Since 25 May 2018, the General Data Protection Regulation (GDPR) is into effect. To read the full GDPR text, follow the link at Legislation. The GDPR has implications for all data handling, including handling for research and non-research purposes. There are new requirements for how personal data is collected, processed, retained and destroyed.
About the GDPR: Principles
In general, the policy of the EU for Data Protection is based on the following principles:
- Notice - data subjects should be given notice when their data is being collected;
- Purpose - data should only be used for the purpose stated and not for any other purposes;
- Consent - data should not be disclosed without the data subject’s consent;
- Security - collected data should be kept secure from any potential abuses;
- Disclosure - data subjects should be informed as to who is collecting their data;
- Access - data subjects should be allowed to access their data and make corrections to any inaccurate data; and
- Accountability - data subjects should have a method available to them to hold data collectors accountable for not following the above principles.
The new regulation act strengthens existing rights and empowers individuals with more control over their personal data. For institutions it implies stricter rules, more rights for citizens and higher fines when it comes to violations to the act (privacy, unauthorized sharing of personal data, data-loss, etc.)
What does this mean for you as a researcher?
For you as researcher this means that you have to prepare informed consent forms which explain to participants what will happen with their data during and after the project/experiment:
This notably concerns:
- unambiguous consent of the participants including potential re-use, management and sharing of data;
- strategies for safe storage of data;
- access to own data and a clarified ‘right to be forgotten’;
- the right to know when data has been inappropriately released/leaked/hacked
- Procedures for complaints and how these will be handled
- data retention period
This means that if you are collecting or accessing personal data, including re-using existing data, that either identifies or could be linked to a living individual, then this guidance and GDPR applies. If you are processing truly anonymised data, then your research activity falls outside the scope of these guidelines. Note that this means the data should be completely anonymous on receipt (collection/accessing); if you have personal data but then make that personal data anonymous, that will still be a processing operation and the and GDPR applies. If you are a researcher processing personal data, then you must comply with the requirements of the new data protection legislation, in addition to the common law duty of confidentiality and all relevant ethical requirements.
Please remember: the default mode is privacy, full anonymization and ‘as open as possible but as closed as necessary’. Always check the risks when it comes to privacy.
Research with secondary data
Research involving research data from or the re-analysis of existing databases does not require informed consent from the original participants, as long as data have been anonymized and the new use or purpose does not lead to or increase the risk of disclosure of any individual’s identity. Re-use that also involves personal data is restricted to the original researchers or research group, and it must comply with the original research goal, as formulated in the informed consent documents.
Sharing personal data with external researchers or re-using them for a purpose other than the originally formulated purpose requires informed consent from the original participants.
Anonymization is especially important for data or documents pertaining to sensitive subject matter (e.g. data about physical/mental health or financial issues, illegal or socially controversial behavior, or data that provide a competitive advantage to an organization), as well as for data that were originally obtained from individuals who are vulnerable in some way.
Please note that anonymity is not fully protected unless you remove all details that make an individual or organization identifiable. Coding data (e.g. by working with pseudonyms) is NOT the same as anonymization. If you save the key to the coding, you should store it separately from the dataset and document all individuals who will have access to it. If there is no reason to preserve the key, we recommend disposing of it.
Check more information on:
- the legal bases for the processing of personal data and principles of processing and
- the Guidelines on Protection of Personal Data in research
- the Poster on Personal Data Research Protocol (offline, because of outdated info)
- Informed Consent procedures and Data Subject Rights our BMS Ethical Committee website.