1. The data protection principles
- Lawfulness, fairness, and transparency - the researcher explains to their interviewees how they process personal data at the point of collection, what the legal basis is for processing and for what purposes the data will be used. In circumstances where the data is not sourced from the individual, information is made available which explains how the data is used.
- Purpose limitation - the researcher only uses the personal data they have for the purposes it was collected for, unless certain safeguards around re‐use apply.
- Data minimisation - the researcher only collects personal data which is relevant to the purposes it is required for, unless certain safeguards around re‐use apply.
- Accuracy - the researcher ensures that the data is correct, up to date and is able to be rectify any mistakes quickly
- Storage limitation - the researcher does not retain personal data for longer than it is needed, unless certain safeguards around long term or permanent storage apply.
- Integrity and confidentiality (security) - the researcher protects the personal data against unauthorised access, loss, or destruction by a range of security measures.
- Accountability - the researcher will be able to document and demonstrate compliance with the other principles.
2. Legal Basis for processing personal data
The University is a “data controller” and must have a lawful basis for any processing activity. Research is not explicitly designated as its own lawful basis for processing, so we need to look for a lawful basis that is appropriate in the circumstances. There are six lawful bases to choose from.
We should be able in most cases to carry out such data processing for the primary purpose of research on the lawful basis of processing set out in Article 6 (1)(e) of the UK GDPR, ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’.
The University is a Public Authority for the purposes of GDPR and academic research is a task carried out in the public interest. The University bases this assessment on the ‘Powers of the University’ defined in Section 4, (a), (ii) of its founding Royal Charter, “to engage in scholarship and conduct research”.
3. Legal Basis for processing special category data
The UK GDPR requires an additional legal basis for sensitive or Special Category Data, which covers personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, data concerning health or data concerning a natural person’s sex life or sexual orientation and the processing of genetic data, biometric data for the purpose of unique identification.
The University’s legal basis for this data will be Article 9 (2), (j) ‘processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1)’.
4. Legal Basis for processing criminal convictions data
Where the University processes criminal convictions data in the course of research, it will need to rely on a public interest condition from the Data Protection Act 2018. The University will rely on Schedule 1, Part 1, (4) “Conditions relating to employment, health and research etc - Research etc.”.
5. What about ‘consent’?
The University recognises that the ‘consent form’ is a long-established resource for academic researchers in working with participants and remains a vital part of the University’s ethics procedures for research projects. For GDPR purposes, however, ‘research ethics consent’ does not translate to ‘consent’ as a legal basis for processing personal data.
6. Transparency – the ‘privacy notice’ or participant information sheet
The University has an overarching privacy notice setting out how we process data for research in broad terms; this forms part of our overarching privacy hub.
In addition to this, researchers should provide participants with further information about how their data will be processed. In many cases this will be in the form of a Participant Information Sheet. The Participant Information Sheets should include the following information:
- Who the data controller is (the University of Essex and any other joint researching organisations)
- Any significant risks to the participants involved and safeguards put in place to limit risks
- The legal basis that you rely on to make the research lawful (see above)
- Who participants can contact for more information (lead researcher’s contact details), a complaints contact and the contact details of the University Data Protection Officer (email@example.com)
- Details of how people can exercise their rights and any restrictions on those rights
- A note that if the research project changes in any way, how these changes will be communicated
7. The Rights of Individuals
Under Data Protection law individuals, or ‘data subjects’ have a number of rights regarding their data:
- Right of access to personal information
- Right to rectify personal information
- Right to erasure of personal information
- Right to restrict the use of personal information
- Right to data portability
- Right to object to the use of personal information (including to object to direct marketing, automated decision making and profiling)
- Right to withdraw consent (to process the data)
There are restrictions to these rights in the context of research, if granting them would prevent or seriously impair the achievement of the research purpose. Some of them simply do not apply to data processed under the public task legal basis. Others are exemptions defined in the Data Protection Act 2018, to enable the long-term retention, re-use, and re-purposing of research data.
Which rights are available or restricted should be clearly set out in the Participant Information Sheet. Whilst a research project is in progress there will usually be several staging points where the participant can check, correct or retract their data.
If you receive a rights request from a current or former research participant, please inform the University’s data protection officer at firstname.lastname@example.org
8. Records created in a research project
There will be a number of records arising from your research project which will typically fall into the following categories:
- Records documenting the management of the research project, such as applications for funding, invoices, staff records, correspondence, contact lists of participants
- Records documenting research outcomes or products, such as reports or monographs
- Research data in ‘raw’ and ‘analysed’ forms
Whilst we are naturally concerned in this guidance with the data protection perspectives in regard to research data in ‘raw’ and ‘analysed’ forms, data protection law will also apply to the records developed in the management of the research project. This may include details and correspondence with participants that will be unrelated to the research data. You should review all these records to check how long you will need to keep them. Holding onto records indefinitely can often result in unnecessary risk.
9. Security and confidentiality
Data protection law does not mandate specific security steps but requires technical measures to be in place to protect the data against loss, unauthorised access, or misuse. This will vary according to risk associated with the dataset but should consider the following approaches:
How the data is analysed and presented:
- Research does not identify individuals, where this does not affect the purposes of the research
- Research does not lead to a decision that affects that individual
How the data is stored:
- Pseudonymisation - the data cannot identify individuals without a separate verification (such as linking a generated ID number to a name)
- Anonymisation - the data cannot identify individuals, even for the researchers who collected the information
- Controlled access - Only those with permission to view the data can access it, and this access is controlled and audited by a project lead
- Secure storage - the data is stored in a secure network and backed up
- Encryption in transfer and at rest - password protect files or use other encryption approaches
10. The end of the project and beyond
Many research grants require the dataset from the research to be submitted to a repository for storage and future use. In these situations, the repository becomes the data controller, and the data is likely to be held according to new terms and conditions. The same requirements of legislation and safeguarding of data will apply. We should, at the start of our project, make sure that participants are aware that research data which relates to them:
- will be retained
- will be re‐used by the researcher
- will be re‐used in other contexts (a repository, another researcher) whilst also explaining the safeguards that will be put in place to protect their rights and freedoms
There are a number of questions about the end of the project that need to be considered at the beginning. Preservation, to effectively preserve the data so it does not become obsolete, is different from storage. An approach to the preservation of the data includes the following factors:
- What format the data is stored in
- What application / platform allows access to data
- Will researchers be able to run, access, open or analyse this data in 10 / 20 years’ time (or longer)?
- Where will the data be kept?
- Are the research participants aware what will happen to their data when the research project ends?
10. Documents and templates
The following documents will help document your compliance with data protection laws.
- Data Protection Impact Assessment – defined in data protection law, required by the University for all new projects processing personal data, and a legal requirement where processing will result in a high risk
- Data Management Plan – sets out what data will be collected and how it will be managed
- Information Sharing Agreement – if conducting a collaborative project with research partners a sharing agreement defines roles, responsibilities and what data will be shared