data .......................................................................................... 11
4.1.2 What are Article 89 safeguards? .................................................................... 12
4. Consent to Process GDPR data ................................................................................... 13
4.1 Explicit Consent to Process Special Category Data .............................................. 13
4.1.3 Consent in Practice ........................................................................................ 13
4.1.4 Informed Consent. GDPR Consent and Research ......................................... 13
5. Data Subject Rights and Exemptions ........................................................................... 15
5.1 Minimum Safeguards ............................................................................................ 16
1 Research and Innovation Services
5.2 Exemptions for Research (where consent has been used as a lawful basis for
processing) ...................................................................................................................... 17
6. Data Transfers Outside of the EU ................................................................................ 19
7. High Risk Processing (special category data) .............................................................. 20
7.1 Data protection by design ..................................................................................... 20
7.2 Data Protection Impact Assessments (DPIA) ........................................................ 20
7.3 Contracts and Third Party Data Processing .......................................................... 21
8. Contacts ...................................................................................................................... 22
Appendix 1 – Template Privacy Notice ................................................................................ 23
1. Context
The GDPR adopts a “broad” definition of research, encompassing the activities of public and
private entities alike. The GDPR aims to encourage innovation, as long as organisations
implement appropriate safeguards.
It should be noted that actions required to comply with the GDPR do not replace or
supersede actions that would be required under any other framework such as ethical
approval – they must exist together.
Controller - A ‘controller’ determines the purposes and means of processing personal data,
and is also jointly responsible for the personal data that is conducted under its auspices. In
the context of research the controller can be considered to be both the University, and the
lead researcher (who has responsibility for the governance of the data collected as part of
the research project they are leading).
Processor - A ‘processor’ is responsible for processing personal data on behalf of a
controller. These can be third parties, for example an external data repository, survey site,
and possibly someone such as an external transcriber of qualitative data.
Under the GDPR, in order for the processing of personal data in research to be legal, both
criteria below must be satisfied:
1 A legal basis to process the personal data under the GDPR must be identified and
documented – this is discussed in section 3
2 Any other relevant legal frameworks that need to be met must be satisfied, such as ethical
approval (common law duty of confidentiality).
2. Ensuring Compliance – A Starting Point
2.1 GDPR Research Data Registration
Any researcher who wishes to process personal data as part of their research must
complete the Research Data Registration form.
2 Research and Innovation Services
NB This applies to data held in any form, including paper, tapes, audio, video, CCTV, and
Microfiche, as well as data held on electronically.
2.2 Compliance Principles
When processing personal data for purposes relating to research, individuals must comply
with the Data Protection Policy and these principles:
Participants providing their data will receive a Privacy Notice when their data is collected.
To process personal data the researcher must have a lawful basis.
When undertaking research involving personal data the individual must complete the
Research Registration Form prior to commencing their research.
The University requires that personal data processed (collected/stored/destroyed) as part
of any research project is processed using University approved systems only.
Personal data must be kept secure at all times
When collecting personal data, the minimum amount of personal data will be collected
that is necessary to undertake the research
Participants must be notified of the period for which the personal data will be stored, or if
that is not possible, the criteria used to determine that period
Wherever possible data should be collected, stored or handled in an anonymous form. If
that is not possible, personal data should be pseudonymised and/or processing kept to a
minimum
Where third parties are used to process personal data on behalf of the Researcher,
formal written agreements with all third parties who handle personal data on its behalf
(data processors). This includes companies or individuals offering: a transcription service,
to store information provision of survey tools.
If a researcher is using a third party to collect or process personal data on its behalf (a
‘data processor’), there must have a written agreement with that third party
Researchers may also need to share personal data with other data controllers (e.g.
collaborative projects with other HEIs). Joint controllers will need to have agreements or
protocols in place, which set out their respective obligations for data protection
compliance.
Data Protection Impact Assessment must be completed for any project that would be
likely to pose a ‘high risk’ to the rights and freedoms of individuals.
Researchers must keep records to be able to demonstrate compliance with data
protection laws. This would include keeping records relating to consent (if it is relied upon
as a lawful basis), copies of fair processing notices agreed by individuals, copies of
DPIAs where appropriate and any agreements relied upon.
Further guidance on these areas can be found on The Hub or the University Data
Compliance webpages, including ‘GDPR guidance for Research’.
If you require further information or have any questions then please read the remainder of
this document and contact: Rhys Davies, the Information Compliance Officer.
3. When Does the GDPR Apply?
The GDPR is relevant to research that seeks to collect or process personal data. The data
can be obtained directly from a participant or obtained via a third party.
‘personal data' means any information relating to an identified or identifiable natural
person ('data subject'); an identifiable natural person is one who can be identified, directly
3 Research and Innovation Services
or indirectly, in particular by reference to an identifier such as a name, an identification
number, location data, an online identifier or to one or more factors specific to the
physical, physiological, genetic, mental, economic, cultural or social identity of that natural
person
Truly anonymised datasets, in which individuals are no longer identifiable (not pseudo
anonymised or coded) are exempt from European data protection law. However, the action
of anonymising data implies that personal data has already been collected/processed and
this will have already required compliance with the GDPR.
For further information on Anonymisation please read the ICO Guidance -
https://ico.org.uk/media/for-organisations/documents/1061/anonymisation-code.pdf
4. Principles of GDPR that relating to the Processing of
Personal Data
Principle 1
Personal data shall be processed lawfully, fairly and in a transparent manner in
relation to the data subject...” GDPR, Art.5(1)(a)
Principle 2
Personal data shall be collected for specified, explicit and legitimate purposes and not
further processed in a manner that is incompatible with those purposes; further processing
for archiving purposes in the public interest, scientific or historical research purposes or
statistical purposes shall, in accordance with Article 89(1), not be considered to be
incompatible with the initial purposes ('purpose limitation'); GDPR, Art.5(1)(b)
Principle 3
Personal data shall be adequate, relevant and limited to what is necessary in relation to
the purposes for which they are processed ('data minimisation'); GDPR, Art.5(1)(c)
Principle 4
Personal data shall be accurate and, where necessary, kept up to date; every reasonable
step must be taken to ensure that personal data that are inaccurate, having regard to the
purposes for which they are processed, are erased or rectified without delay
('accuracy');GDPR, Art.5(1)(d)
Principle 5
Personal data shall be kept in a form which permits identification of data subjects for no
longer than is necessary for the purposes for which the personal data are processed;
personal data may be stored for longer periods insofar as the personal data will be
processed solely for archiving purposes in the public interest, scientific or historical
research purposes or statistical purposes in accordance with Article 89(1) subject to
implementation of the appropriate technical and organisational measures required by this
Regulation in order to safeguard the rights and freedoms of the data subject ('storage
limitation'); GDPR, Art.5(1)(e)
Principle 6
Personal data shall be processed in a manner that ensures appropriate security of
4 Research and Innovation Services
no reviews yet
Please Login to review.
