GDPR and research

Introduction

This page provides information to researchers on how to comply with the requirements of the General Data Protection Regulation (GDPR) and the UK Data Protection Act (DPA), throughout all stages of conducting research.

You can find more information about the specifics of the legislation on the GDPR details for researchers page.

GDPR has meant some significant changes for anyone using identifiable information in their research. If you wish to discuss your situation please contact the Information Governance Team (data-protection@bristol.ac.uk) or the Research Data Service team (data-bris@bristol.ac.uk).

This Guide sets out some of the key issues for University researchers to be aware of when planning and conducting research projects that involve the processing of personal data. It should be read alongside the University’s other policies and guidance on good research practice.

Does GDPR apply to my research data?

GDPR is only concerned with information which can be used to identify living people.

It applies to the collection, storage and use of anything that might in any way be used to identify an individual. This includes name, ID number, location (including IP address and data from cookies), online identifiers, physical and physiological factors, biometrics, and genetic, mental, economic, cultural or social identity. This is classed as 'personal data' or ‘personal information’.

Note, this does include data where the only identifier is a code, for example a study identifier, if that code can be related back to an individual in any way, e.g. by a registration log held by the PI. This is referred to as ‘pseudonymised data’.

GDPR does not apply if your research involves only fully anonymised data (so there is no way of linking it back to the individual it relates to, including through use of a code or numerical identifier).

GDPR requires additional conditions to be satisfied when dealing with ‘Special category data’. These are particularly sensitive personal data including racial/ethnic origin, political opinions, religious/philosophical beliefs, trade union membership, genetic and biometric data, physical or mental health, sex life, and sexual orientation.

How does GDPR impact on me?

If you are dealing with identifiable information you have a responsibility to keep the data safe, keep data subjects informed and report any breaches.

Researchers – Steps to Take

1. Determine whether your work will involve personal information – as defined above. Remember that this will include (though not be limited to):

• Pseudonymised data
• Consent forms - for studies where data is not otherwise stored

2. If so, complete a Data Protection Impact Assessment checklist. DPIA Checklist

3. If you answered yes to two or more of the categories of the checklist, complete a full DPIA (DPIA template). More detailed information is available here:  http://www.bristol.ac.uk/secretary/data-protection/guidance/privacy-impact-assessment/

4. Determine whether you will need to transfer personal information outside of Europe and any steps you will need to take.

5. Determine how data will be stored and whether it will be encrypted: http://www.bris.ac.uk/infosec/uobdata/encrypt/

6. Determine who the data controller is for your study. This will generally be the Chief Investigator’s employer (i.e. usually UoB). For Clinical Research, by default this will be the Sponsor (usually the CI’s employer or a Commercial Sponsor) but it can be assigned to, for example, an NHS Trust or CCG where the data is generated, shared between organisations etc. There is more information available here:   https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/controllers-and-processors/

7. Determine whether you wish, or are required, to make anonymised data available to other researchers after publication. If so, you can find further information about the research data team and the data.bris research data repository here: http://www.bristol.ac.uk/staff/researchers/data/

8. You are strongly recommended to create a Data Management Plan (DMP), which should be proportionate to the nature of your work. More information can be found here: http://www.bristol.ac.uk/staff/researchers/data/writing-a-data-management-plan/.  This external site provides DMP templates: https://dmponline.dcc.ac.uk/.

A DMP should include details of where the data will be stored. We recommend the use of the University’s Research Data Storage Facility (RDSF) for research data: https://www.bristol.ac.uk/acrc/research-data-storage-facility/apply-to-use-the-rdsf/

9. Ensure that your participant information sheet and consent forms include sufficient information to meet the GDPR requirements of Transparency. More information can be found here:https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-be-informed/

There is also information and recommended wording on the HRA website.

• You will need to identify the GDPR lawful basis under which you/the University is processing the personal data you are using. As a rule, studies Sponsored by an Academic or NHS organisation collect data on the lawful basis of it being a Public Task.
• If your study is sponsored by a commercial or charitable organisation, the lawful basis is Legitimate Interest.
• Suggested template wording can be found here: https://www.hra.nhs.uk/planning-and-improving-research/policies-standards-legislation/data-protection-and-information-governance/gdpr-guidance/templates/

10. Determine whether additional required steps have been taken for:

• Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

If you will be working with this type of data, see further information found on the GDPR details for researchers page.

11. In the very unusual circumstance that you are processing data on the basis of Consent and your participants are under sixteen, please see further information on the Paediatric research page.

Reporting data breaches

If you suspect a data breach has occurred you must inform the University’s Data Protection Officer immediately (data-protection@bristol.ac.uk or ext. 41824 / 0117 3941824). To do this, do not rely on email alone but confirm that the breach has been formally logged. Reporting possible incidents as early as possible is vital as the University is subject to time-limits governing how long we must undertake certain actions in response to a data breach. You may also need to inform the IT Service Desk if the breach involves a cyber or technical IT issue. For more information see the University’s Personal data breach procedure.

How long should I keep different types of data?

The University has a Records Retention Schedule that outlines how long different types of records should be kept. The Research Data Service also has Guidance on the Retention of Research Records and Data, which covers issues specific to research records and data in more detail.

Data Protection requirements are not the only reason to retain data. You may also need to consider the future use of records or whether they may be of future historic value - for more information contact the University’s Special Collections section in the Library.