GDPR details for researchers

In 2018, two new data protection laws came into force:

  • The EU General Data Protection Regulation (GDPR) – provides an overarching framework for data protection law in all EU member states (and will remain UK law after Brexit).
  • The UK Data Protection Act 2018 (DPA) – formally repeals the Data Protection Act 1998 and supplements the GDPR by setting out a number of important exemptions.

Combined, both laws represent an evolution of data protection law in the way that they give individuals greater control over their personal data and require organisations to demonstrate greater accountability and transparency in relation to how they process personal data. The GDPR also introduces more severe penalties for infringements, in the form of administrative fines of up to €20 million or 4% of global turnover (whichever is higher).

From a research perspective, these laws reinforce the importance of data protection as part of protecting the rights, dignity, health, safety and privacy of research subjects, which is at the core of the University’s research activities and fully embedded in its research culture. Please see the University’s Ethics Guidance page for further information.

Key definitions and application

The key definitions under the GDPR as used in this Guide are set out below. Most definitions remain largely unchanged from the Data Protection Act 1998, although it is worth noting that the new definitions of “biometric data” and “genetic data” represent special categories of personal data (previously known as “sensitive personal data” under the 1998 Act).

The GDPR does not apply to deceased persons. It also does not apply to personal data once it has been anonymised; however, the collection and subsequent anonymisation of personal data is itself a processing activity which is regulated under the GDPR.

Biometric Data: Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.
Consent: Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which they, by a statement or by a clear positive action, signify agreement to the processing of personal data about them.
Controller: The person or organisation that determines the purposes and means of processing personal data.
Criminal convictions & offences: Personal data relating to criminal convictions, the commission or alleged commission of an offence, proceedings and sentencing.
Data Subject: An individual to whom personal data relates and who can be identified or is identifiable from personal data.
Explicit Consent: A higher standard of consent that requires a very clear and specific statement rather than an action which is suggestive of consent, and is the requirement when processing special category data on the basis of consent.
Privacy Notice: A notice setting out information that must be provided to data subjects before collecting personal data from them including notices aimed at a specific group of individuals or notices that are presented to a data subject on a ‘just-in-time’ basis.
Genetic Data: Personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.
Personal Data: Any information identifying a data subject or information relating to a data subject that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. Personal data includes criminal convictions and offences data, special categories of personal data and pseudonymised personal data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person's actions or behaviour.
Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed and which compromises the confidentiality, integrity, availability and/or security of the personal data.
Process, processes, processing: Any activity or set of activities which involves personal data including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or making available, alignment or combination, restriction, erasure or destruction.
Pseudonymised, pseudonymisation: Replacing information that directly or indirectly identifies an individual with one or more artificial identifiers or pseudonyms so that the data subject cannot be identified without combining the identifier or pseudonym with other information which has been kept separately and securely. Personal data that have been pseudonymised are still treated as personal data.
Special categories of personal data: Information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data, and, for the purposes of this policy, personal data relating to criminal offences and convictions.

Key principles

As with the 1998 Act, the GDPR sets out some key principles which must be followed when processing personal data from the point of collection until the point of archiving/deletion/destruction.

The University must ensure that all personal data are:

  1. Processed lawfully, fairly and in a transparent manner (‘lawfulness, fairness and transparency principle’)
  2. Collected only for specified, explicit and legitimate purposes (‘purpose limitation principle’)
  3. Adequate, relevant and limited to what is necessary in relation to the purposes for which it is to be processed (‘data minimisation principle’)
  4. Accurate and where necessary kept up to date (‘accuracy principle’)
  5. Not kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the data is processed (‘storage limitation principle’)
  6. Processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage (‘integrity and confidentiality principle’)

Under the DPA, it is a criminal offence for a person to re-identify information that has been de-identified (whether pseudonymised or anonymised) without the consent of the controller.

The overarching ‘accountability principle’ requires that the University must be able to demonstrate compliance with all of the above principles by maintaining robust records in relation to the governance of personal data.

Additionally, the University must ensure that:

  1. Personal data are not transferred outside of the EEA (which includes access by any individuals outside of the EEA and the use of any website or application that is hosted on servers located outside of the EEA) to another country without appropriate safeguards being in place;
  2. Data subjects are able to exercise their rights in relation to their personal data (see 'Individuals' rights' below)

Individuals' rights

Under GDPR, everyone usually has the following rights over their own personal data:

  1. right to be informed of the collection and use of their personal data
  2. right of access to a copy of the personal data held about the data subject together with certain explanatory information 
  3. right to rectification of any personal data that are incorrect or inaccurate – though this right does not apply in relation to special categories of personal data that have been processed in reliance upon the research condition (see conditions for processing section below);
  4. right to erasure of any personal data that are no longer necessary for the purposes for which they were collected and in certain other circumstances – though this right does not apply where the processing is necessary for archiving purposes, scientific or historical research purposes or statistical purposes in the public interest, if erasure would render impossible or seriously impair the achievement of the objectives of such processing;
  5. right to restriction of the processing of personal data as an alternative to its erasure, where the personal data are no longer necessary for the purposes for which they were collected and in certain other circumstances – though this right does not apply in relation to special categories of personal data that have been processed in reliance upon the research condition;
  6. right to data portability of personal data which the data subject has provided by way of the transfer of such personal data to another controller – though this right does not apply where the condition for processing personal data is the public task condition (see conditions for processing section below);
  7. right to object to the processing of personal data on the basis of the University’s reliance upon the public task condition, in which case the processing must be suspended unless the University can demonstrate compelling legitimate grounds for the processing which overrides the fundamental rights and interests of the data subject – though this right does not apply in relation to special categories of personal data that have been processed in reliance upon the research condition;
  8. right not to be subject to automated decision-making where the processing of personal data solely by automated means would have extensive effects for the data subject.

However, if you are processing data for research purposes then your activities are exempted from many of these rights provided that certain conditions are met (see the 'Research or statistical purposes exemption' section below). Specifically, your data subjects will retain:

  • The right to be informed of the collection and use of their personal data.
  • The right to be informed of any automated individual decision-making or profiling, and the right to challenge such decisions.

If data subjects can be identified in the published results of your research then they also retain the right to access their personal data.

Documentation

GDPR requires data controllers to keep a written record of data processing. We strongly recommend you create a Data Management Plan (DMP), if you don’t already have one, and keep it up to date. Your research funder may have requested a DMP as part of your funding application. Your DMP, along with your ethical planning documents, privacy notices (see below) and, if needed, a Data Protection Impact Assessment (see below) should be used to record the nature of the data you will collect, any re-use of existing data, your justification for processing data, and data security and retention policies.

It will be essential when thinking about further use of data collected to check this documentation to ensure that you are not straying beyond the arrangements described at the point of collection. If the arrangements for data use are not documented there, it will be important to update participants.

Lawful basis for processing personal data

To use personal data for any purpose, including research, a relevant lawful basis must apply. Article 6 of GDPR provides six possibilities, at least one of which must apply to make the activity lawful. If special categories of personal data are being processed then a further lawful basis from Article 9 of GDPR must also apply (see below).

All of the University’s research activity can be covered by the ‘public task’ lawful basis contained in Article 6.1(e) of GDPR. This allows personal data to be used where “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”, usually summarised as the public task condition.

The University of Wolverhampton is founded and regulated by its Charter and related Acts of Parliament. Together they define the University’s role as the provision of teaching and research. Therefore, the University is able to cover all of its research activity involving personal data under the ‘public task’ condition (GDPR Article 6.1(e)). Research studies that involve the processing of personal data will usually need to state their reliance on this lawful basis in information provided to the individuals whose personal data is collected and used, i.e. in participant information sheets and similar means.

Another of the lawful bases offered by Article 6 of GDPR is having the consent of the individual whose personal data is processed. However, relying on consent as the required condition from Article 6 of GDPR for processing personal data in a research context is not necessary or advised. This is because the public task condition can always be used, and because if consent is used then participants can withdraw their consent at any time.

This does not mean that no consent is needed, as it will still likely be required for ethical and confidentiality purposes. However, consent does not need to be used as the GDPR lawful basis, or necessarily need to be of the high standard that GDPR imposes (usually equating to an opt-in mechanism). This issue can be confusing so researchers are advised to seek advice if they are unsure.

Condition for processing special categories of personal data

Further conditions must be met to allow for the processing of “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation” (known as special category data).

One of the conditions under the DPA is where the processing of personal data is necessary for archiving purposes, scientific or historical research purposes or statistical purposes in the public interest (‘research condition’ – GDPR Article 9.2.(j)). As the University will generally rely on the public task condition for processing personal data in the research context, this public interest test should therefore be satisfied.

However, to be able to rely on the research condition, the DPA provides that the processing must not be:

  • likely to cause substantial damage or substantial distress to a data subject; and
  • carried out for the purposes of making decisions regarding a particular data subject, except in the context of “approved medical research” (being medical research carried out with the approval of a research ethics committee that is recognised by law)

Another condition applies when research involving the processing of personal data is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices (‘public health’ – GDPR Article 9.2.(i)). This will also apply to research being conducted for a medical purpose falling within this definition. 

See Article 9 EU GDPR "Processing of special categories of personal data" and Article 6 EU GDPR "Lawfulness of processing"

Research or statistical purposes exemption

GDPR contains an exemption (in Article 89) which means that if you are processing personal data for research purposes and certain conditions are met then the individuals who the data relates to do not have some of the usual individual rights they would normally have regarding their personal data (see the 'Individuals' rights' section above).

For this exemption to apply, you must:

  • Follow the principle of data minimisation (collect no more personal data than is needed for your research)
  • Anonymise your data as far as possible and at the earliest opportunity 
  • Not carry out any decision-making related to individual data subjects as a result of your processing, unless this is for medical research that has been approved by a University research ethics committee, an NHS ethics committee, a UKRI-appointed ethics committee, or another research ethics committee recognised by the Health Research Authority.

In addition, if your data processing is likely to cause harm or distress to data subjects then you have not met the requirements for processing for research purposes, and the exemptions will not apply.

Data Protection by Design and Default

The GDPR introduces a new requirement: ‘data protection by design and default’.

This is an approach which is designed to ensure that privacy issues are taken into consideration during the research design process. Once any privacy issues have been identified, appropriate technical and organisational measures can then be put in place to ensure that data protection law is complied with and those safeguards integrated into the research process.

It is closely related to the purpose limitation and data minimisation principles (see Key principles) and requires researchers to ensure that they only process such personal data as is necessary to achieve the specific purposes of the research.

This requirement represents a ‘privacy first’ approach to ensure that adequate safeguards are put in place to facilitate compliance with data protection and ensure that the rights of data subjects are respected.

Data Protection Impact Assessments

The GDPR also introduces the requirement for a Data Protection Impact Assessment (DPIA) to be undertaken where the processing of personal data is likely to result in a risk to the rights and freedoms of data subjects. A DPIA is an important part of data protection by design and default as it aims to identify how any privacy issues can be mitigated or eliminated before any processing commences.

Not all research projects will require a DPIA to be undertaken. For example, questionnaire or survey-based research that does not involve the collection of any special categories of personal data or personal data relating to criminal convictions or offences would be unlikely to require a DPIA to be undertaken. However, a DPIA will be a mandatory requirement where any research involves:

  • the systematic and extensive profiling of data subjects with extensive effects;
  • processing special categories of personal data or personal data relating to criminal convictions and offences on a large scale; or
  • systematically monitoring publicly accessible places on a large scale.

The University considers that a DPIA should always be undertaken:

  • in the case of medical research involving a large number of participants and/or large volumes of personal data and/or the collection of personal data over a long period of time and/or a large geographic area;
  • where any research will involve the processing of biometric data or genetic data;
  • where any research will involve vulnerable groups such as children, the elderly or persons with mental or physical disabilities or impairments.

Further reading