Obligations when sharing data

The Data Protection Act and the General Data Protection Regulation

Researchers must adhere to data protection requirements when managing or sharing personal data. The General Data Protection Regulation (GDPR) applies, if:

• a researcher based in the EU collects personal data about people anywhere in the world
• a researcher outside the EU collects personal data on EU citizens

Personal data is defined within the legislation as ‘any information relating to an identified or identifiable natural person’ whereby the person can be identified directly or indirectly.

It is important to remember that not all research data obtained from people count as personal data. If data are anonymised and an individual is no longer identifiable then the Act and Regulation will not apply, as the information no longer constitutes 'personal data'. The Medical Research Council has produced clear guidance on identifiability, anonymisation and pseudonymisation.

The Data Protection Act 2018 (DPA) and the General Data Protection Regulation (GDPR) provide some exceptions for research data when the necessary safeguards are in place, and applies only to personal or special categories data, and not to all research data in general, nor to anonymised data.

The DPA and GDPR define six principles that need to be complied with when processing personal data. All personal data must:

1. be processed lawfully, fairly and transparently
2. be kept to the original purpose
3. be minimised (i.e. only the personal data that is necessary is collected)
4. have the accuracy upheld
5. be removed if they are not necessary
6. be kept confidential and their integrity maintained

Researchers will also need to have a legal basis for processing personal data, of which there are six possible grounds:

1. consent of the data subject
2. necessary for the performance of a contract
3. legal obligation placed upon controller
4. necessary to protect the vital interests of the data subject
5. carried out in the public interest or is in the exercise of official authority
6. legitimate interest pursued by controller

In the context of research, the three most applicable grounds for the processing of personal data are consent, public interest (public task) or legitimate interest.

An assessment should made by the data controller for each research project to identify the most appropriate grounds for the processing of the personal data for that research project. This will need recording and the processing ground should not be changed at a later date.

The GDPR specifies the rights a data subject has when their personal data are processed:

• The right to be informed
• The right of access
• The right of rectification
• The right to erasure (the ‘right to be forgotten’)
• The right to restrict processing
• The right to data portability
• The right to object
• Rights in relation to automated individual decision-making and profiling

Which of these rights will be relevant to processing personal data for your research project will depend on the nature of the project, the chosen processing ground and in which country the research is taking place.

EU Member States are able to apply certain ‘derogations’ (or exemptions) of data subjects’ rights, such as in relation to research and archiving. Researchers will therefore need to refer to national legislation, whilst consulting with their local Data Protection Officer (DPO) to identify which rights can be derogated locally.

The DPA, the GDPR and sharing data

Consider:

• Do you really need to collect personal data? Often information such as participants' names and addresses are collected for administrative purposes only and have no research value. Not collecting personal data in the first place may make it easier to manage and share your data. Alternatively, if they do need to be collected, for example, for follow-up interviews, they should be stored separately from research data.
• Inform your participants about use of personal data. All researchers must inform research participants about how any personal data collected about them will be used, stored, processed, transferred and destroyed.

Definitions

Personal data

Any information relating to an identified or identifiable natural person, whereby the person can be identified, directly or indirectly.

Special categories data

Personal data that is combined with information on a person's race, ethnic origin, political opinion, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, sex life or sexual orientation.

Data controller

A person or organisation who determines the purposes for which and the manner in which personal data are processed.

Data processor

A person who processes data on behalf of the controller.

Data processing

Any operation performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or making available, alignment or combination, restriction, erasure or destruction.

Pseudonymisation

Processing the personal data in such a manner that it can no longer be attributed to a specific data subject without the use of additional information, which needs to be kept separately and subject to technical and organisational measures.

For example, if you de-identify individuals in a survey by giving each respondent a numeric identifier, the data will technically remain personal and under the GDPR be classified as pseudonymised data, if you (the data controller) have another file which links that numeric information to the real names or other personal information. If you destroy the linkage key between the identifiers and the personally identifying information, then it classifies as anonymised data and no longer fall under the requirements of the GDPR.