Data protection law change next year
30 October 2017
In May 2018, the Data Protection Act 1998 will be replaced by the EU's General Data Protection Regulation (GDPR), a framework with greater scope and much tougher punishments for those who fail to comply with new rules around the storage and handling of personal data.
UCL has published information about the new GDPR. In addition to this, research teams should be aware of the following:
• Genetic data such as DNA or RNA, which can identify the individual, is now unambiguously subject to data protection principles.
• Data breaches must be reported within 72 hours.
• Particular types of research where the data subjects are vulnerable may require a data privacy impact assessment - a formal process to "evaluate, in particular, the origin, nature, particularity and severity" of the "risk to the rights and freedoms of natural persons" before processing personally identifiable information.
• There will be a requirement to insert relevant GDPR compliant clauses in all active contracts.
• The new accountability principle means that, as data controllers, UCL and UCLH will be required to document compliance with the regulation - this will require the creation of a register of personal data assets held, showing what personal data is collected, how it is used, how it is secured, if it is shared and how long it is retained.
The Joint Research Office is currently awaiting guidance from the MRC and HRA; however, preliminary reading suggests that, as data controllers, UCL and UCLH will have many more legal obligations, which will require new policies and processes.
Some aspects of data protection are still evolving and there is a new Data Protection Bill currently working its way through Parliament that will complement the GDPR. The Bill will provide further clarity over matters such as the use of exemptions for research purposes and the extent of individuals' rights over personal data used in research.