Background
In 2018, two new data protection laws came into force: the EU General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA).
Combined, both laws represent an evolution of data protection law in the way that they give individuals greater control over their personal data and require organisations to demonstrate greater accountability and transparency in relation to how they process personal data. The GDPR also introduces more severe penalties for infringements, in the form of administrative fines of up to €20 million or 4% of global turnover (whichever is higher).
From a research perspective, these laws reinforce the importance of data protection as part of protecting the rights, dignity, health, safety and privacy of research subjects which is at the core of the University’s research activities and fully embedded in its research culture. Please see the University’s Research ethics page for further information.
Key definitions and application
The key definitions under the GDPR as used in this Guide are set out in Schedule A. Most definitions remain largely unchanged from the Data Protection Act 1998 ('1998 Act'), although it is worth noting that the new definitions of “biometric data” and “genetic data” represent special categories of personal data (previously known as “sensitive personal data” under the 1998 Act).
The GDPR does not apply to deceased persons. It also does not apply to personal data once it has been anonymised; however, the collection and subsequent anonymisation of personal data is itself a processing activity which is regulated under the GDPR.
Key principles
As with the 1998 Act, the GDPR sets out some key principles which must be followed when processing personal data from the point of collection until the point of archiving/deletion/destruction.
The University must ensure that all personal data are:
Under the DPA, it is a criminal offence for a person to re-identify information that has been de-identified (whether pseudonymised or anonymised) without the consent of the controller.
The overarching ‘accountability principle’ requires that the University must be able to demonstrate compliance with all of the above principles by maintaining robust records in relation to the governance of personal data.
Additionally, the University must ensure that:
Individuals' rights
Under GDPR, everyone usually has the following rights over their own personal data:
However, if you are processing data for research purposes then your activities are exempted from many of these rights provided that certain conditions are met (see the 'Research or statistical purposes exemption' section below). Specifically, your data subjects will retain:
If data subjects can be identified in the published results of your research then they also retain the right to access their personal data.
If a data subject makes a request relating to one of these rights, you must immediately inform the Data Protection Office (data-protection@bristol.ac.uk) and refer to the University’s Data subject rights procedure.
Documentation
GDPR requires data controllers to keep a written record of data processing. We strongly recommend you create a Data Management Plan (DMP), if you don’t already have one, and keep it up to date. Your research funder may have requested a DMP as part of your funding application. Your DMP, along with your ethical planning documents, privacy notices (see below) and, if needed, a Data Protection Impact Assessment (see below) should be used to record the nature of the data you will collect, any re-use of existing data, your justification for processing data, and your data security and retention policies.
University policies also contribute to your documentation. For example, our information security policy documents the University’s 'appropriate organisational and technical measures' for safeguarding data.
It will be essential when thinking about further use of data collected to check this documentation to ensure that you are not straying beyond the arrangements described at the point of collection. If the arrangements for data use are not documented there, it will be important to update participants.
Lawful basis for processing personal data
To use personal data for any purpose, including research, a relevant lawful basis must apply. Article 6 of GDPR provides six possibilities, at least one of which must apply to make the activity lawful. If special categories of personal data are being processed then a further lawful basis from Article 9 of GDPR must also apply (see below).
All of the University’s research activity can be covered by the ‘public task’ lawful basis contained in Article 6.1(e) of GDPR. This allows personal data to be used where “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”, usually summarised as the public task condition.
The University of Bristol is founded and regulated by its Charter and related Acts of Parliament. Together they define the University’s role as the provision of teaching and research. Therefore, the University is able to cover all of its research activity involving personal data under the ‘public task’ condition (GDPR Article 6.1(e)). Research studies that involve the processing of personal data will usually need to state their reliance on this lawful basis in information provided to the individuals whose personal data is collected and used, i.e. in participant information sheets and similar means.
Another of the lawful bases offered by Article 6 of GDPR is having the consent of the individual whose personal data is processed. However, relying on consent as the Article 6 condition for processing personal data in a research context is neither necessary nor advised. This is because the public task condition can always be used, and because if consent is the lawful basis then participants can withdraw it at any time, after which the processing must stop.
This does not mean that no consent is needed, as it will still likely be required for ethical and confidentiality purposes. However, consent does not need to be used as the GDPR lawful basis, or necessarily need to be of the high standard that GDPR imposes (usually equating to an opt-in mechanism). This issue can be confusing so researchers are advised to seek advice if they are unsure.
Condition for processing special categories of personal data
Further conditions must be met to allow for the processing of "personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation” (known as Special category data).
One of the conditions under the DPA is where the processing of personal data is necessary for archiving purposes, scientific or historical research purposes or statistical purposes in the public interest (‘research condition’ – GDPR Article 9.2.(j)). As the University will generally rely on the public task condition for processing personal data in the research context, this public interest test should therefore be satisfied.
However, to be able to rely on the research condition, the DPA provides that the processing must not be:
Another condition applies when research involving the processing of personal data is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices (‘public health’ – GDPR Article 9.2.(i)). This will also apply to research being conducted for a medical purpose falling within this definition.
See Article 9 EU GDPR "Processing of special categories of personal data" and Article 6 EU GDPR "Lawfulness of processing"
Research or statistical purposes exemption
GDPR contains an exemption (in Article 89) which means that if you are processing personal data for research purposes and certain conditions are met then the individuals who the data relates to do not have some of the usual individual rights they would normally have regarding their personal data (see the 'Individuals' rights' section above).
For this exemption to apply, you must:
In addition, if your data processing is likely to cause harm or distress to data subjects then you have not met the requirements for processing for research purposes, and the exemptions will not apply.
Data Protection by Design and Default
The GDPR introduces a new requirement: ‘data protection by design and default’.
This is an approach which is designed to ensure that privacy issues are taken into consideration during the research design process. Once any privacy issues have been identified, appropriate technical and organisational measures can then be put in place to ensure that data protection law is complied with and those safeguards integrated into the research process.
It is closely related to the purpose limitation and data minimisation principles (see Key principles) and requires researchers to ensure that they only process such personal data as is necessary to achieve the specific purposes of the research.
This requirement represents a ‘privacy first’ approach to ensure that adequate safeguards are put in place to facilitate compliance with data protection and ensure that the rights of data subjects are respected.
Data Protection Impact Assessments
The GDPR also introduces the requirement for a Data Protection Impact Assessment (DPIA) to be undertaken where the processing of personal data is likely to result in a risk to the rights and freedoms of data subjects (DPIA template). A DPIA is an important part of data protection by design and default as it aims to identify how any privacy issues can be mitigated or eliminated before any processing commences.
Further information and guidance can be found on the Data Protection Impact Assessment webpage, including a set of screening questions and the full DPIA template.
Not all research projects will require a DPIA to be undertaken. For example, questionnaire or survey-based research that does not involve the collection of any special categories of personal data or personal data relating to criminal convictions or offences would be unlikely to require a DPIA. However, a DPIA will be a mandatory requirement where any research involves:
The University considers that a DPIA should always be undertaken:
Key definitions
biometric data | personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data
consent | any freely given, specific, informed and unambiguous indication of the data subject's wishes by which they, by a statement or by a clear positive action, signify agreement to the processing of personal data about them
controller | the person or organisation that determines the purposes and means of processing personal data
criminal convictions and offences | personal data relating to criminal convictions, the commission or alleged commission of an offence, proceedings for the commission or alleged commission of an offence and sentencing
data subject | an individual to whom personal data relates and who can be identified or is identifiable from personal data
EEA | the 28 countries in the European Union and Iceland, Liechtenstein and Norway
explicit consent | a higher standard of consent that requires a very clear and specific statement rather than an action which is suggestive of consent, and is the requirement when processing special category data on the basis of consent
fair processing notices | a notice setting out information that must be provided to data subjects before collecting personal data from them, including notices aimed at a specific group of individuals or notices that are presented to a data subject on a ‘just-in-time’ basis (also known as a ‘privacy notice’ or ‘data protection notice’)
genetic data | personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question
personal data | any information identifying a data subject or information relating to a data subject that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. Personal data includes criminal convictions and offences data, special categories of personal data and pseudonymised personal data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person's actions or behaviour
personal data breach | a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed, and which compromises the confidentiality, integrity, availability and/or security of the personal data
privacy notices | see fair processing notices above
process, processes, processing | any activity or set of activities which involves personal data, including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or making available, alignment or combination, restriction, erasure or destruction
pseudonymised, pseudonymisation | replacing information that directly or indirectly identifies an individual with one or more artificial identifiers or pseudonyms so that the data subject cannot be identified without combining the identifier or pseudonym with other information which has been kept separately and securely. Personal data that have been pseudonymised are still treated as personal data (unlike personal data which have been anonymised)
special categories of personal data | previously known as “sensitive personal data” under the Data Protection Act 1998, this means information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data, and, for the purposes of this policy, personal data relating to criminal offences and convictions
Further reading