The OA Scotland Working Group will be providing some more information on GDPR at Repository Fringe 2018, 2-3 July 2018, at The Royal Society of Edinburgh. A full programme of events can be found at http://libraryblogs.is.ed.ac.uk/repofringe18/programme/ and you can book a place at https://www.epay.ed.ac.uk/conferences-and-events/information-services/information-services-events/repository-fringe-2018
To help you prepare for GDPR we have produced a summary of how GDPR may influence research and researchers in Universities.
The EU General Data Protection Regulation (GDPR) will come into force in just a few days' time, on 25 May 2018. The UK Data Protection Bill is passing through Parliament and reached its third reading in the House of Commons on 9 May. The UK's intention to leave the EU will not affect the enforcement of GDPR.
GDPR applies to personal data held by organisations, i.e. any information relating to an identified or identifiable natural person (the 'data subject'). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
GDPR gives more control to individuals over their personal data and increases transparency on data collection and handling of personal data. Under GDPR, organisations, such as Universities, will have to show how they meet data protection standards and keep records of decisions made on processing of personal data.
For researchers who work with personal data there are a number of areas to consider:
- understanding individuals rights,
- carrying out data protection impact assessments,
- improving safeguards for personal data,
- understanding the legal basis for processing personal data,
- reviewing transfers of data to third parties and to non-European countries, and
- reporting data breaches.
Individuals' rights: GDPR gives individuals new rights over the way their data is used.
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
When personal data is being used for research purposes, the UK Data Protection Bill proposes that these rights be limited. As many institutions already comply with the UK Data Protection Act, it is not anticipated that the new rights will significantly affect the conduct of research. Guidance on the new rights and the exemptions will be published when the Bill is passed.
Impact Assessments: A data protection impact assessment must detail why and how personal data will be processed, identify and assess privacy risks, and demonstrate how those risks will be controlled. Under the Data Protection Act (1998), 'privacy impact assessments' were a good practice measure; under GDPR they are mandatory wherever processing is likely to result in a high risk to individuals. They are also recommended as good practice whenever personal data is processed. A full list of the specific situations in which an impact assessment must be carried out is available from the ICO.
Data Safeguards: protecting personal data is a key feature of GDPR. Researchers and organisations have a general obligation to implement technical and organisational measures that show data protection has been considered and integrated into their processing activities. This is often referred to as data protection by design and by default. The data protection principles are a good foundation for improving the security of personal data.
Legal Basis for Processing: There are six legal bases for processing personal data. For university researchers the most likely basis will be public task or legitimate interests. The legal basis for research should be included in the privacy information for research participants on your University website. If you are processing special category data you must also identify an additional condition for processing this type of data. Special category data is broadly similar to the concept of sensitive personal data, but it also includes genetic data and some biometric data.
Privacy Notices: A privacy notice should inform research participants about the way their personal information will be used, what information will be collected, how it will be stored and protected, how the data will be shared and when it will be destroyed. To comply with GDPR, Universities will be working towards producing institutional research privacy notices, updating participant information sheets (PIS) and updating participant consent forms. Some hints and tips on writing these can be found here or by contacting your institution's Data Protection Officer (DPO).
Data Sharing: when sharing data researchers must have
- a clear and justifiable purpose,
- an appropriate legal basis, and
- secure handling methods.
Researchers should make sure that appropriate data sharing agreement(s) are in place if personal data is shared on a large scale or shared regularly. Transfers of personal data outside the EU are restricted, and are only permitted where they comply with the GDPR conditions for international transfer. More information about international transfers of data is available from the ICO.
Data Breaches: A data breach is not just about data being stolen or hacked. Breaches can include unauthorised access by a third party, deliberate or accidental action or inaction by a controller or processor, sending personal data to the wrong person, devices containing personal data being lost or stolen, alteration of personal data without permission, and loss of availability of personal data. Organisations are required to keep a record of all security incidents involving personal data. Some of these incidents must be notified to the Information Commissioner within 72 hours of the organisation becoming aware of them, and, where the breach is likely to result in a high risk to them, to the individuals affected by the incident. To ensure compliance with GDPR it is vital that all staff report a personal data breach, however minor, to the organisation's DPO as soon as it is discovered.
Under GDPR and the UK Data Protection Bill (which is still being finalised) there are research exemptions which relieve organisations that carry out research from some of their obligations to data subjects. Some are only likely to be relevant when a research participant wants to withdraw from a research project; others exempt researchers, in some circumstances, from notifying participants about the use of their data. Both GDPR and the UK Bill are seen as supportive of research, and it is expected that the upcoming research exemptions will provide at least the exemptions already present in the Data Protection Act. More information about research exemptions will be available soon.
You can find out more about GDPR at:
- Information Commissioner's Office – https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
- Jisc – https://www.jisc.ac.uk/gdpr
- Health Research Authority – https://www.hra.nhs.uk/about-us/news-updates/gdpr-guidance-researchers/ and https://www.hra.nhs.uk/planning-and-improving-research/policies-standards-legislation/data-protection-and-information-governance/
You can also book a place at the Repository Fringe 2018, 2-3 July 2018 https://www.epay.ed.ac.uk/conferences-and-events/information-services/information-services-events/repository-fringe-2018