Research and Finance Office

Department of Engineering

GDPR for researchers

Brief overview of data protection legislation for researchers

Data protection legislation sets out rules and standards for the use and handling ('processing') of information ('personal data') about living identifiable individuals ('data subjects') by organisations ('data controllers').

From 25 May 2018, this legislation will be the EU General Data Protection Regulation (GDPR), coupled with a new Data Protection Act that supplements the GDPR in specific ways and which is currently being debated by the UK Parliament.

Principles

Under the GDPR, there are six principles. Personal data must be processed in accordance with these principles, so that the data are:

  1. Processed fairly, lawfully and transparently - and only if there is a valid 'legal basis' for doing so
  2. Processed only for specified, explicit and legitimate purposes
  3. Adequate, relevant and limited
  4. Accurate (and rectified if inaccurate)
  5. Not kept for longer than necessary
  6. Processed securely - to preserve the confidentiality, integrity and availability of the personal data

Depending on the context, there are full or partial exemptions from the principles when processing personal data for specific purposes, including academic research.

What the exemptions mean in practice: research exemptions

In practice, most types of academic research at the University that fall under the research exemptions can largely continue as they have been doing. But there are some important changes to highlight, as follows:

(a) Researchers will need to identify the appropriate legal basis for data processing for their project in order to meet the lawfulness part of the principle in 3(a)(i) below. In almost all cases, the recommended legal basis for normal personal data is that the data processing is necessary for the performance of a task carried out in the public interest, and the recommended legal basis for special category (sensitive) personal data is that the processing is necessary for scientific or historical research purposes in the public interest. The recommended legal basis for data processing is not consent (or explicit consent), even when you are collecting consent from research participants for ethical reasons.

(b) Researchers will need adequate data management plans/arrangements in order to meet the other data handling and security principles in 3(a)(iii), (iv) and (vi) below.

(c) Researchers will need to ensure that the information they supply to research participants about how their personal data will be used in the project covers all the topics required in order to fulfil the right in 3(b)(i) below. Further guidance on this is forthcoming, but in essence the University has published a generic statement for research participants which covers all of the static headings, meaning that participant information forms (or equivalent project documentation) need only cover those topics that necessarily differ from project to project. There is a partial exemption from the supply of this information if you have not collected the personal data from the data subjects themselves, and if supplying the information would be impossible or would involve disproportionate effort (e.g. you have no or very limited contact details). In such circumstances you should endeavour to make the relevant information publicly available (e.g. on a website).

(d) Ethical reviews for high risk research projects will continue to be required. Researchers may need to be prepared to answer more questions about the data protection aspects of their work during these processes in order to fulfil some of the accountability requirements in 3(c)(iv) and (vi) below.

Freedom of expression exemptions

In practice, most types of academic research at the University that fall under the freedom of expression exemptions can continue as at present. The key aspects of the GDPR simply do not apply: there is no need to follow the principles, to identify a legal basis for processing, to tell the data subjects about the processing, or to respond to their rights requests. While many of the accountability requirements apply in theory, the most likely practical impact will be the need for ethical review of high risk research projects in order to meet the DPIA requirements (see 3(c)(vi) below: carrying out Data Protection Impact Assessments (DPIAs) on high risk processing activities), but such research projects are likely to be subject to a comparable ethical review under current procedures in any case.

General Principles (excerpt)

3. The default duties may be summarised as follows:

(a) Following the data protection principles, so that personal data are:

(i) Processed (i.e. collected, handled, stored, disclosed and destroyed) fairly, lawfully and transparently. As part of this, the data controller needs to identify a valid legal basis for processing an individual's personal data (e.g. they have consented to the processing, or the processing is necessary to operate a contract with them, or the processing is necessary for the performance of a task carried out in the public interest).

(iii) Adequate, relevant and limited

(iv) Accurate (and rectified if inaccurate)

(vi) Processed securely

(b) Respecting an individual's rights, as follows:

(i) The right to be informed of how their personal data are being used. This right is usually fulfilled by the provision of privacy notices (also known as data protection statements), which set out how an organisation plans to use an individual's personal data, who it will be shared with, ways to complain, and numerous other prescribed topics.

(c) Implementing various accountability requirements, in particular:

(iv) Maintaining records of the data processing that is carried out across the organisation.

(vi) Carrying out Data Protection Impact Assessments (DPIAs) on high risk processing activities.

Guidance and training

More detailed guidance for University staff on data protection is published:

- In the short Data Protection Quick Guide leaflet

- On the guidance pages of this website, where there are also links to sources of additional guidance provided by other parts of the University

- On the current standalone GDPR page of this website, which in time will be merged into the main guidance pages

Data protection training for University staff is available:

- Through an online course

- Through a face-to-face course that is run regularly throughout the year