Research with human participants: your responsibilities under UK GDPR
In this post we will explore the six principles for data protection when conducting research with human participants.
Contents
Introduction
The UK General Data Protection Regulation along with the Data Protection Act 2018 concerns the collection of, holding, processing and using of information about individuals or more (‘personal data’).
The legislation balances the individual’s right to privacy with the legitimate interests of organisations wanting to process their personal data. UK GDPR gives extensive rights to individuals. When undertaking research with human participants it is important you understand what responsibilities you have in relation to how you collect, process and use your participants’ data.
Breaches of the UK GDPR may result in investigations by the Information Commissioners Office (ICO), potentially leading to significant fines, civil or criminal liability, adverse publicity and could damage your reputation as a researcher.
The six principles of Data Protection
Researchers must process all personal data in accordance with the following principles.
Personal data must:
- Be processed lawfully, fairly and in a transparent manner; (Lawful, fair and transparent).
- Be collected only for specified, explicit and legitimate purposes, and not be further processed in any manner incompatible with those; (Legitimate and limited purpose).
- Be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed; (Data minimisation).
- Be accurate and, where necessary, kept up-to-date; (Accurate and up to date).
- Not be kept as identifiable data for longer than necessary for the purposes concerned; (Storage limitation).
- Be processed securely (Integrity and confidentiality).
In the remainder of this post we will explore each principle in more detail.
1. Lawful, fair and transparent processing
This is an overriding objective of UK GDPR and when sufficiently met, it will help to ensure you meet the requirements for the other principles.
The processing of personal data must have a lawful basis (a legally acceptable reason for processing the data). There are six legal bases specified in the UK GDPR; the three that are important to understand from a research perspective are outlined below.
Research being a ‘Public interest task’ covers the majority of The University’s research work and likely be the most common legal basis for processing. It applies where the processing is necessary for the performance of a task carried out in the public interest. As a result, personal data can be processed without consent.
Consent as one of UK GDPR’s lawful bases for legally processing personal data is different to, and should not be confused with, consent that researchers usually seek from people to participate in a project. The need to seek consent from participants in research in order to satisfy ethical considerations is necessary, but it is separate from the requirement under the UK GDPR. You can learn more about participant consent in this post.
UK GDPR sets a very high standard for valid consent and it may be difficult to rely on consent as your basis for processing. Consent can be withdrawn by participants at any time, so if a research participant exercised this right, the research team would need to stop processing that individual’s data. The University would therefore, not usually recommend that researchers rely on consent as their lawful basis for processing.
As a public authority, The University cannot rely on legitimate interests for any processing it does to perform its public interest tasks. However, legitimate interests may be the appropriate legal basis where it is difficult to demonstrate that the research is necessary to meet a public interest. For example, because it is funded by a private company and is commercial in nature.
When processing special categories of data, for example personal data about health, ethnicity, political opinions, religious beliefs, etc., you must meet an additional legal basis for processing. In these cases, the most likely condition for researchers will be that such processing is ‘necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with safeguards’.
The fairness and transparency requirements give control to participants; they have greater awareness of how their data is being used and can object if they wish. ‘Fair’ processing requires researchers to consider how their use of personal data affects the interests of the individual concerned; if it’s likely to cause them detriment, you must consider whether it is justified.
When you are collecting personal data from individuals you must be clear, open and transparent with those individuals, by explaining what you intend to do with their data. For research this information is most often provided to data subjects in the form of a privacy notice or participant information sheet. Transparency information must be concise, easy to understand and easy to find.
Good research transparency should help participants understand that data is commonly linked with other data sources, kept for a long time, reused to address important research questions and how their interests are protected.
Privacy Notices for research participants (full version and a simplified version are available on the Ethics website). Links to them are also provided in the Participant Information Sheet templates.
You’ll need to choose the relevant one depending on the type of research you are doing.
2. Legitimate and limited purpose
This principle explains that personal data shall be collected only for specified, explicit and legitimate purposes, and not further processed in a manner incompatible with those purposes. Where you have obtained personal data for a specified purpose, you should not then be allowed to use it for other purposes (i.e., ‘further processing’) that are incompatible with that original purpose.
However, the UK GDPR states that the further processing of data for research purposes will be considered compatible with the original purpose for which the data was collected. In addition data collected for a non-research purpose may be reused for research purposes provided the necessary information is provided to the data subjects, and to do so before the further processing takes place.
3. Data Minimisation
This principle outlines the need for personal data collection to be adequate, relevant and limited to what is necessary for the intended purpose for which it is processed, i.e., collect only what you need to fulfil your research purpose.
This principle does not just apply to the amount of data you collect but who has access to it. This could apply to all aspects of the research work, e.g. consider whether all members of a research team and collaborators need access to the full data set, can anonymisation or pseudonymisation be utilised before sharing. Take a look at this post ‘Data protection considerations’ for further information.
4. Accurate and up to date
If data is not kept up to date and inaccuracies amended, it may no longer be relevant. However, the purpose of some research projects might be to create a point in time archive, where updating would defeat the purpose. In this case researchers do not need to keep the personal data up-to-date.
5. Storage limitation
This principle refers to not keeping personal data for longer than necessary for the purposes concerned. The UK GDPR does not specify how long personal data should be held for, although a specific retention period may be required by a research funder or sponsor, or as a result of regulatory or policy considerations. If this is the case, ensure it is included in your Data Management Plan. In all cases the research participants should be told about the likely retention period. The University of Manchester Records Retention Schedule can be accessed here.
6. Integrity and Confidentiality
Personal data must be processed securely; information security breaches may cause serious harm or distress to individuals, cause embarrassment or be highly inconvenient. Individuals are entitled to be protected from all forms of security breach which requires researchers to ensure they are using appropriate ‘technical and organisational measures’ to gather, process and store personal data.
Depending on the nature of the research and associated risks, researchers should consider the technology to be used and liaise with Research IT and or Information Governance teams as appropriate.
Summary
In this post we explored the six Data Protection principles for dealing with personal data and your responsibilities as a researcher to adhere to UK GDPR.
If you haven't already we recommend you also take the time at look at this post: ‘Data Protection law: Handling research data from human participants’ which explores the wider context of UK Data Protection law in relation to research.
Several posts related to this topic are linked in the further support section below.
Further support
Resources
- Find out how the data protection principles apply to research
- Participant engagement and consent
- Data Protection considerations
- My Research Essentials webpages
Key webpages and contacts
Thank you to our contributors
These resources were created in partnership with University of Manchester’s Information Governance team. Special thanks to Liz Skae, Alex Daybank and Laurence Malbeaux who wrote and advised on the content.
