Data Protection Considerations
In this post we explore what you need to know about data protection when conducting research with human participants.
Contents
Introduction
In other posts in this series, we have discussed how information sheets and consent forms/scripts are important supporting documents for your research study. Both contain information not only about what you’re planning to do but also about what information you want to collect and what you’re planning to do with it. They also contain information related to UK General Data Protection Regulation (GDPR).
In this post we explore how UK GDPR applies when constructing information for your research study.
UK GDPR relates to personal information that makes it possible to identify a person directly or indirectly (i.e. through contextual elements or when linking multiple sources of data).
Examples of personal information include:
- Names, addresses, contact information
- Dates of birth
- Records of consent
- Audio/video recordings
- Photographs
UK GDPR also refers to special category information which is sensitive personal information about a person. These pieces of information are classed as special category as they require additional protections to ensure the information is only accessed by authorised individuals.
Examples of special category data include:
- Race
- Ethnic origin
- Political affiliation
- Religious beliefs
- Trade union membership
- Genetics/biometrics
- Health information
- Sexual orientation
What does UK GDPR mean?
Now that we know what type of information is included under UK GDPR, we can explore what we need to do to ensure that information is kept safe and secure.
The requirements of UK GDPR stipulate that we must tell participants the legal reason why we are collecting and processing their personal information. This reason is called the legal basis and for the purposes of research at the University, this reason is listed as public interest and a process necessary for research purposes. More information about these specific reasons can be found in the University’s Research Privacy Notice and a copy of which (either digitally as a hyperlink/URL or physically as a separate handout) must be included as part of any information that you provide to your participants.
Another requirement is UK GDPR stipulates that we must explicitly list the personal and special category data that we plan to collect in the participant information sheet. Remember, personal information includes names, records of consent and any demographic information. By following the University template for the participant information sheet, you’ll see the information listed under the section related to confidentiality.
Finally, UK GDPR stipulates that we must be clear with research participants about how their data will be used, stored and shared. This is why specific information must be included in the participant information sheet and consent form in relation to these details.
Data protection considerations
In order to be able to provide participants with detailed information about how their data will be used, stored and shared, you need to develop a data management plan. A data management plan (DMP) contains specific information in relation to the data generated from your research study including what you plan to record, how you will use the information, where the information will be stored, who will access it, how it will be published and when it will be destroyed.
Data management plans are created using the DMPonline system and a copy of the plan should be submitted as part of any ethics application.
In order to construct your plan, you’ll need to consider the following:
Collection
- How will the data be initially collected? Will this be on paper or electronically?
- Will you be taking audio/video recordings or photographs? What device will be used? How will these be stored?
Use
- How will the data be used? Will it be identifiable, pseudonymised or anonymised?
- Will the data be shared with others at University of Manchester or those at other institutions? In what format will it be shared?
- How will the data be published? Will individuals be identifiable?
Retention/Storage
- How and where will the data be stored and archived?
- Will you use a central repository and make the data openly available?
- Will you be retaining contact details to provide them with a study summary or to invite them to take part in a future study?
Destruction
- When and how will the data be destroyed?
Specifying data protection
The detailed information that you include as part of your data management plan must be consistent with the information you provide participants in the information sheet and consent form. This will ensure that what you tell the University you are planning on doing with the data matches with what you tell participants you will do with their information and what they agree you are permitted to do with it.
Magic triangle of data protection
This triangulation of requirements is best described here as the Magic Triangle of Data Protection. It simply shows how for ethical purposes, the details of all three of these documents must match and the specific areas where these statements are usually misaligned.
The most important areas to cross check for consistency between your supporting documents are:
- Sharing the data with other researchers.
- Using the data in future research.
- Retaining contact details to provide participants with a study summary.
- Retaining contact details to invite participants to take part in future studies.
Confidentiality
When it comes to confidentiality, you have some important choices to make in terms of the data you have collected and what you will do to ensure that the identity and other detailed information about your participants is kept safe. Most researchers will either pseudonymise or anonymise their data sets to ensure that the confidentiality of their participants is protected when the information is published. Although these terms appear similar, there are some important differences that you need to note before deciding on which method is most appropriate for your study.
Pseudonymising
Pseudonymising refers to the process of removing identifying information from your data set (usually names) and providing each participant with a random ID number. A key is then created which lists the identifying information for each participant along with their corresponding ID so that individual contributions to the data set can be identified by the researcher in future. It is important that the key is stored in a separate location to the rest of the data.
Anonymising
Anonymising refers to the process of removing all identifying information from the data set such that no link remains to make it possible to identify a participant. You may find that simply removing the name is not sufficient to make the data truly non-identifiable and therefore you need to change the information (e.g. using pseudo names or fictitious details) or in the case of audio/video recordings, use voice masking software.
You also need to consider any circumstances which would mean that you need to break confidentiality (i.e. a participant reveals that they are at risk of harming themselves/others or they reveal something that requires reporting to the relevant authorities).
Should it be likely that there will be circumstances that arise during the course of the research, that would result in you needing to break confidentiality, you must provide details of this in the Participant Information Sheets and Consent form.
Not sure about Participant Information Sheets and consent forms? Take a look out our posts covering these topics, these are also linked below and again at the end of this post:
Knowledge check
Let’s take a look at what you have learned. Read the case study below and choose an option from the multiple choice question below it. You may choose more than one option.
You’re conducting a research study that involves a relatively small group of unique individuals. As part of your study you’re collecting a number of pieces of demographic information on the participants such as ethnicity, date of birth, gender, health information and sexual orientation. In order to protect their confidentiality, you have decided not to collect names with any of the demographic information but to instead use a unique identifier. This would make the demographic information anonymous and due to this, you feel as though UK GDPR doesn’t apply so don’t need to mention the legal basis for data processing.
Withdrawal of data
How you choose to manage confidentiality will have implications on the ability of your participants to request that their information is withdrawn from the study.
If you pseudonymise the data, you are always able to maintain a link between the participant and their data. You must therefore consider how you will handle any withdrawal requests that may arise. Ensure you make it clear in the information sheet and consent form when it will no longer be possible for a participant to request that their data is withdrawn from the dataset (i.e. point of publication or once your thesis is submitted).
If you anonymise the data, you won’t be able to withdraw data from a specific participant as you’re unable to identify their specific contributions. Ensure you make this clear in the information sheet and consent form and highlight the time period that is available before you will anonymise the information (e.g. two weeks after the interview). If data will be anonymised immediately upon collection ensure this is specifically mentioned.
Data sharing
If you have clarified in the information sheet and consent form that you would like to share research data with either researchers at University of Manchester or researchers at other institutions/organisations, you must provide additional details regarding your plans, including:
- What data will be shared? All of it or only selected portions?
- In what format will the data be shared? Raw? Pseudonymised? Anonymised?
- With whom will the data be shared?
- For what purpose will the data be shared? To inform future work? To enable additional analysis?
- Will the data be shared outside of the UK?
It’s important to note that sharing of data should always be an optional point on the consent form and if participants choose not to agree to this you must respect their decision.
Retention
You must also ensure that you clarify in the information sheet what data you will be retaining and for how long. You should follow the University’s Records Retention Schedule which outlines the minimum amount of time that specific pieces of information should be kept. When retaining information, you must follow the University’s guidelines and expectations regarding appropriate storage facilities and backing up of data.
As with data sharing, the retention of data for future studies or the retention of contact details should be optional requests for participants as opposed to mandatory requirements. Again, if they choose not to agree to one or both of these then the researcher must respect this decision and ensure the information is destroyed appropriately.
Summary
In this post we have explored what you need to know about data protection when conducting research with human participants, including confidentiality and withdrawal of data.
Alternatively go back to our ‘Managing and sharing data from human participants’ post and explore all the posts in this series.
