The GDPR regulations affect pseudonymised or identifiable personal or special category data. If your research data does not fall under these categories then the GDPR does not apply. Please note that the GDPR regulations are contained in the new Data Protection Act 2018.
Under GDPR you have to tell people what you are going to do with their data. Thus if you are collecting and using identifiable personal or special category data, then detail in the information sheet and consent form what you will be doing with the data.
As researchers processing personal and special category data in the context of your project you must observe the following GDPR principles:
- Lawfulness, fairness and transparency – process lawfully, fairly and in a transparent manner in relation to the data subject
- Purpose limitation – collected for specified, explicit and legitimate purposes, not further processed in a manner incompatible with the purposes outlined to the data subject
- Data minimisation – adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
- Accuracy – accurate and kept up to date where necessary
- Storage limitation – kept in a form that permits identification for no longer than is necessary for the purposes for which the data are processed
- Integrity and confidentiality – processed securely, protecting against unauthorised or unlawful processing, accidental loss, destruction or damage, using appropriate technical and organisational measures.
You are collecting, archiving and processing such data because processing is necessary for archiving purposes in the public interest, for scientific or historical research purposes or statistical purposes in accordance with Article 89(1). Your information sheet should clearly state this; see Ethics guidance.
Of course, there are instances when individuals will have to give consent. Individuals do have the right to withdraw their consent and data. However, because the reason for keeping the data is as above, you do not have to give individuals this right forever. You can give individuals a date after which, because the data is to be anonymised or pseudonymised, it would be too difficult or detrimental to the research to remove it. This option should be clearly stated on the consent form. However, you cannot deny this right if in fact it would be relatively easy to remove the data and you do have processes in place for that purpose. Similarly, you cannot deny this right if you did not give clear details on the consent form that there is a limited period for withdrawal. Individuals effectively waive their right after a certain date.
As you are dealing with identifiable personal and special category data, you should complete a data management plan detailing how the data is to be stored and safeguarded, including protocols limiting the number of researchers working on the identifiable data and security procedures, such as showing how early in the process data can be anonymised. You should also consider having those with access to identifiable data sign a data sharing agreement, which is particularly useful with collaborators outside the University. To make sure you are storing the data securely, apply for storage on the active data store.
If you are working with large amounts of personal or special category data, or your project involves working with sensitive issues, you should complete a Data Protection Impact Assessment (DPIA). Completing a data management plan (DMP) alongside considering your DPIA is a useful and time-saving exercise. If you are applying for funding you will have to complete a DMP, so doing both together when you are considering research data management is logical. A DPIA has to be attached to ethics applications. Use the DMP online tool to help you prepare a DMP and DPIA, with integrated guidance from funders and UoL.
If the data is pseudonymised or easily identifiable, then you might not be able to share any data, unless the consent form allowed such sharing of information for similar research projects. In that case sharing will be restricted and only the details of the project (a metadata record) can be entered onto a repository. Ethics have examples of appropriate consent form options. If you wish to discuss your particular situation further, please email the Liverpool Research Team.