St George’s researchers will already be aware of the EU General Data Protection Regulation (GDPR) and the new UK Data Protection Bill, which will govern how we handle personal data after 25 May 2018. While we have learnt a lot about our obligations under the new regulations, researchers may not be clear about what these obligations mean for research. The SGUL Joint Research and Enterprise Services (JRES), Governance and Legal Assurance Services and the Research Data Management Service have come together to clear up a number of misconceptions about what the new regulations may mean for health and social care research. Read on!
It is not clear how the GDPR relates to health and social care research
GDPR has a broad scope beyond clinical research but does relate to all personal data which includes web search engines, social media, and much more. Specifically, data required in research (and the way it is managed) would be within its remit. Identifiers such as name, addresses, date of birth, and electronic medical numbers all constitute personal information. However, the GDPR expands the personal data definition to include information such as location information, genetic data and IP addresses. In sum, any data that could potentially be used to directly or indirectly identify a person is considered personal data. In addition, pseudonymised data will now be considered personal data and therefore governed by the GDPR.
We will have to change all of our research processes to meet the requirements of the GDPR
As many, including the Medical Research Council, have already acknowledged, the GDPR reiterates many of the key principles of good research practice when handling personal data. Research, particularly health research, is governed by very strict guidelines and many of the mechanisms currently in place for assuring good practice can provide the safeguards needed to comply with the GDPR, for example, our ethics procedures and data management plans already address many of the requirements for privacy impact assessments and privacy by design. What we need to ensure is that all of our research is included in these processes, not just our funded research.
The GDPR will stifle research innovation
The GDPR ensures that innovation in health research can continue, but with the appropriate safeguards for data subjects. The new Data Protection Bill (which will replace the current Data Protection Act 1998) is currently going through parliament. This will direct the way the GDPR is implemented within the UK and any specific exemptions or “derogations”. It is widely accepted, but yet to be confirmed, that clinical research will have a number of related derogations to ensure that we are able to carry on normally with the business of improving and transforming health.
The research community will not be able to re-use/re-purpose data for future research
We are aware that it is not always possible to know all the ways research data could be processed when we are collecting it. The legislation also recognises this. Article 6(4) allows for further processing of personal data beyond the purposes for which it was collected, as long as those operations are considered ‘compatible’ with the original purpose under which consent was given, for example, medical research.
Further, secondary processing of data not collected for research, can subsequently be used for research, as long as appropriate safeguards are met and the processing is in the public interest. This means we can continue to access health data to better understand and treat health conditions.
I am going to have to re-consent participants every few years if I want to continue to hold their personal data
Consent is not the lawful basis on which our researchers hold and process personal data. As a public authority, we will usually process personal data for health and social care research as a ‘task in the public interest’, as such your participants may not need to be re-consented under the GDPR. However, under GDPR you will need to ensure you have been lawful, fair and transparent about the personal data you have collected and how it is managed. It is important to understand what information has been provided to your participants already and does this meet the GDPR requirements for transparency and accountability. This may require updates to your participant information sheet, or the addition of an information leaflet. The Health Research Authority (HRA) is working on consistent templates and wording to support researchers and sponsors have confirmed, if required, this would be a non-substantial amendment, that is, one not requiring formal ethics approval.
Even though consent is not the legal basis for processing personal data for research, the common law duty of confidentiality is not changing, so consent is still needed for people outside the care team to access and use confidential patient information for research. Therefore, consent continues to be required to meet the high ethical and research governance expectations we place on our researchers.
How can I be fair and transparent?
Being fair and transparent with research participants means respecting their rights and wishes, and ensuring their personal data is used in line with their expectations. The GDPR requires that the information provided should be concise and easy to understand. If you want to retain information you should state the reason and allow the participant to make that judgement.
Organisations should also display corporate level privacy information about their research in locations where it will be noticed, for example links on website homepages and in waiting rooms. Linking this to your information sheets is a good way of ensuring participants are aware of our institutional role in research.
The JRES is working on updating template documents such as protocol templates and information sheets, to ensure appropriate guidance is provided and considered during the development of our research.
My funder expects me to make my data openly available at the end of my project, the GDPR will prevent me from doing this
The GDPR does not preclude data sharing, it only requires that data is shared responsibly and robustly. This has always been the case with data sharing. The GDPR only covers data that personally identifies a living person. Research that does not involve personal data is not covered under the GDPR and can be shared. The legislation also does not cover data that has been appropriately anonymised according to the ICO’s Anonymisation Code. This is what the ICO calls de-identified data for publication. There are also options to share de-identified data for limited disclosure or access. The ICO Anonymisation Code covers different forms of data publication and the Research Data Management Service is available to discuss your options.
A participant has requested to withdraw from the study but my data has already been anonymised and analysed; I have to start all over
In exceptional circumstances research participants are exempted from erasure if it is “likely to render impossible or seriously impair the achievement of the objectives of that processing” (Article 17(3)(d)). So you can continue to use this data in some circumstances. For data that has already been thoroughly anonymised, the GDPR does not apply.
The responsibility for GDPR compliance falls solely on project teams
The responsibility for compliance is corporate, that is, the organisation is accountable to the ICO, so it is important that researchers do not make decisions about legal compliance alone.
For St George’s University initiated research, we will usually be the data controller. This means we are responsible for outlining what data needs to be collected, why and how it is to be used/managed. For studies we collaborate in (where we are not the lead) we may be the data processor. In this instance, we are being directed on the data requirements and management.
If you are in doubt you should check as this is particularly important if a research participant asks you about their personal data rights.
We hope this post has helped you to get better acquainted with how the new legislation will affect our research activities. With regards to health and social care research, the GDPR maintains existing best practice and we should use this opportunity to evaluate our systems and procedures to ensure that we are indeed engaging in good practice.
Queries about the GDPR not covered here can be emailed to email@example.com.
If you are interested receiving updates from the Library on all things open access, open data and scholarly research communications, you can subscribe to the Library Blog using the Follow button or click here for further posts from us.