Guidance for researchers on the implications of the GDPR and DPA 2018

Content

• Introduction
• A. Scope
• B. Legal bases for the processing of personal data
• C. Research involving ‘special category personal data’ or information relating to criminal convictions/offences
• D. Data relating to criminal convictions and offences
• E. Consent and ethical issues
• F. Fairness and transparency
• G. Accountability
• H. Data protection principles
• I. Further guidance

Introduction
This guidance note has been compiled to provide an overview of data protection key points for researchers, in line with the General Data Protection Regulation (GDPR) and the new UK Data Protection Act 2018. When referring to both, this guidance note will use the term ‘new data protection legislation’.
This document was last updated on 24 May 2018. It may be updated further as relevant guidance on the issues raised is published by the UK Information Commissioner’s Office (ICO).
 

This means that if you are collecting or accessing personal data, including re-using existing data, that either identifies or could be linked to a living individual, then this guidance and GDPR applies. If you are processing truly anonymised data, then your research activity falls outside the scope of these guidelines. Note that this means the data should be completely anonymous on receipt (collection/accessing); if you have personal data but then make that personal data anonymous, that will still be a processing operation and the and GDPR and this guidance applies. If you are a researcher processing personal data, then you must comply with the requirements of the new data protection legislation, in addition to the common law duty of confidentiality and all relevant ethical requirements.
 

Researchers must be explicit about what this basis is and document it both as part of their ethics application and in the information they provide to participants, eg information sheets. Article 6(1) of the GDPR sets out the following six possible legal bases for processing of personal data:

(a) Consent
(b) Contract
(c) Legal obligation
(d) Vital interests
(e) Public task
(f) Legitimate interests

UCL’s view is that, for the vast majority of research undertaken at the University, the appropriate legal basis for processing personal data will be Article 6(1)(e), i.e. the ‘public task’ basis. This applies where the processing is necessary for UCL to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.

UCL is a public authority for the purposes of data protection legislation and it has taken the view that the ‘public task’ basis should generally be relied upon in a research context. It is important to note that when we talk about consent as a legal basis, we are referring to only that – the legal basis – we are not referring to ‘ethical informed consent’ which will still be required in addition to the legal basis. UCL has produced a ‘Statement of Public Tasks’ outlining the categories of processing that are deemed to fall within the Article 6(1)(e) basis.

In accordance with ICO guidance, UCL has considered factors such as its Charter and Statutes in order to determine what types of processing should be included in this list, and has categorised research generally as being one of its ‘public tasks’. Note that if you intend to process, ie collect/use, either ‘special category’ information; or data relating to criminal convictions or offences is used, you will need an additional legal basis for processing that particular data and further safeguards will need to be put in place. Information on these requirements is outlined in Sections C and D respectively.
 

• data which reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership;
• data concerning health (the physical or mental health of a person, including the provision of health care services);
• data concerning sex life or sexual orientation; or
• genetic or biometric data processed to uniquely identify a natural person.

As stated above, in addition to the lawful basis for other research data, you need a further basis (meaning a specific justification) for processing ‘special category personal data’ (under GDPR Article 9(2) and the Data Protection Act 2018). UCL’s view is that the most appropriate legal basis to rely upon when processing ‘special category personal data’ for research purposes is Article 9(2)(j), i.e. where the processing is necessary for
archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. Reliance on this condition requires UCL to ensure that the processing meets the public interest test and ‘appropriate safeguards’ are in place. These ‘appropriate safeguards’ include:

• Using ‘technical and organisational measures’ to ensure data minimisation, e.g. pseudonymisation;
• Using anonymised data where possible;
• Not processing in ways that are likely to cause substantial damage or distress to individuals;
• Not supporting measures or decisions with respect to individuals; and
• Having the assurance that research ethics committee approval is in place where needed.

UCL’s view is that the ethics application, data protection registration process and review itself will help ensure that the research is in the public interest. In circumstances where it is not possible to rely on Article 9(2)(j) GDPR, it may be possible to establish that another condition under Article 9(2) GDPR applies. Examples of alternative conditions include the following:

• Article 9(2)(a) - the research participant has given explicit consent to the processing of the personal data for one or more specified purposes. (Note that consent as a lawful basis should only be used if no other condition applies, as the GDPR imposes very strict requirements – consent must be freely given, specific and informed (covering all relevant purposes for the processing by all relevant parties) and unambiguous. A positive action is required to opt in – ‘implied consent’ is not acceptable – and individuals may withdraw their consent at any time, which may cause problems for researchers and the use of the data at a later stage.);
• Article 9(2)(e) - processing relates to personal data which are manifestly made public by the research participant (this may apply when using certain social media for example); or
• Article 9(2)(i) - processing is necessary for reasons of public interest in the area of public health, such as protecting against cross border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices.

However, reliance on any of these alternative grounds is not UCL’s recommended approach. Researchers should justify why they wish to rely on any condition other than Article 9(2)(j) GDPR as part of their data protection registration.
Again it is important to note that the above refers to the legal basis, and does not in any way remove the ethical requirement to obtain informed consent from participants to access and use their special category personal data. If you are accessing such data as secondary data, then you should still clarify whether the original participants’ consent for their data being used is still valid.
 

As Article 10 GDPR only allows for the processing of personal data ‘under the control of official authority’ or as authorised by EU or Member State law, this means that researchers will need to show that one of the grounds set out in the Data Protection Act 2018 applies. For researchers, UCL’s view is that the most relevant condition for processing criminal convictions and offences personal data will be that the processing ‘is necessary for archiving purposes, scientific or historical research purposes or statistical purposes’.

Under the Data Protection Act 2018, reliance on this condition requires UCL to ensure that the same ‘appropriate safeguards’ listed above in respect of ‘special category personal data’ are in place. As is the case with ‘special category personal data’, it may be possible to rely on an alternative basis for processing, although this is not UCL’s recommended approach. Researchers should justify why they wish to rely on any condition other than Article 9(2)(j) GDPR.
 

GDPR recital 33 notes that research must act in a manner that is ‘in keeping with recognized ethical standards for scientific research’, and the UCL REC and other ethical review boards will usually expect informed consent. In effect in order to use personal data for research you need two bases; the legal basis (GDPR) and the ethical basis (informed consent). For example, a person may be asked to consent to participate in research (ethical basis) and told that, if they agree to participate, data about them will be processed for a task in the public interest (legal basis). Here, the legal basis for data processing will be ‘public task’ rather than consent.

While consent to participate in a project that is obtained for ethics purposes must be fully informed and freely given, in addition to meeting other requirements, researchers do not therefore need to obtain consent that meets the high standards set out in the GDPR, which is:
"any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her".
 

Researchers must be as transparent as possible about the uses to which data will be put and any risks involved. This usually requires that the research participant is provided with appropriate information about how and why their data will be processed through the provision of an Information Sheet. Participants can then give their ‘fully informed’ consent to take part in the research. The Information Sheet must include the legal basis relied upon for the processing (as stated above, this will generally be the ‘public task’ basis).

For clarity, researchers who process ’special category personal data’ as part of their project must state both the Article 6 and the Article 9 GDPR conditions they are relying on in both their ethics application and in the information they supply to participants. For criminal convictions/offences personal data, the basis under established under both Article 6 and Article 10 GDPR and must be documented in the ethics application and in the information supplied to research participants Information provided to participants must be:

• Concise, transparent, intelligible;
• Provided in easily accessible form, using clear, plain and simple lay language;
• Prepared with consideration of the audience e.g. information addressed specifically to a child; and
• Provided by an appropriate means (e.g. in writing, orally, electronically).

An annotated template Information Sheet is available on the Ethics website which can be used as a basis to craft your own Information Sheet that is specific to your research project. Further details are set out in the University’s privacy notice, and guidance on creating a local privacy notice can be found here.
However, please note that in the case of participant observation and other forms of ethnographic research, an alternative method of communicating information about the research may be appropriate.
 

In practice, this means that in addition to simply establishing a legal basis for processing:

i. The selected basis must be documented as part of the data protection registration;
ii. Evidence of the fair processing information provided to individuals must be kept; and
iii. Evidence must also be kept of how the other data protection principles (set out in Section H below) have been complied with as part of the research project.

Meeting i-iii above means that researchers should submit such information as part of the data protection registration process and keep their own record of this.
 

In accordance with the new accountability requirement, UCL must also be able to demonstrate compliance with the above principles.Further  commentary on these principles may be found on the ICO website here.