GDPR: What researchers need to know
The EU General Data Protection Regulation (GDPR) and new Data Protection Act come into force on 25 May. Both apply in the UK and will influence research involving personal data. So what’s changing and how should you, as a researcher, prepare? Sarah Dickson, Head of the MRC Regulatory Support Centre, is here to help.
What is GDPR?
The EU General Data Protection Regulation (GDPR), along with the new UK Data Protection Act, will govern the processing (holding or using) of personal data in the UK.
Although the new regulations haven’t been designed specifically for research, we’ll need to make some changes to research practice. The Information Commissioner’s Office (ICO) is the UK regulator. The Health Research Authority (HRA), in collaboration with the ICO, is providing official guidance for people working in health and social care research. We’re working with both organisations.
What counts as ‘personal data’?
This is data about living people from which they can be identified. As well as data containing obvious ‘identifiers’ – such as name and date of birth – this includes some genetic, biometric and online data if unique to an individual.
Data that has been pseudonymised (with the identifiers removed and held separately) is still personal data where the dataset and the identifiers are held by the same organisation.
Data anonymised in line with the ICO ‘Anonymisation code of practice’ is not personal data. An example of this is when identifiers are held by another organisation with an agreement that specifies no re-identification. You should be aware that the action of ‘anonymisation’ counts as processing personal data. At the time of writing, the ICO is working to update the code to reflect GDPR requirements.
How will GDPR impact research?
The requirements largely mirror current good practice in research, so shouldn’t have a big impact on what you, as a researcher, already do. The new law demands that data processing is lawful, fair and transparent. Organisations that process personal data, or control its processing, are accountable for this, yet we all have a role to play.
How do I make sure my data processing for research is lawful?
All research organisations must specify a lawful basis for data processing. You, as a researcher, should know this basis because approval bodies, like the HRA and NHS Digital, will ask you to specify it.
The most likely lawful basis for publicly funded research in MRC institutes and universities will be ‘task in the public interest’. This assures research participants that the organisation is credible and using their personal data for public good.
When processing special categories of data, like health data, you must meet an additional condition. The most likely condition will be that such processing is ‘necessary for scientific research in accordance with safeguards’.
Safeguards apply widely to research with personal data. They include obtaining Research Ethics Committee approval, only processing personal data that’s necessary (data minimisation) and anonymising or pseudonymising where possible. Everyone working with identifiable information should understand the importance of confidentiality and should hold data securely with an appropriate level of protection. Working to your employer’s codes of conduct, IT policies and technical standards will help here.
Consent is not a requirement of the new data protection laws. In research, we usually seek consent from people to participate. This is ethical, and needed for other legal reasons, for example if disclosing confidential information or if you’re running a drug trial. Consent to participate in research can also give participants control over how their data is used. However, ‘consent’, as defined by GDPR, is not likely to be the lawful basis for processing personal data for research purposes.
Since consent is not likely to be the lawful basis for processing, participants do not need to be re-consented every one or two years.
What do I need to do to be fair and transparent?
Being fair with research participants includes respecting their rights and ensuring that personal data is used in line with their expectations. Transparency is therefore intrinsically linked to fairness.
The new legislation sets out the information that should be provided to participants. This must be concise and easy to understand. Organisations should display corporate privacy information about research where people will notice it, for example links on website homepages and in waiting rooms.
Make your participants aware of this corporate privacy information using communication methods appropriate for your study population, for example links from participant information sheets or newsletters. You can provide further detail in department or project materials.
Work with your Data Protection Officer to ensure that the information you both provide to the public is relevant and understandable, including how data is used to support research. This should cover the fact that data is commonly linked with other data sources, kept for a long time and reused to address important research questions.
Where you have contact with participants, meeting transparency requirements is relatively straightforward. But if you have no contact with participants, the requirements are less clear. We’re working on this with the ICO.
Organisations are accountable to the ICO, so don’t make decisions about legal compliance alone. Find out which organisation is the data controller for your research: this might be the organisation you work for or the sponsor of your project. You may even have more than one controller. Talk to your Data Protection Officer, the research governance managers in your university’s sponsor office, or your data support services.
This is particularly important if a research participant asks you about their personal data rights, for example if they ask to withdraw from your study. Data Protection Officers are responsible for managing requests about rights and will know how to apply the exemptions that are available to research.
There are specific requirements for international research when transferring personal data to non-EU countries. If this applies, seek advice from your Data Protection Officer.
These ICO key definitions are useful.