If personal information about people is collected or used in research, then the General Data Protection Regulation (GDPR) applies, if:
Information on the principles, requirements and definitions of the GDPR can be read here.
The GDPR makes provisions for processing personal data for research and archiving purposes as long as certain safeguards are in place. The safeguards include technical and organisational measures, data minimisation and pseudonymisation.
Further processing of personal data for the purposes of archiving, scientific or historical research purposes and statistical purposes is not considered to be incompatible with the initial purposes of data collection, even when this purpose has not been expressly mentioned earlier. Also, in research personal data may be stored for longer periods.
We provide here practical guidance, examples and questions and answers on how to apply the GDPR in research.
When you start a research project that involves collecting information from people, for example via a survey, through interviews, in focus groups or via video recordings, then these questions can help you to comply with data protection legislation in practice.
Will the research project collect personal data?
The first consideration should be whether the project needs to collect information that would be defined as personal data. If not, then do not collect it. If the research does not collect personal data, then data protection legislation will not apply. It is still good practice to develop a data management plan that documents how data will be handled and stored. If you do collect personal data, the information falls under data protection legislation until the data are anonymised; the act of anonymisation is itself processing covered by the legislation.
Will the research project collect any special categories of data?
If so, then besides the legal basis for processing personal data, an additional condition to permit the legal processing of this information will be required, for example explicit consent or research and archiving purposes. Again, identify why the project needs to collect this information and make sure to communicate the conditions clearly to research participants.
Will you need to conduct a Data Protection Impact Assessment (DPIA)?
Universities/institutes may require a DPIA to be conducted before a research project is undertaken. The first port of call for researchers will be to identify the local rules and requirements. Under the GDPR there are certain circumstances where a DPIA must be undertaken. These include, for example, where new technologies are being used and this is likely to result in a risk to the rights and freedoms of data subjects, or where large-scale processing of special category data is being done.
Who will be the data controller for the research project?
If personal data are being collected the researcher needs to identify who will be the data controller for the collection, storage and handling of the data. This is unlikely to be the researcher themselves and, in most instances, will be the researcher’s university or institute.
Will the research involve collaboration with other partners who will have access to the personal data collected?
If yes, it will be important to identify whether they will be joint controllers of the data or data processors. It will be crucial to ensure data sharing agreements are in place, and where necessary a processor/controller agreement.
What legal basis will be used for processing the personal data in a project?
An assessment will need to be made about the most appropriate processing ground to use for each research project. There are three grounds that appear most applicable for research: consent, public task or legitimate interest. If you are using consent as the processing ground, it is crucial that this is distinguished from consent for other ethical and legal purposes, and that participants can withdraw their consent for processing personal data (this is different from the right to withdraw from the research). If public task is used as the processing ground you must ensure that your university or institute is classified as a ‘public authority’, and that the research will be in the public interest. If you are using legitimate interests as a processing ground, a Legitimate Interest Assessment should be undertaken. This will need to identify the legitimate interest being pursued, demonstrate that processing personal data is necessary to achieve it, and balance that interest against the rights and freedoms of the participants.
If the project is collaborative with other data controllers it is vital that the controllers work together to discuss and identify the most appropriate processing ground. This is the case if the project spans various EU Member States, as each country has different rules on the use and appropriateness of specific processing grounds. This can mean that for example in one Member State public task is the appropriate processing ground, yet in another State it is not.
If the project will involve collaboration with the private sector, it is important to consider this when deciding on the most appropriate processing grounds, as some processing grounds will not be applicable to a private entity (e.g. public task).
Which data subject rights apply, and which will be exempted?
It will be important to identify the rights that participants will have and which, if any, will be derogated (exempted). Remember that you do not have to remove any of the participant’s rights. Where participants’ rights are going to be removed it is crucial that they are informed of which rights will be removed and on what grounds, before they take part in the research. Note that the rights that can be removed from participants will depend on the processing grounds chosen, and what is set out in the national legislation.
What information needs to be communicated to participants?
The information that needs communicating will be influenced by which processing ground is chosen. Broadly, participants should be informed about: how any personal data collected about them will be used, stored, processed and transferred; who the data controller is (and their contact details); the legal ground and purpose of the processing; any recipients of the personal data; the period of retention; and their rights (including that they can complain to the Supervisory Authority).
We see two primary ways of communicating this information to participants
How and where will the personal data be stored?
Personal data should be treated with a higher degree of care than non-personal data, and therefore careful consideration is required of where they are to be stored. For example, where possible, cloud storage should be avoided, the personal data should remain within the EU, and the data should be encrypted and placed under access controls so that only those who need access to the personal data have it. In addition, where appropriate, researchers should pseudonymise or anonymise personal data, or remove the directly identifying information from the research dataset and store it separately.
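One way to implement the pseudonymisation and separate storage recommended here (and the "technical and organisational measures" safeguard named at the start of the page), as an added Python example that is not part of the original guide: direct identifiers are split off into a linkage table, and the record key is a keyed HMAC so that holding the research dataset alone does not let anyone recompute or reverse the pseudonyms. The secret project key, the identifier field names and the sample records are assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample survey responses (fictitious people, not real data).
RAW_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org", "age": 34, "q1": "agree"},
    {"name": "Bob Example", "email": "Bob@Example.org", "age": 52, "q1": "disagree"},
    {"name": "Alice Example", "email": "ALICE@example.org", "age": 34, "q1": "agree"},
]
DIRECT_IDENTIFIERS = ("name", "email")  # assumed: fields that identify a person directly


def make_pseudonym(key: bytes, stable_id: str) -> str:
    """Keyed pseudonym: HMAC-SHA256 over a normalised identifier, truncated to 16 hex chars.
    The same person gets the same pseudonym within a project (so repeat waves can be
    linked), but without the key nobody can recompute or reverse it. The key therefore
    must be kept apart from the research dataset, under the same care as the raw data."""
    normalised = stable_id.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    """Split records into a research dataset (no direct identifiers) and a linkage table.
    The linkage table still re-identifies people, so it is personal data in its own right:
    store it separately from the research dataset, encrypted and access-controlled."""
    research, linkage = [], {}
    for rec in records:
        pid = make_pseudonym(key, rec["email"])
        research.append(
            {"pid": pid, **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}}
        )
        linkage[pid] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
    return research, linkage


def has_direct_identifiers(records) -> bool:
    """Check before sharing or archiving: does any record still carry a direct identifier?"""
    return any(k in rec for rec in records for k in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    project_key = secrets.token_bytes(32)  # generate once per project; never store with the data
    dataset, link_table = pseudonymise(RAW_RECORDS, project_key)
    print("research dataset:", dataset)
    print("still contains direct identifiers:", has_direct_identifiers(dataset))
```

Using a fresh key per project also means two projects cannot link their pseudonyms to each other, which is the data minimisation property the guide asks for; encrypting the linkage table at rest is left to the institution's own storage tooling.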