It falls upon me to cover the ‘hot topic’ of research data and GDPR (European privacy legislation) just before a cold winter holiday break. This makes me feel like the last speaker in a session that has overrun – ‘So, I’m the only thing between you and your lunch …’ But none of this changes the fact that the General Data Protection Legislation – codified into British Law by the UK Data Protection Act, 2018 – is a very important factor for researchers working with human subjects to take into account.
This is why the topic of GDPR and data protection arose out of the case studies project that my colleagues completed this summer. This blog post introduces the last in the series of these RDM case studies: Personal data: What does GDPR mean for your research data?
Dr. Niamh Moore talks about how research has evolved to take data protection and ethics into account, focusing on the time-honoured consent form, and the need to take “a more granular approach” to consent: subjects can grant their consent to be in a study, but also to have their data shared–in the form of interview transcripts, audio or video files, diaries, etc., and can choose which of these they consent to and which they do not.
Consent remains a key for working with human subjects ethically and legally, but at the University of Edinburgh and other HEIs, the legal basis for processing research data by academic staff may not be consent, it may simply be that research is the public task of the University. This shifts consent into the ethical column, while also ensuring fair, transparent, and lawful processing as part of GDPR principles.
I was invited to contribute to the video as well, from a service provider’s perspective because our Research Data Support team advises and trains researchers on working with personal and sensitive data. One of my messages was of reassurance, that actually researchers already follow ethical norms that put them in good stead for being compliant with the Law.
Indeed, this is a reason that the EU lawmakers were able to be convinced that certain derogations (exceptions) could be allowed for in “the processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes,” as long as appropriate safeguards are used.
Our short video brings out some examples, but we could not cover everything a researcher needs to know about the GDPR – the University of Edinburgh’s Data Protection Officer has written authoritative guidance on research and data protection legislation for our staff and students and has also created a research-specific resource on the LEARN platform. Our research data support team also offers face to face training on Working with Personal and Sensitive Data which has been updated for GDPR.
I have tried to summarise how researchers can comply with the GDPR/UK Data Protection Act, 2018 while making use of our Research Data Service in this new Quick Guide–Research Data Management and GDPR: Do’s and Don’ts. Comments are welcome on the usefulness and accuracy of this advice!
Robin Rice
Data Librarian and Head, Research Data Support
Library & University Collections