GDPR and research data

For further guidance on GDPR and research data please see this page.

A checklist for researchers using personal data is also available: Research checklist (PDF, 142kB).

Background

On 25 May 2018, two new data protection laws came into force: the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA).

Combined, both laws represent an evolution of data protection law in the way that they give individuals greater control over their personal data and require organisations to demonstrate greater accountability and transparency in relation to how they process personal data. The GDPR also introduces more severe penalties for infringements, in the form of administrative fines of up to €20 million or 4% of global turnover (whichever is higher).

From a research perspective, these laws reinforce the importance of data protection as part of protecting the rights, dignity, health, safety and privacy of research subjects which is at the core of the University’s research activities and fully embedded in its research culture. Please see the University’s Research ethics page for further information.

This Guide sets out some of the key issues for University researchers to be aware of when planning and conducting research projects that involve the processing of personal data.

This Guide should be read alongside the University’s other policies and guidance on good research practice.

Key definitions and application

The key definitions under the GDPR as used in this Guide are set out in Schedule A. Most definitions remain largely unchanged from the Data Protection Act 1998 (1998 Act), although it is worth noting that the new definitions of “biometric data” and “genetic data” represent special categories of personal data (previously known as “sensitive personal data” under the 1998 Act).

The GDPR does not apply to the personal data of deceased persons. It also does not apply to personal data once they have been anonymised; however, the collection and subsequent anonymisation of personal data is itself a processing activity which is regulated under the GDPR.

Pseudonymisation

The GDPR includes a new definition of ‘pseudonymisation’ (i.e. key-coding). When personal data have been pseudonymised, the data remain personal data as they can be combined with additional information to re-identify an individual. The use of pseudonymisation/key-coding techniques is common in the field of research and actively encouraged under the GDPR.

Under the DPA, it is a criminal offence for a person knowingly or recklessly to re-identify information that has been de-identified (whether pseudonymised or anonymised) without the consent of the controller responsible for de-identifying it.
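The following Python routine is an added illustration of key-coding and is not part of the University guidance. It uses a constructed set of participant records and a keyed HMAC (an implementation choice assumed here, not prescribed by the GDPR) to replace direct identifiers with a pseudonym, writes the mapping to a separate key table, and then shows two things the paragraph above states: coded data plus key table re-identifies the participant, so the coded data remain personal data; and an unkeyed hash of a name is not a pseudonym at all, because it can be reversed from a list of candidate names.

```python
"""Key-coding (pseudonymisation) of a research dataset.

Added example, not from the University guidance. All participant
records below are constructed sample data.
"""
import hashlib
import hmac
import secrets

# Constructed records: direct identifiers plus one study variable.
PARTICIPANTS = [
    {"name": "Alice Example", "dob": "1980-02-14", "postcode": "BS8 1QU", "score": 42},
    {"name": "Bob Example", "dob": "1975-11-30", "postcode": "BS8 1TH", "score": 37},
    {"name": "Carol Example", "dob": "1992-06-01", "postcode": "BS1 5DB", "score": 51},
]
DIRECT_IDENTIFIERS = ("name", "dob", "postcode")


def new_key() -> bytes:
    """Generate the secret used to derive pseudonyms; store it with the key table, never with the coded data."""
    return secrets.token_bytes(32)


def pseudonymise(records, key):
    """Return (coded_records, key_table).

    coded_records: study variables with direct identifiers replaced by 'pid'.
    key_table: pid -> direct identifiers. Must be kept separately and securely.
    A keyed HMAC (assumed design choice) gives the same pid for the same
    participant on repeat visits, but cannot be recomputed without the key.
    """
    coded, key_table = [], {}
    for rec in records:
        ident = "|".join(rec[f] for f in DIRECT_IDENTIFIERS)
        pid = hmac.new(key, ident.encode(), hashlib.sha256).hexdigest()[:16]
        coded.append({"pid": pid, **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
        key_table[pid] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
    return coded, key_table


def reidentify(coded_record, key_table):
    """Combine coded data with the key table. The fact that this works is why
    pseudonymised data are still personal data under the GDPR."""
    ident = key_table[coded_record["pid"]]
    return {**ident, **{k: v for k, v in coded_record.items() if k != "pid"}}


def contains_direct_identifiers(records) -> bool:
    """Check a dataset before sharing it: no direct identifier field may remain."""
    return any(f in rec for rec in records for f in DIRECT_IDENTIFIERS)


def reverse_unkeyed_hashes(records, candidate_names):
    """Anti-pattern check: sha256(name) with no secret key is reversed by
    hashing each candidate name and looking the result up (a dictionary attack)."""
    lookup = {hashlib.sha256(n.encode()).hexdigest(): n for n in candidate_names}
    return [lookup.get(hashlib.sha256(r["name"].encode()).hexdigest()) for r in records]


if __name__ == "__main__":
    key = new_key()
    coded, key_table = pseudonymise(PARTICIPANTS, key)
    print("coded record:", coded[0])
    print("re-identified:", reidentify(coded[0], key_table))
    print("unkeyed hashes reversed:", reverse_unkeyed_hashes(PARTICIPANTS, [p["name"] for p in PARTICIPANTS]))
```

The coded file can be shared with analysts who have no need to know who the participants are, while the key table and the HMAC key stay with the research team under access control; deleting both is what would turn the coded data into anonymised data.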

Key principles

As with the 1998 Act, the GDPR sets out some key principles which must be followed when processing personal data from the point of collection until the point of archiving/deletion/destruction.

The University must ensure that all personal data are:

  1. Processed lawfully, fairly and in a transparent manner (‘lawfulness, fairness and transparency principle’)
  2. Collected only for specified, explicit and legitimate purposes (‘purpose limitation principle’)
  3. Adequate, relevant and limited to what is necessary in relation to the purposes for which it is to be processed (‘data minimisation principle’)
  4. Accurate and where necessary kept up to date (‘accuracy principle’)
  5. Not kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the data is processed (‘storage limitation principle’)
  6. Processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage (‘integrity and confidentiality principle’)

The overarching ‘accountability principle’ requires that the University must be able to demonstrate compliance with all of the above principles by maintaining robust records in relation to the governance of personal data.

Additionally, the University must ensure that:

  1. Personal data are not transferred to a country outside the EEA without appropriate safeguards being in place (a transfer includes access by any individual located outside the EEA and the use of any website or application hosted on servers located outside the EEA);
  2. Data subjects are able to exercise their rights in relation to their personal data (see Rights of data subjects)

Conditions for processing

In order to collect and process personal data for any purpose, at least one of six conditions (or lawful grounds) for processing must be met. Where any special categories of personal data, or personal data relating to criminal convictions or offences, are to be processed, then a further condition must also generally be met.

Consent: the traditional option

Historically, researchers have relied upon consent as the condition for processing personal data, both because consent is a central feature of research ethics and because consent to participate in research and consent to the processing of personal data for that research were often treated as one and the same.

The introduction of the GDPR and the DPA does not affect the common law duty of confidentiality owed towards individuals or the need for researchers to obtain consent where required by law (for example, the Human Tissue Act 2004 and the Medicines for Human Use (Clinical Trials) Regulations 2004).

However, relying upon consent as the condition for processing personal data in a research context is not advised. This is not because of the high standard of consent demanded under the GDPR, but because, where a data subject withdraws their consent to the processing of their personal data (as they must be free to do without any adverse consequences), they may exercise their right to erasure (‘right to be forgotten’), such that all personal data generated during their participation would have to be deleted (unless an exception applies).

Public task: the recommended option

The alternative, and more appropriate, condition for processing personal data in a research context is where the “processing is necessary for the performance of a task in the public interest” (‘public task condition’ – GDPR Article 6.1.(e)). The University has a strong public interest remit which is framed within its Charter and supporting statutes and ordinances. Research plays a key role in the fulfilment of the University’s objectives and the University therefore considers that the public task condition can be relied upon in the research context in most circumstances.                                                                                  

Where the processing of personal data is undertaken in reliance upon the public task condition, the right to erasure (‘right to be forgotten’) and right to data portability do not apply. However, data subjects still have other rights in relation to the processing of their personal data (see Rights of data subjects below).

It must be noted, however, that any processing of personal data must be “necessary”. If it would be possible to undertake research in a less intrusive way, then the University may not be able to rely upon the public task condition.

Relying upon the public task condition for the processing of personal data does not provide justification for the disclosure of confidential patient information in the public interest.

Condition for processing special categories of personal data

As noted above, the processing of special categories of personal data will generally require a further condition to be met.

One of the conditions under the DPA is where the processing of personal data is necessary for archiving purposes, scientific or historical research purposes or statistical purposes in the public interest (‘research condition’ – GDPR Article 9.2.(j)). As the University will generally rely on the public task condition for processing personal data in the research context, this public interest test should therefore be satisfied.

However, to be able to rely on the research condition, the DPA provides that the processing must not be:

Another condition applies when research involving the processing of personal data is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices (‘public health’ – GDPR Article 9.2.(i)). This will also apply to research being conducted for a medical purpose falling within this definition. 

Transparency

The lawfulness, fairness and transparency principle (see Key principles) requires data subjects to be provided with certain information about the collection and processing of their personal data. This information is typically provided in the form of ‘fair processing notices’ or ‘privacy notices’. In a research context, this information may often be included within a patient information sheet or similar document which is provided to support informed consent, though it can be provided separately.

The GDPR requires the information to be provided to data subjects in a concise, transparent, intelligible and easily accessible form and to be written in clear and plain language (in particular where directed to a child).

The information that must be included in a fair processing notice is set out in Schedule B of this Guide.

Children’s personal data

The DPA provides that individuals aged 13 or over are capable of giving their own consent (the DPA sets this age specifically for online services offered directly to children; for other processing the question is whether the individual has the capacity to understand what they are agreeing to), unless there is a specific reason why this is not the case, for instance a condition or impairment. Therefore, anyone of this age must provide their own consent if consent is being used as the legal basis for processing personal data under the GDPR. For anyone aged under 13, their parent or guardian must provide consent on their behalf.

However, as noted above, while consent may still be necessary to fulfil other requirements (for example research ethics or other legislation), another GDPR condition for processing is preferable as the lawful basis.

Data Protection by Design and Default

The GDPR introduces a new requirement: ‘data protection by design and default’.

This is an approach which is designed to ensure that privacy issues are taken into consideration during the research design process. Once any privacy issues have been identified, appropriate technical and organisational measures can then be put in place to ensure that data protection law is complied with and those safeguards integrated into the research process.

It is closely related to the purpose limitation and data minimisation principles (see Key principles) and requires researchers to ensure that they only process such personal data as is necessary to achieve the specific purposes of the research.

This requirement represents a ‘privacy-first’ approach to ensure that adequate safeguards are put in place to facilitate compliance with data protection and ensure that the rights of data subjects are respected.

Data Protection Impact Assessments

The GDPR also introduces the requirement for a Data Protection Impact Assessment (DPIA) to be undertaken where the processing of personal data is likely to result in a high risk to the rights and freedoms of data subjects. A DPIA is an important part of data protection by design and by default as it aims to identify how any privacy issues can be mitigated or eliminated before any processing commences.

Not all research projects will require a DPIA to be undertaken. For example, questionnaire or survey-based research that does not involve the collection of any special categories of personal data or personal data relating to criminal convictions or offences would be unlikely to require a DPIA. However, a DPIA will be a mandatory requirement where any research involves:

The University considers that a DPIA should always be undertaken:

Rights of data subjects

Data subjects have a number of important rights in relation to the processing of their personal data:

Such requests should be handled in accordance with the University’s Data subject rights procedure.

Personal data breach

Where any personal data breach occurs in relation to research data that includes personal data, it must be reported and handled in accordance with the University’s Personal data breach procedure.

Further reading

Schedule A - key definitions

biometric data

personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data

consent

any freely given, specific, informed and unambiguous indication of the data subject's wishes by which they, by a statement or by a clear positive action, signify agreement to the processing of personal data about them

controller

the person or organisation that determines the purposes and means of processing personal data

criminal convictions and offences

personal data relating to criminal convictions, the commission or alleged commission of an offence, proceedings for the commission or alleged commission of an offence and sentencing

data subject

an individual to whom personal data relates and who can be identified or is identifiable from personal data

EEA

the member states of the European Union together with Iceland, Liechtenstein and Norway

explicit consent

a higher standard of consent that requires a very clear and specific statement rather than an action which is merely suggestive of consent, and is the requirement when processing special category data on the basis of consent

fair processing notices

a notice setting out information that must be provided to data subjects before collecting personal data from them including notices aimed at a specific group of individuals or notices that are presented to a data subject on a ‘just-in-time’ basis (also known as ‘privacy notice’ or ‘data protection notice’)

genetic data

personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question

personal data

any information identifying a data subject or information relating to a data subject that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. Personal data includes criminal convictions and offences data, special categories of personal data and pseudonymised personal data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person's actions or behaviour

personal data breach

a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed, and which compromises the confidentiality, integrity, availability and/or security of the personal data

privacy notices

see fair processing notices above

process, processes, processing

any activity or set of activities which involves personal data including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or making available, alignment or combination, restriction, erasure or destruction

pseudonymised, pseudonymisation

replacing information that directly or indirectly identifies an individual with one or more artificial identifiers or pseudonyms so that the data subject cannot be identified without combining the identifier or pseudonym with other information which has been kept separately and securely. Personal data that have been pseudonymised are still treated as personal data (unlike personal data which have been anonymised)

special categories of personal data

previously known as “sensitive personal data” under the Data Protection Act 1998, this means information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data, and, for the purposes of this policy personal data relating to criminal offences and convictions.


Schedule B – Fair Processing Information

The following information always needs to be provided to individuals whose personal data is being used: 

Suggested wording covering all of the above:

The University of Bristol is the data controller in regard to the use of your personal data for the purpose of this trial/study. Its contact details are:

University of Bristol
Beacon House
Queens Road
Bristol
BS8 1QU

The University’s Data Protection Officer can be contacted at data-protection@bristol.ac.uk.

Your personal data is being processed under the lawful basis established by Article 6.1(e) of the General Data Protection Regulation (the University’s public task) and Article 9.2(j) (scientific research). Your consent or explicit consent may also be sought to undertake some elements of the trial (Article 6.1(a) and 9.2(a)).

The following individual rights may be available to you in regard to the use of your personal data:

It is also your right to submit a complaint to the Information Commissioner’s Office if you believe that the University has failed to comply with the requirements of data protection legislation. Further details can be found at www.ico.org.uk.

The following information also needs to be provided to the participants, but the detail will be specific to the individual trial/study, hence it’s not possible to provide template wording:

Further transparency wording for medical research, to be used alongside the above, has also been issued by the Health Research Authority. Please see here for details. The text in the first box must also be included, whereas which text from boxes A, B and C is required will depend on the specifics of the trial/study.