If personal information about people is collected or used in research, then the General Data Protection Regulation (GDPR) applies, if:
Information on the principles, requirements and definitions of the GDPR can be read here.
The GDPR makes provisions for processing personal data for research and archiving purposes as long as certain safeguards are in place. The safeguards include technical and organisational measures, data minimisation and pseudonymisation.
Further processing of personal data for archiving, scientific or historical research, or statistical purposes is not considered incompatible with the initial purposes of data collection, even when this purpose was not expressly mentioned at the time of collection. In addition, personal data processed for research may be stored for longer periods.
We provide here practical guidance, examples and questions and answers on how to apply the GDPR in research.
Here are some questions and answers about how to implement the GDPR requirements in practice in a research project.
I am a postdoc researcher doing a qualitative study, interviewing women about abusive relationships. I will use pseudonyms for each woman interviewed. Respondents may still be identifiable from the story they tell. Does this constitute personal information? If so, which legal ground should I use for this research?
Yes, this would constitute personal information. In this case the legal ground could be consent, which should be sought from the women participating in the study. Another aspect to keep in mind is that the data collected may allow identification of other people who have not been asked for consent, for example the partners carrying out the abuse. So you may also be processing personal data of people who have not been asked for consent. In that case, the processing ground could be public interest, the argument being that the research has value for society. If the project allows, such partners could be made aware of the processing of their data, provided this poses no risk to the participating women.
I am doing an online poll survey, using Qualtrics, asking 5000 people across Europe for which political party they voted in the recent European elections, also recording their ethnicity and other demographic information. Does this qualify as processing special categories data? If so, how do I gain explicit consent for collecting this information?
A first consideration is how much identifying personal information is collected during the survey alongside the political view and ethnicity. This helps to decide whether the data classify as special categories data. If no data are collected that allow identification of the respondents, the GDPR will not apply. If identifying information is collected, the data qualify as special categories data and explicit consent is needed. One way to achieve this is double consent, whereby consent for processing the personal data collected is asked for both at the beginning and at the end of the questionnaire.
Qualtrics is a US-based company; thanks to negotiations by various European survey institutions, Qualtrics now processes collected survey data only in the EU for EU-based surveys. This means that Qualtrics can be used as a tool for surveys that need to comply with the GDPR.
What are the GDPR rules when using administrative or register data that contain personal information?
If consent was not collected from the individuals when the administrative or register data were gathered, the most common legal basis for further use is public task. Where consent can be sought, that is preferable.
The GDPR indicates strongly that a consent form should be easy and clear, yet I have to provide so much extra information to my interviewees now. How do I do this?
The best way to provide this information to participants is through a written information leaflet together with a consent form. If you are interviewing people, you can also explain the leaflet's content face-to-face to make sure people understand it.
If a researcher brings an electronic device across the border to a third country, sends an email or publishes personal data on the web, does this constitute a data transfer?
An email containing personal data sent from Europe to someone in a non-European country would indeed constitute a data transfer. An electronic device containing personal data carried across the border to a third country would constitute a data transfer if the personal data will be passed on to another person. If personal data are published on the web, whether this is a transfer depends on where the data are stored and who can access them; if they are openly published, this could be considered a data transfer.
What are the data protection implications for international partnerships and research projects when non-EU countries are involved?
If personal data are going to be handled or processed as part of the partnership's research activities within the EU, the GDPR applies. One solution is for the European-based partners to require their non-EU partners to have appropriate privacy and data protection measures in place, and for consent to be given by all subjects, irrespective of whether they are based in Europe or not. That may not always be easy or possible. However, solutions can be found, such as data anonymisation, data encryption and the use of secure servers, and partners can learn from each other. It is also good practice to record all users of the personal data and the purposes for which they use it.
Does the GDPR apply to personal data, collected outside the European Economic Area (EEA) and transferred to the EEA for analysis?
Yes, it would, because it would be classified as personal data once stored within the EEA.
Are there examples of research where using consent as the legal basis for processing personal data would not be suitable?
Covert research is an example where consent would not be an appropriate processing ground, as asking for consent would undermine the research. In covert research, public task would likely be the best ground. It remains important that the research adheres to ethical principles and that the researcher is open about the methods used in publications.
How can we comply with the GDPR when studying populations that are easily identified, for example surveys of candidates running in a general election or surveys of the members of a scientific association?
First, you need a legal basis for the processing of personal data. The most common legal basis for this scenario is likely to be consent. If you seek consent from the people studied, you can inform them of the risk of being identified in the published outcomes of the survey and ask for consent on that basis. If the legal basis for processing is public task, you should provide information about the study to the population so that they can exercise their rights under the GDPR.
How is the ‘right to be forgotten’ applied in research settings?
The right to be forgotten applies in research, but it is not an absolute right. Best practice is to inform participants about this right as clearly as possible and to explain what it means and what it may not mean. For example, if data have been published in which people are identifiable, such as a paper containing a quote for which permission was given, and a participant then asks to be forgotten, it would be very difficult to retract the paper. So be clear to participants about what they can do with this right and up to which point they can withdraw from the research and request to be forgotten.