The GDPR regulations affect pseudonymised or identifiable personal or special category data. If your research data does not fall under these categories then the GDPR does not apply. Please note that the GDPR regulations are contained in the new Data Protection Act 2018.
If GDPR applies, you have to tell people what you are going to do with their data. If you are collecting and using identifiable personal or special category data, the information sheet and consent form should detail what you wish to do with the data.
In the context of your project you must observe the following GDPR principles:
- Lawfulness, fairness and transparency – process lawfully, fairly and in a transparent manner in relation to the data subject
- Purpose limitation – collected for specified, explicit and legitimate purposes, not further processed in a manner incompatible with the purposes outlined to the data subject
- Data minimisation – adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
- Accuracy – accurate and kept up to date where necessary
- Storage limitation – kept in a form that permits identification for no longer than is necessary for the purposes for which the data are processed
- Integrity and confidentiality – processed securely, using appropriate technical and organisational measures, protecting against unauthorised or unlawful processing, accidental loss, destruction or damage
In the UK, researchers collect, archive and process data because processing is necessary for archiving purposes in the public interest, for scientific or historical research purposes or statistical purposes in accordance with Article 89(1). Your information sheet should clearly state this; see Ethics guidance.
GDPR for researchers
To learn more about GDPR, the following videos are available.
Withdrawal of Consent
Individuals do have the right to withdraw their consent and data. However, because you are collecting the data under Article 89(1), see above, you do not have to give individuals this right forever. You can give individuals a date after which, because the data is to be anonymised or pseudonymised, it would be too difficult or detrimental to the research to remove it. Individuals effectively waive their right after that date.
This option should be clearly stated on the consent form. You cannot deny this right if in fact it would be relatively easy to remove the data and you do have processes in place for that purpose. You cannot deny this right if you did not give clear details on the consent form that there is a limited period for withdrawal. In such instances you may have to come to some agreement.
Data Management Plans are useful
As you are dealing with identifiable personal and special category data, you should complete a data management plan detailing how the data is to be stored and safeguarded, including protocols limiting the number of researchers working on the identifiable data and security procedures, such as showing how early in the process data can be anonymised. You should also consider having those with access to identifiable data sign a data sharing agreement/protocol, which is particularly useful with collaborators outside the University. To make sure you are storing the data securely, apply for storage on the Active DataStore.
Data Protection Impact Assessments (DPIA)
If you are working with large amounts of personal or special category data, or your project involves working with sensitive issues, you should complete a Data Protection Impact Assessment (DPIA). Completing a data management plan (DMP) alongside considering your DPIA is a useful and time-saving exercise. If you are applying for funding you will have to complete a DMP, so doing both together when you are considering research data management is logical. A DPIA has to be attached to ethics applications. Use the DMPonline tool to help you prepare a DMP and DPIA, with integrated guidance from funders and UoL.
If the data is pseudonymised or easily identifiable, then you might not be able to share any data, unless the consent form allowed such sharing of information for similar research projects. In that case, sharing will be restricted and only the details of the project (a metadata record) can be entered onto a repository. Ethics have examples of appropriate consent form options. If you wish to discuss your particular situation further, please email the Liverpool Research Data Team.
If you have a specific situation or need to discuss your project in detail in relation to GDPR/Data Protection, please contact Dan Howarth, Data Protection Officer.