Since 25 May 2018, the General Data Protection Regulation (GDPR) is into effect. To read the full GDPR text, follow the link at Legislation. The GDPR has implications for all data handling, including handling for research and non-research purposes. There are new requirements for how personal data is collected, processed, retained and destroyed.
About the GDPR: Principles
In general, the policy of the EU for Data Protection is based on the following principles:
- Notice - data subjects should be given notice when their data is being collected;
- Purpose - data should only be used for the purpose stated and not for any other purposes;
- Consent - data should not be disclosed without the data subject’s consent;
- Security - collected data should be kept secure from any potential abuses;
- Disclosure - data subjects should be informed as to who is collecting their data;
- Access - data subjects should be allowed to access their data and make corrections to any inaccurate data; and
- Accountability - data subjects should have a method available to them to hold data collectors accountable for not following the above principles.
The new regulation act strengthens existing rights and empowers individuals with more control over their personal data. For institutions it implies stricter rules, more rights for citizens and higher fines when it comes to violations to the act (privacy, unauthorized sharing of personal data, data-loss, etc.)
What does this mean for you as a researcher?
For you as researcher this means that you have to prepare informed consent forms which explain to participants what will happen with their data during and after the project/experiment:
This notably concerns:
- unambiguous consent of the participants including potential re-use, management and sharing of data;
- strategies for safe storage of data;
- access to own data and a clarified ‘right to be forgotten’;
- the right to know when data has been inappropriately released/leaked/hacked
- Procedures for complaints and how these will be handled
- data retention period
This means that if you are collecting or accessing personal data, including re-using existing data, that either identifies or could be linked to a living individual, then this guidance and GDPR applies. If you are processing truly anonymised data, then your research activity falls outside the scope of these guidelines. Note that this means the data should be completely anonymous on receipt (collection/accessing); if you have personal data but then make that personal data anonymous, that will still be a processing operation and the and GDPR applies. If you are a researcher processing personal data, then you must comply with the requirements of the new data protection legislation, in addition to the common law duty of confidentiality and all relevant ethical requirements.
Please remember: the default mode is privacy, full anonymization and ‘as open as possible but as closed as necessary’. Always check the risks when it comes to privacy.
Check more information on:
- the legal bases for the processing of personal data and principles of processing and
- the Guidelines on Protection of Personal Data in research
- the Poster on Personal Data Research Protocol
- Informed Consent procedures and Data Subject Rights our BMS Ethical Committee website.