Collecting, using and sharing data in research with people requires taking into consideration the legal landscape and expected ethical standards for research.
The Data Protection Act and the General Data Protection Regulation
Researchers must adhere to data protection requirements when managing or sharing personal data. The General Data Protection Regulation (GDPR) applies, if:
Personal data is defined within the legislation as ‘any information relating to an identified or identifiable natural person’ whereby the person can be identified directly or indirectly.
It is important to remember that not all research data obtained from people count as personal data. If data are anonymised and an individual is no longer identifiable then the Act and Regulation will not apply, as the information no longer constitutes 'personal data'. The Medical Research Council has produced clear guidance on identifiability, anonymisation and pseudonymisation.
The Data Protection Act 2018 (DPA) and the General Data Protection Regulation (GDPR) provide some exceptions for research data when the necessary safeguards are in place, and applies only to personal or special categories data, and not to all research data in general, nor to anonymised data.
The DPA and GDPR define six principles that need to be complied with when processing personal data. All personal data must:
Researchers will also need to have a legal basis for processing personal data, of which there are six possible grounds:
In the context of research, the three most applicable grounds for the processing of personal data are consent, public interest (public task) or legitimate interest.
An assessment should made by the data controller for each research project to identify the most appropriate grounds for the processing of the personal data for that research project. This will need recording and the processing ground should not be changed at a later date.
The GDPR specifies the rights a data subject has when their personal data are processed:
Which of these rights will be relevant to processing personal data for your research project will depend on the nature of the project, the chosen processing ground and in which country the research is taking place.
EU Member States are able to apply certain ‘derogations’ (or exemptions) of data subjects’ rights, such as in relation to research and archiving. Researchers will therefore need to refer to national legislation, whilst consulting with their local Data Protection Officer (DPO) to identify which rights can be derogated locally.
The DPA, the GDPR and sharing data
Any information relating to an identified or identifiable natural person, whereby the person can be identified, directly or indirectly.
Special categories data
Personal data that is combined with information on a person's race, ethnic origin, political opinion, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, sex life or sexual orientation.
A person or organisation who determines the purposes for which and the manner in which personal data are processed.
A person who processes data on behalf of the controller.
Any operation performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or making available, alignment or combination, restriction, erasure or destruction.
Processing the personal data in such a manner that it can no longer be attributed to a specific data subject without the use of additional information, which needs to be kept separately and subject to technical and organisational measures.
For example, if you de-identify individuals in a survey by giving each respondent a numeric identifier, the data will technically remain personal and under the GDPR be classified as pseudonymised data, if you (the data controller) have another file which links that numeric information to the real names or other personal information. If you destroy the linkage key between the identifiers and the personally identifying information, then it classifies as anonymised data and no longer fall under the requirements of the GDPR.