On 25 May 2018 new data protection regulations are introduced in the UK and across the EU. We have been working for many years with the research community and the Information Commissioner’s Office, trying to understand what the new regulations mean for research.
The General Data Protection Legislation and new Data Protection Act, which come into force in the UK, will enable greater accountability and transparency by those who process personal data. The new legislation, GDPR for short, offers enhanced rights to individuals whose data is being processed. In the context of research, GDPR has the potential to further benefit research and archiving, helping to improve trust and confidence between the public and universities, and between researchers and their participants.
So, what are the key things to look out for if you are involved in research with personal data, collecting it, using it or archiving it?
Research is in the public interest
Research organisations must have a lawful basis to collect, use or store personal data. Research – whether conducted in universities, research council institutes, the NHS or other public authorities – is ‘a task in the public interest’. When processing special categories of personal data, like data about health or ethnicity, GDPR specifically recognises that this is ‘necessary for scientific research purposes in accordance with safeguards’. This assures research participants that research organisations will use their data for public good and to protect their privacy.
Consent to take part in research is important
The usual consent process to take part in research, which is at the heart of ethical research, gives participants control over whether they participate and allow their data to be used. Together with public task as the lawful basis, such consent provides dual protection. This builds public trust.
GDPR recognises that research data is valuable and can be kept long-term
GDPR recognises the value of scientific research: important collections of data do not need to be destroyed and can be retained indefinitely for research. Data can be used for multiple research purposes regardless of the initial reason for collection. GDPR supports UK Research and Innovation (UKRI) data sharing objectives.
GDPR forces a record of historical decision-making
Long-term retention needs to be adequately supported and periodically reviewed; organisations must justify why data need to be retained, which can be useful to refer back to in the future. Through its councils, UKRI funds data preservation and retention.
GDPR safeguards reflect current research good practice
Research must meet safeguards, including technical and organisational measures. These protect participants’ interests: good security and access systems, storing data in pseudonymised or anonymised form where possible, only using special categories of data for public good, and not causing substantial damage or distress to participants. Our robust research governance and ethics systems already deliver this.
GDPR is useful for research: it recognises that research is special and largely conforms, allowing it certain privileges. It legalises much of the current good practice in research, placing people at the centre, something that has formed the cornerstone of ethical research for many years.
This blog was first published by the ESRC at https://blog.esrc.ac.uk/2018/05/25/why-gdpr-matters-for-research/#more-5089
Sarah Dickson is Head of the Medical Research Council’s Regulatory Support Centre (MRC RSC) – supporting the health research community with the ethics and governance of research involving people as participants, their biosamples or data.
The Centre works closely with multiple stakeholders, providing the researcher voice to shape policy and interpretation. Preparations for the new data protection legislation included working with: Wellcome Trust on an amendment to the Data Protection Bill; Health Research Authority on official briefing documents; Information Commissioner’s Office, NHS Digital and others to provide practical guidance and shared learning opportunities.
Maria Sigala is a Senior Policy Manager at the Economic and Social Research Council (ESRC). She works within ESRC’s Data and Infrastructure Team, which supports ESRC’s large investments in longitudinal studies and data and resources. Maria has a background in social research and has previously contributed to ESRC’s work for better data sharing legislation for research purposes, as in the Digital Economy Act 2017.