Docsity
Docsity

Prepare for your exams
Prepare for your exams

Study with the several resources on Docsity


Earn points to download
Earn points to download

Earn points by helping other students or get them with a premium plan


Guidelines and tips
Guidelines and tips

SGREP-Anonymity-Confidentiality-DataProtection.pdf, Schemes and Mind Maps of Ethics

PRINCIPLES OF ANONYMITY, CONFIDENTIALITY AND DATA PROTECTION. Note: This guidance document aims to develop further the information relating to anonymity,.

Typology: Schemes and Mind Maps

2021/2022

Uploaded on 09/12/2022

anandamayi
anandamayi 🇺🇸

4.2

(9)

250 documents

1 / 9

Toggle sidebar

This page cannot be seen from the preview

Don't miss anything!

bg1
UREC September 2019
Specialist Research Ethics Guidance Paper
PRINCIPLES OF ANONYMITY, CONFIDENTIALITY AND DATA PROTECTION
Note: This guidance document aims to develop further the information relating to anonymity,
confidentiality and data protection that is covered in the University’s ‘Ethics Policy Governing
Research Involving Human Participants, Personal Data and Human Tissue’, and provides
signposting to guidance from useful external sources
In summary:
If you are processing (i.e. collecting, storing, using, disclosing or destroying) identifiable
personal information about living individuals, then you should ensure that you comply with the
requirements of the General Data Protection Regulation (GDPR), the UK Data Protection Act
2018, and the Common Law Duty of Confidentiality (staff and students working at the
International Faculty in Greece will need to ensure that any relevant local data protection
regulation is met in addition to the GDPR).
If you are processing (i.e. collecting, storing, using, disclosing or destroying) identifiable
personal information about deceased individuals, then you should ensure that yo u comply with
the requirements of the Common Law Duty of Confidentiality. You should also be aware of the
possibility of living individuals (e.g. relatives of the deceased) being identified in this
information, which would then need to be treated in line with the relevant data protection
legislation as stated in the previous paragraph.
If you are processing (i.e. collecting, storing, using, disclosing or destroying) anonymised
personal information, whether relating to the living or the deceased, then your research
activity falls outside the scope of these guidelines.
The use of identifiable personal information in research should be reduced so far as possible.
You should think carefully about how it may be possible to use less identifiable data (e.g. rather
than collecting full date of birth, would it be sufficient to collect only ‘month and year’? Is it
necessary to collect, or retain, the full post-code?). All processing of personal information
should be defensible as both relevant and accurate.
If it is necessary to use identifiable personal information, you should aim at all times to ensure
that the processing is defensible as both ‘fair, lawful and transparent’. This requires you to be
as transparent as possible about the uses to which data will be put and any risks involved. The
data subject (i.e., the individual whose data are being processed) should be fully informed
about how and why their data will be processed, including the legal basis for the processing
(for most research this will be ‘a task in the public interest’; additional conditions apply to
Special Categories of personal data). You should usually only use identifiable personal
information with the consent of the data subject. It may be possible to use such data without
consent, providing consent is not being used as the legal basis for the processing (e.g. in the
case of research involving large datasets obtained from social media, where it may be
infeasible to seek informed consent from all individuals concerned); however, consent is to be
preferred unless it can be shown to be inappropriate for some reason.
You should ensure that personal information is kept secure at all times. The level of security
should be proportionate to the risks but all personal information should be kept securely.
pf3
pf4
pf5
pf8
pf9

Partial preview of the text

Download SGREP-Anonymity-Confidentiality-DataProtection.pdf and more Schemes and Mind Maps Ethics in PDF only on Docsity!

Specialist Research Ethics Guidance Paper

PRINCIPLES OF ANONYMITY, CONFIDENTIALITY AND DATA PROTECTION

Note: This guidance document aims to develop further the information relating to anonymity, confidentiality and data protection that is covered in the University’s ‘Ethics Policy Governing Research Involving Human Participants, Personal Data and Human Tissue’, and provides signposting to guidance from useful external sources

In summary: If you are processing (i.e. collecting, storing, using, disclosing or destroying) identifiable personal information about living individuals, then you should ensure that you comply with the requirements of the General Data Protection Regulation (GDPR), the UK Data Protection Act 2018, and the Common Law Duty of Confidentiality (staff and students working at the International Faculty in Greece will need to ensure that any relevant local data protection regulation is met in addition to the GDPR).

If you are processing (i.e. collecting, storing, using, disclosing or destroying) identifiable personal information about deceased individuals, then you should ensure that you comply with the requirements of the Common Law Duty of Confidentiality. You should also be aware of the possibility of living individuals (e.g. relatives of the deceased) being identified in this information, which would then need to be treated in line with the relevant data protection legislation as stated in the previous paragraph.

If you are processing (i.e. collecting, storing, using, disclosing or destroying) anonymised personal information, whether relating to the living or the deceased, then your research activity falls outside the scope of these guidelines.

The use of identifiable personal information in research should be reduced so far as possible. You should think carefully about how it may be possible to use less identifiable data (e.g. rather than collecting full date of birth, would it be sufficient to collect only ‘month and year’? Is it necessary to collect, or retain, the full post-code?). All processing of personal information should be defensible as both relevant and accurate.

If it is necessary to use identifiable personal information, you should aim at all times to ensure that the processing is defensible as both ‘fair, lawful and transparent’. This requires you to be as transparent as possible about the uses to which data will be put and any risks involved. The data subject (i.e., the individual whose data are being processed) should be fully informed about how and why their data will be processed, including the legal basis for the processing (for most research this will be ‘a task in the public interest’; additional conditions apply to Special Categories of personal data). You should usually only use identifiable personal information with the consent of the data subject. It may be possible to use such data without consent, providing consent is not being used as the legal basis for the processing (e.g. in the case of research involving large datasets obtained from social media, where it may be infeasible to seek informed consent from all individuals concerned); however, consent is to be preferred unless it can be shown to be inappropriate for some reason.

You should ensure that personal information is kept secure at all times. The level of security should be proportionate to the risks but all personal information should be kept securely.

You should not keep personal information for longer than necessary; however, it is recognised that (as long as relevant conditions are satisfied) research may require the retention of data for long periods and this may be justified (e.g. to meet legal or funder requirements).

You should avoid disclosing identifiable information, including information that may be identifiable to others, wherever possible. If it is necessary to disclose personally identifiable information, or information that may be potentially identifiable, then this should usually only be done with the consent of the individual/s involved.

1. Introduction

A researcher who processes (i.e. collects, stores, uses, discloses or destroys) identifiable personal information - as defined in the box below - about living individuals, must comply with the requirements of the relevant data protection legislation, and the Common Law Duty of Confidentiality.

A researcher who processes identifiable personal information about deceased individuals, must still consider the requirements of the Common Law Duty of Confidentiality. Individuals have a reasonable expectation of privacy with respect to confidential information that refers to them. Any use of such confidential information that exceeds that which an ordinary person could reasonably be said to expect constitutes a breach of confidentiality. In addition, researchers should be aware of the possibility of living individuals (e.g. relatives of the deceased) being identified in this information, which would then need to be treated in line with the relevant data protection legislation as stated in the previous paragraph.

The relevant data protection legislation in the EU (including the UK) is the GDPR, and it is expected that the requirements of the GDPR will continue to apply in the UK after it leaves the EU. In the UK, the Data Protection Act 2018 also applies. Staff and students working at the International Faculty in Greece need to ensure that they comply with any relevant local data protection regulation in addition to the GDPR.

The legislation emphasises the rights of the individual whose data are being processed (the ‘data subject’), but also incorporates a range of exemptions from these rights when processing data for research purposes.

For example, the normal rights (for research participants) to access their data, to rectify it, to restrict or object to its processing, are not available if exercising these rights would prevent or seriously impair the achievement of the research purpose, and as long as the processing is not likely to cause substantial damage or substantial distress to an individual.

There are also exemptions from the right for participants to be informed where personal data is collected indirectly (e.g. from posts made via social media). Again, this exemption should only be applied if exercising this right would prevent or seriously impair the achievement of the research purpose, and as long as the processing is not likely to cause substantial damage or substantial distress to an individual.

For more guidance, refer to the Information Commissioner’s Office (ICO) guidance on exemptions: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the- general-data-protection-regulation-gdpr/exemptions/.

2. Identifying an appropriate legal/lawful basis for the processing of personal data

If it is necessary to use identifiable personal data, then an appropriate legal basis for the processing of this data must be identified, and researchers must be explicit about this and document it as part of their ethics application, and in the information they provide to participants.

Article 6 of the GDPR sets out six possible legal bases for processing of data that does not include ‘Special Categories’ (these are discussed later in this document and have additional requirements). At least one of these legal bases must apply whenever personal data is collected and used as part of a research project.

The University’s view is that, for the vast majority of research undertaken at the University, the appropriate legal basis will be:

6(e) Public interest: the processing is necessary for you to perform a task in the public interest or for your official functions.

Further details are set out in the University’s Privacy Notice, and a link to this can be included in the information that is provided to participants: https://www.sheffield.ac.uk/govern/data- protection/privacy/general. Other legal bases are available and may apply to other aspects of University business, but are unlikely to apply for research purposes. If you feel that the research you are undertaking cannot be justified as being ‘a task in the public interest’, please contact the University Research Ethics Committee for further guidance.

Although the legal basis for processing a person’s data is most likely to be ‘a task in the public interest’ rather than ‘consent’, from an ethical perspective, obtaining a person’s informed consent for their involvement in the research is still likely to be required, unless it can be shown to be inappropriate for some reason (e.g. if the material is already in the public domain, for example). If a researcher intends to process data without informed consent, then further advice should be sought from the University Research Ethics Committee.

Further guidance on legal bases is provided on the ICO’s webpages: https://ico.org.uk/for- organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation- gdpr/lawful-basis-for-processing/?q=anonymisation.

3. Data Protection Safeguards

‘Safeguards’ are measures to protect the rights and freedoms of individuals whose personal data you are processing. Under the GDPR there is a strong emphasis on implementing safeguards for research. In practical terms, this means giving careful consideration to:

  • Only collecting personal data where it is necessary for the research purpose (known as ‘data minimisation’);
  • Ensuring that data are pseudonymised or anonymised wherever possible and as early as possible;

• Ensuring appropriate arrangements are in place for security and storage

of data, proportionate to the risks inherent in the nature of the data e.g. portable devices must be encrypted.

For processing of ‘Special Category’ personal data, additional safeguards will be required: Further information about this can be found in section 6 of this document: ‘Research involving ‘Special Categories’ of personal data’.

It should be noted that safeguards will not be sufficient if the processing is likely to cause substantial damage or distress to an individual. In addition, the GDPR states that safeguards will not be sufficient if the processing is carried out for the purpose of measures or decisions with respect to a particular data subject, except for approved medical research (i.e. approved via the Health Research Authority, NHS research ethics committee, etc.).

More guidance on safeguards can be found in the Health Research Authority’s guidance: https://www.hra.nhs.uk/planning-and-improving-research/policies-standards- legislation/data-protection-and-information-governance/gdpr-detailed- guidance/safeguards/, and in the Medical Research Council’s Guidance Note 5: https://mrc.ukri.org/documents/pdf/gdpr-guidance-note-5-identifiability-anonymisation- and-pseudonymisation/.

4. The right to be informed

When gathering identifiable personal data researchers should aim at all times to ensure that its processing is defensible as ‘fair, lawful and undertaken in a transparent manner’. This requires that the participant be provided with appropriate information about the uses to which data will be put and any risks that might be involved. This information must be:

  • Concise, transparent, intelligible
  • Provided in easily accessible form, using clear, plain language
  • Prepared in consideration of the needs of the audience e.g. information addressed specifically to a child
  • Provided by an appropriate means (e.g. in writing, electronically, orally)

Under the GDPR, this information should specifically cover the legal basis that is being applied in order to process someone’s personal data. In many contexts, taking into account the language and literacy of potential participants, a fact-sheet (often referred to as a participant information sheet) is a useful and documented means of providing this information. However, a ‘layered’ approach to providing this information may be useful (e.g. utilising webpages, posters, leaflets or newsletters as well as information sheets).

Taken together, the information provided should normally include:

  • the nature and purpose of the project;
  • the legal basis for the collection and use of the participants’ data (and the additional condition(s) required for processing of ‘Special Categories’ of data, if required);
  • the research methods to be employed by the project;
  • full explanation of any technical terms used;
  • the conditions under which the project will be conducted;
  • who is undertaking and who is sponsoring the project (i.e. the details of the ‘Data Controller’, the research team, the funder and/or the research governance sponsor if applicable);
  • the potential risks and inconveniences that may arise;
  • the potential benefits that may result;
  • what participation in the research will require in practice and what data will be collected;

9(2)(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

In order for this condition to be relied upon, it must be justifiable that this processing is in the public interest, must not cause substantial damage or distress to the data subject, and appropriate safeguards must be in place (e.g. processes to ensure data security - see section 3 of this document for details of safeguards). The University’s view is that the information provided in an ethics application (e.g. concerning the aims and objectives of the research), and the assessment of this via the process of ethical review, will meet the researcher’s obligations in respect of the need to justify that the research is in the public interest.

Other conditions which may apply in certain circumstances (researchers should contact the University Research Ethics Committee for advice if they wish to rely on these) are:

9(2)(a) the data subject has given explicit consent to the processing of the personal data for one or more specified purposes (ONLY TO BE USED IF NO OTHER CONDITION IS POSSIBLE – MORE STRINGENT CONSENT REQUIREMENTS WILL APPLY);

9(2)(e) processing relates to personal data which are manifestly made public by the data subject (this may apply when using certain social media data, for example);

9(2)(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices.

Researchers who need to process Special Category personal data as part of their projects must explicitly state which legal basis AND which condition they are relying on, as part of their ethics application, and in the information they supply to participants.

6. Re-using personal data for a different purpose & sharing with third parties

If a researcher wishes to re-use personal data that were collected for a particular purpose (e.g. a specific research project) for a new purpose (e.g. a new research project), and the data subject was not informed of this as part of the original informed consent procedures, then the researcher would be required to contact the data subject to inform them of this BEFORE the new processing commenced. If the data from the original project had already been fully anonymised before use in the second project, it would no longer constitute personal data and would therefore no longer be subject to data protection legislation and the data subject would not need to be contacted about the re-use of their data.

Where personal data is to be used by a researcher but they have NOT obtained the data directly from the data subject, the original data controller supplying the data must have informed the data subject of relevant information relating to this new processing. However, the receiving data controller should check that the providing data controller has met their obligations in this regard, and it is also good practice for the receiving data controller to provide relevant study-level information to the data subject.

Guidance on the relevant information that should be provided to the data subject in these circumstances, and the appropriate time frames for providing this information, are provided in the Health Research Authority’s guidance on transparency: https://www.hra.nhs.uk/planning-and-improving-research/policies-standards-

legislation/data-protection-and-information-governance/gdpr-guidance/what-you-need- do/transparency/.

In some circumstances, where personal data has NOT been obtained directly from the data subject, then the requirement to provide information to the data subject does not apply. This is where:

  • Data has been pseudonymised and the new research activity is conducted without using identifiable data AND
  • The provision of information would be impossible or involve a disproportionate effort (taking into consideration the number of participants, the age of the data, etc.) OR
  • The provision of information would render impossible or seriously impair the objectives of the research.

Such a decision should be documented as part of the ethics review procedure, and appropriate safeguards should be in put place. Where information is not provided to the data subjects due to the above exemptions, the information should instead be made publicly available (e.g. via a study webpage).

7. Common Law Duty of Confidentiality

The Common Law Duty of Confidentiality applies to research involving confidential personal information. Under the law of confidentiality, it is recognised that individuals have a reasonable expectation of privacy in relation to confidential information: any use of confidential information that exceeds that which an ordinary person could reasonably be said to expect will constitute a breach of confidence.

Information will be considered confidential if an individual could be understood to have an objective reasonable expectation that the information will, in the circumstances, be kept private.

The easiest way to affect an individual’s reasonable expectations is by explaining clearly what will happen with their personal information. Minimally, it should be made clear who will have access to their data, for what purpose(s), and for how long. Special considerations apply, and further specific advice should be sought, if considering seeking consent from children (0-18), from vulnerable persons with capacity to consent, and vulnerable persons without capacity to consent. Further information about these issues can be found in Research Ethics Policy Note no.2 ‘Principles of Consent’: https://www.sheffield.ac.uk/polopoly_fs/1.112749!/file/Research-Ethics-Policy-Note-2.pdf

If the intention is to use confidential information for a research purpose, then that should be clearly explained to an individual and their consent, either express or implied, sought for such use.

It should also be made clear to an individual that, wherever possible, there is an ongoing entitlement to withdraw consent to the processing of data for specific purposes. It may not always be possible to grant participants the entitlement to withdraw – for example if data have been anonymised, once publication has taken place, if participatory research processes mean