Ethics and the GDPR
Information on how the School ethics procedure has been updated in light of the General Data Protection Regulation (GDPR), with notes on required legal considerations and links to further information.
The School's ethics procedure has been updated to accommodate the requirements as laid out in the General Data Protection Regulation (GDPR). This includes:
- Clarifying the legal basis for processing data for research;
- Integrating a template for data protection impact assessment (DPIA) in the paperwork for projects where this is required;
- Clarifying participant rights in relation to their data.
In addition to the mandatory Data Protection Training available on Learn, a module has also been developed specifically for researchers. The course, DP Training Research, provides further guidance on the implications of the GDPR for research activities. To enrol, go to Learn and search "DP Training Research" in the Quick Enrol Search tab.
Legal basis for processing data
Consent should not be used as the legal basis for processing data. Instead, the School's templates refer to data processing conducted in the public interest (Article 6(1)(e) "processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller").
Data protection impact assessment (DPIA)
The University-required DPIA needs to be carried out for every project that includes data from living human participants. This assessment reviews how the project can be conducted while minimising the privacy risk to participants, especially when the project relies on sensitive information such as the participants' health or ethnicity. A 'mini' DPIA has been integrated into the new online Informatics ethics form, and is expected to be sufficient for most projects. The online ethics form can be accessed from the Ethics procedure tab.
If your funder requires a DPIA to be carried out by the University's Data Protection Officer (DPO), please refer to their website.
Participant rights to data
Provided the appropriate safeguards are in place (e.g. the minimisation principle and established legitimate public interest), the rights of research participants can be restricted. It is at the PI's discretion whether the rights below should apply, or whether they would prevent or seriously impair the achievement of the research purpose:
- The right to rectification
- The right to restrict processing
- The right to object to processing
- The right to erasure (right to be forgotten)
The possible restriction of these rights is highlighted to participants in paragraph 4 of the University's Research Privacy notice, and should also be clear from your participant information sheet (PIS) (template available in the Ethics resources tab).
See section 12 of the University's Data Protection handbook for further information on the restriction of participant rights when it comes to research.
Storage of personal data
If you are working with data from live participants, you need to consider how you store personal data and ensure that you comply with legal requirements. This is especially important to consider if you are undertaking remote data collection, using e.g. survey design providers that may store data on servers outside of the EEA.
The University’s records management team provides specific guidance on the use of cloud services and storing personal data, and a checklist is available on their web pages.