The Data Protection Act (2018) (and the UK General Data Protection Regulation, which is part of the Act) makes clear that anyone obtaining and using ‘Personal Data’ on behalf of an organisation (such as ARU) needs to comply with the law. Where data used in research can identify individuals, the law therefore applies.
As part of the University’s Ethical Approval process for taught and staff research projects, applicants must have reviewed the University’s guidance on Data Protection compliance and confirmed that their project adheres to this guidance.
This guidance is designed to help applicants think through how their research project will best comply with the law, and this will help them to decide whether they can confidently ‘declare’ that their project will comply with the law on the Ethics Approval application form.
Compliance statements cover the following areas:
- Being Open: This requires researchers to use a Participation Information Sheet which directs them to provide necessary information to participants.
- Selecting: Guiding researchers to make appropriate use of any data to which they have access when selecting research participants.
- The Data: Ensuring researchers have appropriately considered whether there is a need to collect any identifiable data about individuals, and if so, to ensure it is only that which is necessary to the research. Researchers are provided with guidance on anonymization and pseudonymization considerations.
- Protecting Data: Researchers are presented with essential measures to secure their research data, which includes issues such as device security, removable storage, use of ARU-provided storage and communication tools, management of digital and hard-copy data when stored or in transit and appropriate methods of secure disposal. As our students come to us from across the globe and some of their research takes place outside the UK, we ask them to consider the complexities of different privacy jurisdictions and the obligations under UK law of processing personal data in other jurisdictions.
- If something goes wrong: We make our researchers aware of our data breach process, identify the types of data breach relevant to research activity and how best to take prompt action to mitigate against harm as a result of an incident involving personal data.
- Working with Partners: We ask researchers to consider their involvement with other organisations when conducting research and to identify the various Controller or Processor roles. We provide a range of Agreement templates to ensure the correct privacy obligations are appropriately documented in support of these arrangements.
- Retention: We ask researchers to consider how long they will keep personal data, encouraging the deletion or de-identification of personal data at the earliest opportunity in the project, or to understand and justify retention for the duration of or beyond the completion of the project.
Where research may involve the processing of Special Category data, the Ethics Approval process prompts researchers to consider further statements ensuring the full consideration of any processing that may meet the criteria for a statutory Data Protection Impact Assessment. This can involve the Data Protection Officer where appropriate mitigating measures are not identified, and the DPO’s commentary will support the decisions of our Ethics Approval boards.