This guide provides insight on GDPR compliance in university research, covering key principles and considerations. Learn how to handle identifiable research data, lawful basis for processing, and consent requirements.
General Data Protection Regulations – Research V3.0 • Simon Clements (CISM), Information Security Manager • Dr Clark Crawford, Head of Research Integrity
Purpose of today • NOT to give a background for GDPR • Become more aware of GDPR • Understand how the prepared for GDPR • Understand your own actions to comply with GDPR • Understand what compliance to GDPR looks like in University research
Just a reminder……. 6 Principles of Data Protection under GDPR • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed • Processed lawfully, fairly and in a transparent manner in relation to individuals • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes • Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed • Accurate and, where necessary, kept up to date • Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage
Good News! • Research has always been very close to compliance already. • Research is not the “problem” GDPR is trying to solve.
What three things must I consider when working with identifiable research data?
Do you know what identifiable data is? • Turn to your neighbour, give an example of an asset and the identifiable data held in it. • Did anyone think a consent form was an asset? • Did anyone think an email from a disgruntled participant was a piece of identifiable data?
Is this processing? “I’m the supervisor of a masters student; when they left they handed over the consent forms, which I put in a filing cabinet in the School Office.” • True • False
What three things must I consider for the GDPR? • Lawful basis for Processing: being able to process it • Transparency: being fair about processing it • Safeguards: processing it properly (safely and securely)
Lawful Basis: Conditions for Processing • Data subjects must be informed of the relevant condition for processing: • (a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose. • (b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract. • (c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations). • (d) Vital interests: the processing is necessary to protect someone’s life. • (e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law. • (f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
What’s the condition? • Consent • Contract • Legal obligation • Vital interests • Public Task • Legitimate interest
Why not consent? • Consent may be an Ethical requirement. • Consent may be a lawful requirement under confidentiality. • Consent processes may, in part, be the vehicle for transparent and fair processing. • But it is not the condition for processing.
IF consent were the condition • A participant who wanted to withdraw their consent could request that their data is destroyed. • Research doesn't always involve consent. • And, once selected, we cannot change conditions without informing the individual and documenting the change.
Special Category Personal Data • Data concerning an individual’s: • race; • ethnic origin; • politics; • religion; • trade union membership; • genetics; • biometrics (where used for ID purposes); • health; • sex life; or • sexual orientation.
Conditions for Processing of Special Category Personal Data • (a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject; • (b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject; • (c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent; • (d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects; • (e) processing relates to personal data which are manifestly made public by the data subject; • (f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity; • (g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject; • (h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3; • (i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy; • (j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
What’s the condition? • Consent • Obligations as employers • Vital interests • Legitimate activities • Personal data manifestly made public by the subject • In relation to legal matters • Substantial public interest • Preventative or occupational medicine • Public interest in public health • Archiving in the public interest, scientific or historical research purposes
Sum up….. • Legal basis is: • …task carried out in the public interest. • Archiving in the public interest, scientific or historical research purposes • Why? • Personal data is necessary and relevant • Not that it might be nice to have • Will only be used to support legitimate research activities that are considered to be in the public interest • Their interests are safeguarded/protected.
Two conditions? • One “process event”, two conditions. • Example: e.g. Consent Keele Alumni Fundraising Research Public Task
What three things must I consider when working with identifiable research data? “Public Interest” ≠ “Public Interest”
University Wide Preparation Data collection Data Protection Officer Asset Register Asset Manager Who, what, where, why (incl legal basis)
Data Protection Officer • MUST know what data Keele is processing as controller or processor. • A line listing of each and every research project. Ian Rawlinson - Solicitor - Corporate Governance & Commercial / DPO i.rawlinson@keele.ac.uk
Building the Asset Register • Respond to requests for data assets in relation to research: • Your school will have been given a list of your: • University REC approved projects • Health and Social Care projects • Any projects that involve data must re-appear as assets on the register. • Data Protection Impact Assessment process (DPIA) https://www.keele.ac.uk/informationgovernance/fortheuniversity/dataprotection/privacybydesign/dataprotectionimpactassessments/
Responsibilities in Research • Researcher MUST complete DPIA for EVERY data set (i.e. project) of identifiable data being processed for research. • No DPIA: • Research Integrity Team cannot issue Sponsorship • Research Ethics Committees cannot issue favourable ethical opinion • Signatories cannot sign research contracts • DPIAs help researchers design their studies. • Do not let identifiable data move into or out of the University without a legal agreement.
What three things must I consider for the GDPR? • Lawful basis for Processing: being able to process it • Transparency: being fair about processing it • Safeguards: processing it properly
Transparency • You must be open and honest with data subjects • We must inform subjects • What their rights are • What our legal basis is • What we’re doing with the data • Others! • You must treat people fairly • If they say ‘no’, you must respect this
Layers of Transparency? • Privacy notice – the Legal, generic, everlasting statements. • Information sheets – specifics around the project, what data, who, where, when, how? • Conversations – Clear understanding of all involved. • No Surprises
Layers The DPO Your control
What do we need to tell them? • Your relationship with your Bank • Name • Address • Salary information • Relationships • Outgoing payments • What do you want your bank to tell you?
What do you want your bank to tell you? • What language will my data be held in? • Who is the Data Controller? • What will be done with my data? • Will the bank “sell” my data? • What database will my data be kept on? • How long will the data be kept? • Who outside the Bank will be sent the data? • Will the bank disclose data to the Authorities?
Good or bad? • √ “Please provide telephone numbers in case we need to contact you about your claim. You do not have to tell us your phone number but it will help us to contact you quickly if we have a question about your claim. Mobile: Home:” – Clear explanation of why it would be helpful to provide this information • x “You must provide the following telephone numbers. It will delay your claim if you do not provide your telephone numbers. Mobile: Home:” – Implies it is mandatory to give this information when in this case it is voluntary
Good or bad? • x “I hereby confirm my understanding of and acceptance of the following information. Donningly Council (the 'Council') will utilise the personal data I have provided in this form and via any evidence I have submitted in support of my claim in order to process my claim for housing benefit, council tax benefit, both of these or other applicable benefits which may be available to myself in accordance with the Council's personal data usage policies. The Council may check the personal data against other sources within the Council and other relevant third party public sector organisations as necessary in order to prevent and detect crime, protect public funds and make sure the personal information is accurate. The Council may also require to check personal data I have provided, or information in relation to myself, which has been provided to the Council by a third party with other information held by the Council. The Council may also get information about me from third parties or give information about me in accordance with the law. For the purposes of the Data Protection Act 1998 the data controller processing your personal data is Donningly Council. The Council processes all personal data in accordance with the Data Protection Act 1998 and the law. Having read and understood the above information I hereby provide declaration that the data on this form is correct and comprehensive and understand that if I give the Council information that is incorrect or incomplete the Council may commence legal action against me potentially leading to or including court action.” – So confusing!!!!!!! • √ “I understand the following: You will use the information I have provided to process my claim for housing benefit, council tax benefit, or both. You may check some of the information with other sources within the council, the rent service, other councils and government departments, eg the benefits agency, the Inland Revenue and the Home Office. You may also get information about me from certain other organisations, or give information about me to them to: make sure the information is accurate; prevent or detect crime; and protect public funds. These other organisations include government departments, other local authorities and private sector organisations such as banks and organisations that may lend me money. If I give information that is incorrect or incomplete you may take action against me, including court action. I declare that the information I have given on this form is correct and complete. Signature of the person claiming Signature:” – Clear explanation of purpose and use.
Further use of Data • You would usually use collected data further, so say so: • And give examples…… • Be clear if you will be sharing any identifiable information with others…… • “We will keep your data and use it to support future health research”
What three things must I consider for the GDPR? • Lawful basis for Processing: being able to process it • Transparency: being fair about processing it • Safeguards: processing it properly
Buuuuut… “Appropriate Safeguards..” The spirit of the new data protection legislation is to ensure organisations are lawful, fair and transparent when holding and using personal data. Scientific research has a natural route through the legislation which depends on specific safeguards being in place. https://mrc.ukri.org/documents/pdf/gdpr-guidance-note-3-consent-in-research-and-confidentiality/
Safeguards • Research Ethics Committee approval, • Governance checks (including HRA assessment), • Peer review from public funders, • Data minimisation and minimisation of recruitment numbers, • Pseudonymisation and other technical safeguards against accidental disclosure and loss or corruption of research data, etc…
What is data? ‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’). In other words, any information that is clearly about a particular person. But just how broadly does this apply? The GDPR clarifies: “[A]n identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Anonymisation GDPR defines anonymous information as: ‘…information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable’. Identifiable can mean either Direct or Indirect
Identifiable…… • directly identifiable: can be from name, address, postcode, telephone number, photograph or image, or some other unique personal characteristic • indirectly identifiable: when certain information is linked together with other sources of information, including, their place of work, job title, salary, their postcode or even the fact that they have a particular diagnosis or condition Once data is truly anonymised and individuals are no longer identifiable, the data will not fall within the scope of the GDPR https://ico.org.uk/media/for-organisations/documents/1061/anonymisation-code.pdf
Pseudonymisation GDPR defines pseudonymisation as: “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organisational measures to ensure non-attribution to an identified or identifiable individual”
Safeguards….. Pseudonymised personal data can still fall within scope of the GDPR. However, it will assist us to meet our data protection obligations: • principles of ‘data minimisation’ • ‘storage limitation’ • processing for research purposes for which ‘appropriate safeguards’ are required. “Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person.”
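An added example, not part of the original slides: one way to pseudonymise a research data set so that the "additional information" (a key and a linkage table) can be stored separately, plus a check for rows that remain indirectly identifiable through combinations such as job title and diagnosis. The keyed-hash (HMAC-SHA256) approach, the field names, the demo key and the sample records are all assumptions made for illustration.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed demo key. In practice this is part of the "additional
# information": it lives in a separate, access-controlled store.
DEMO_KEY = b"constructed-demo-key-not-for-use"
DIRECT_IDENTIFIERS = ("participant_id", "name", "postcode")  # assumed field names


def pseudonym(participant_id: str, key: bytes) -> str:
    """Keyed, repeatable pseudonym; cannot be recomputed without the key."""
    digest = hmac.new(key, participant_id.encode("utf-8"), hashlib.sha256)
    return "P-" + digest.hexdigest()[:16]


def pseudonymise(records, key):
    """Return (research_rows, linkage_table); the two are stored separately."""
    research_rows, linkage = [], {}
    for rec in records:
        pid = pseudonym(rec["participant_id"], key)
        # Direct identifiers go only into the linkage table.
        linkage[pid] = {f: rec[f] for f in DIRECT_IDENTIFIERS if f in rec}
        row = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        research_rows.append({"pid": pid, **row})
    return research_rows, linkage


def small_cells(research_rows, quasi_identifiers, k=2):
    """Pseudonyms whose quasi-identifier combination is shared by fewer
    than k rows, i.e. rows that may still be indirectly identifiable."""
    groups = defaultdict(list)
    for row in research_rows:
        groups[tuple(row[q] for q in quasi_identifiers)].append(row["pid"])
    return sorted(p for pids in groups.values() if len(pids) < k for p in pids)


# Constructed sample records, not real participants.
SAMPLE = [
    {"participant_id": "S001", "name": "A. Example", "postcode": "ZZ1 1AA",
     "job_title": "Lecturer", "diagnosis": "asthma"},
    {"participant_id": "S002", "name": "B. Example", "postcode": "ZZ1 1AB",
     "job_title": "Lecturer", "diagnosis": "asthma"},
    {"participant_id": "S003", "name": "C. Example", "postcode": "ZZ2 2AA",
     "job_title": "Vice-Chancellor", "diagnosis": "diabetes"},
]

if __name__ == "__main__":
    rows, linkage = pseudonymise(SAMPLE, DEMO_KEY)
    for row in rows:
        print(row)  # research copy: pseudonym plus study variables only
    print("Review before sharing:",
          small_cells(rows, ("job_title", "diagnosis")))
```

The row flagged by `small_cells` has no name or postcode, yet a unique job title and diagnosis could still single out one person, which is why the pseudonymised set stays within scope of the GDPR.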
Agreements • For health and social care research • Statement of Activities • Model non-commercial agreement (mNCA) • Bespoke site agreement • For other research • Data Sharing Agreement • Details what, how, why, where to, who to etc • Collaboration Agreement • required for projects involving at least one other research partner on a project.
Data Sharing Agreement • Very specific clauses • Not routinely covered by collaboration agreements • Researchers must identify transfer of data to ensure appropriate agreements are implemented
Data Sharing agreements made simple • Email Subject: Research Data Sharing raise.contracts@keele.ac.uk
What three things must I consider for the GDPR? • Lawful basis for Processing: being able to process it • Transparency: being fair about processing it • Safeguards: processing it properly
Back to the asset register Data Transfer Agreements Safeguards Transparency Keele School Collaborator Data Subject Research DPIA
Things which must be clear e.g.: • Identity of the data controller • Condition(s) of processing • The categories of personal data concerned • The data subject’s rights under GDPR • The source from which the personal data originate, and if applicable, whether it came from publicly accessible sources • How appropriate or suitable safeguards are achieved in relation to any personal data transferred out of Europe
Prepare for Amendment • All investigators will be required to declare their studies and the actions undertaken to bring them into compliance. • Two routes: • Where approved by the HRA • Where the only approval is a University REC
Professor Ponting (Poppleton University) provides you with identifiable data to process as part of her RCUK grant. What do you need? • Nothing • A collaboration agreement covering the grant • Evidence of Ethics Approval • A clear email granting you the authority to process the data • Something else
Resources • Information on Common Law – Confidentiality https://mrc.ukri.org/documents/pdf/gdpr-guidance-note-3-consent-in-research-and-confidentiality/ • Data Protection Impact Assessment https://www.keele.ac.uk/informationgovernance/fortheuniversity/dataprotection/privacybydesign/dataprotectionimpactassessments/ • Keele Information Governance/Data Protection https://www.keele.ac.uk/informationgovernance/fortheuniversity/ • Keele Information Security https://www.keele.ac.uk/informationsecurity/ • ICO Anonymisation Guide https://ico.org.uk/media/for-organisations/documents/1061/anonymisation-code.pdf