





Study with the several resources on Docsity
Earn points by helping other students or get them with a premium plan
Prepare for your exams
Study with the several resources on Docsity
Earn points to download
Earn points by helping other students or get them with a premium plan
Community
Ask the community for help and clear up your study doubts
Discover the best universities in your country according to Docsity users
Free resources
Download our free guides on studying techniques, anxiety management strategies, and thesis advice from Docsity tutors
PRINCIPLES OF ANONYMITY, CONFIDENTIALITY AND DATA PROTECTION. Note: This guidance document aims to develop further the information relating to anonymity,.
Typology: Schemes and Mind Maps
1 / 9
This page cannot be seen from the preview
Don't miss anything!
Specialist Research Ethics Guidance Paper
PRINCIPLES OF ANONYMITY, CONFIDENTIALITY AND DATA PROTECTION
Note: This guidance document aims to develop further the information relating to anonymity, confidentiality and data protection that is covered in the University’s ‘Ethics Policy Governing Research Involving Human Participants, Personal Data and Human Tissue’, and provides signposting to guidance from useful external sources
In summary: If you are processing (i.e. collecting, storing, using, disclosing or destroying) identifiable personal information about living individuals, then you should ensure that you comply with the requirements of the General Data Protection Regulation (GDPR), the UK Data Protection Act 2018, and the Common Law Duty of Confidentiality (staff and students working at the International Faculty in Greece will need to ensure that any relevant local data protection regulation is met in addition to the GDPR).
If you are processing (i.e. collecting, storing, using, disclosing or destroying) identifiable personal information about deceased individuals, then you should ensure that you comply with the requirements of the Common Law Duty of Confidentiality. You should also be aware of the possibility of living individuals (e.g. relatives of the deceased) being identified in this information, which would then need to be treated in line with the relevant data protection legislation as stated in the previous paragraph.
If you are processing (i.e. collecting, storing, using, disclosing or destroying) anonymised personal information, whether relating to the living or the deceased, then your research activity falls outside the scope of these guidelines.
The use of identifiable personal information in research should be reduced so far as possible. You should think carefully about how it may be possible to use less identifiable data (e.g. rather than collecting full date of birth, would it be sufficient to collect only ‘month and year’? Is it necessary to collect, or retain, the full post-code?). All processing of personal information should be defensible as both relevant and accurate.
If it is necessary to use identifiable personal information, you should aim at all times to ensure that the processing is defensible as both ‘fair, lawful and transparent’. This requires you to be as transparent as possible about the uses to which data will be put and any risks involved. The data subject (i.e., the individual whose data are being processed) should be fully informed about how and why their data will be processed, including the legal basis for the processing (for most research this will be ‘a task in the public interest’; additional conditions apply to Special Categories of personal data). You should usually only use identifiable personal information with the consent of the data subject. It may be possible to use such data without consent, providing consent is not being used as the legal basis for the processing (e.g. in the case of research involving large datasets obtained from social media, where it may be infeasible to seek informed consent from all individuals concerned); however, consent is to be preferred unless it can be shown to be inappropriate for some reason.
You should ensure that personal information is kept secure at all times. The level of security should be proportionate to the risks but all personal information should be kept securely.
You should not keep personal information for longer than necessary; however, it is recognised that (as long as relevant conditions are satisfied) research may require the retention of data for long periods and this may be justified (e.g. to meet legal or funder requirements).
You should avoid disclosing identifiable information, including information that may be identifiable to others, wherever possible. If it is necessary to disclose personally identifiable information, or information that may be potentially identifiable, then this should usually only be done with the consent of the individual/s involved.
1. Introduction
A researcher who processes (i.e. collects, stores, uses, discloses or destroys) identifiable personal information - as defined in the box below - about living individuals, must comply with the requirements of the relevant data protection legislation, and the Common Law Duty of Confidentiality.
A researcher who processes identifiable personal information about deceased individuals, must still consider the requirements of the Common Law Duty of Confidentiality. Individuals have a reasonable expectation of privacy with respect to confidential information that refers to them. Any use of such confidential information that exceeds that which an ordinary person could reasonably be said to expect constitutes a breach of confidentiality. In addition, researchers should be aware of the possibility of living individuals (e.g. relatives of the deceased) being identified in this information, which would then need to be treated in line with the relevant data protection legislation as stated in the previous paragraph.
The relevant data protection legislation in the EU (including the UK) is the GDPR, and it is expected that the requirements of the GDPR will continue to apply in the UK after it leaves the EU. In the UK, the Data Protection Act 2018 also applies. Staff and students working at the International Faculty in Greece need to ensure that they comply with any relevant local data protection regulation in addition to the GDPR.
The legislation emphasises the rights of the individual whose data are being processed (the ‘data subject’), but also incorporates a range of exemptions from these rights when processing data for research purposes.
For example, the normal rights (for research participants) to access their data, to rectify it, to restrict or object to its processing, are not available if exercising these rights would prevent or seriously impair the achievement of the research purpose, and as long as the processing is not likely to cause substantial damage or substantial distress to an individual.
There are also exemptions from the right for participants to be informed where personal data is collected indirectly (e.g. from posts made via social media). Again, this exemption should only be applied if exercising this right would prevent or seriously impair the achievement of the research purpose, and as long as the processing is not likely to cause substantial damage or substantial distress to an individual.
For more guidance, refer to the Information Commissioner’s Office (ICO) guidance on exemptions: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the- general-data-protection-regulation-gdpr/exemptions/.
2. Identifying an appropriate legal/lawful basis for the processing of personal data
If it is necessary to use identifiable personal data, then an appropriate legal basis for the processing of this data must be identified, and researchers must be explicit about this and document it as part of their ethics application, and in the information they provide to participants.
Article 6 of the GDPR sets out six possible legal bases for processing of data that does not include ‘Special Categories’ (these are discussed later in this document and have additional requirements). At least one of these legal bases must apply whenever personal data is collected and used as part of a research project.
The University’s view is that, for the vast majority of research undertaken at the University, the appropriate legal basis will be:
6(e) Public interest: the processing is necessary for you to perform a task in the public interest or for your official functions.
Further details are set out in the University’s Privacy Notice, and a link to this can be included in the information that is provided to participants: https://www.sheffield.ac.uk/govern/data- protection/privacy/general. Other legal bases are available and may apply to other aspects of University business, but are unlikely to apply for research purposes. If you feel that the research you are undertaking cannot be justified as being ‘a task in the public interest’, please contact the University Research Ethics Committee for further guidance.
Although the legal basis for processing a person’s data is most likely to be ‘a task in the public interest’ rather than ‘consent’, from an ethical perspective, obtaining a person’s informed consent for their involvement in the research is still likely to be required, unless it can be shown to be inappropriate for some reason (e.g. if the material is already in the public domain, for example). If a researcher intends to process data without informed consent, then further advice should be sought from the University Research Ethics Committee.
Further guidance on legal bases is provided on the ICO’s webpages: https://ico.org.uk/for- organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation- gdpr/lawful-basis-for-processing/?q=anonymisation.
3. Data Protection Safeguards
‘Safeguards’ are measures to protect the rights and freedoms of individuals whose personal data you are processing. Under the GDPR there is a strong emphasis on implementing safeguards for research. In practical terms, this means giving careful consideration to:
of data, proportionate to the risks inherent in the nature of the data e.g. portable devices must be encrypted.
For processing of ‘Special Category’ personal data, additional safeguards will be required: Further information about this can be found in section 6 of this document: ‘Research involving ‘Special Categories’ of personal data’.
It should be noted that safeguards will not be sufficient if the processing is likely to cause substantial damage or distress to an individual. In addition, the GDPR states that safeguards will not be sufficient if the processing is carried out for the purpose of measures or decisions with respect to a particular data subject, except for approved medical research (i.e. approved via the Health Research Authority, NHS research ethics committee, etc.).
More guidance on safeguards can be found in the Health Research Authority’s guidance: https://www.hra.nhs.uk/planning-and-improving-research/policies-standards- legislation/data-protection-and-information-governance/gdpr-detailed- guidance/safeguards/, and in the Medical Research Council’s Guidance Note 5: https://mrc.ukri.org/documents/pdf/gdpr-guidance-note-5-identifiability-anonymisation- and-pseudonymisation/.
4. The right to be informed
When gathering identifiable personal data researchers should aim at all times to ensure that its processing is defensible as ‘fair, lawful and undertaken in a transparent manner’. This requires that the participant be provided with appropriate information about the uses to which data will be put and any risks that might be involved. This information must be:
Under the GDPR, this information should specifically cover the legal basis that is being applied in order to process someone’s personal data. In many contexts, taking into account the language and literacy of potential participants, a fact-sheet (often referred to as a participant information sheet) is a useful and documented means of providing this information. However, a ‘layered’ approach to providing this information may be useful (e.g. utilising webpages, posters, leaflets or newsletters as well as information sheets).
Taken together, the information provided should normally include:
9(2)(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
In order for this condition to be relied upon, it must be justifiable that this processing is in the public interest, must not cause substantial damage or distress to the data subject, and appropriate safeguards must be in place (e.g. processes to ensure data security - see section 3 of this document for details of safeguards). The University’s view is that the information provided in an ethics application (e.g. concerning the aims and objectives of the research), and the assessment of this via the process of ethical review, will meet the researcher’s obligations in respect of the need to justify that the research is in the public interest.
Other conditions which may apply in certain circumstances (researchers should contact the University Research Ethics Committee for advice if they wish to rely on these) are:
9(2)(a) the data subject has given explicit consent to the processing of the personal data for one or more specified purposes (ONLY TO BE USED IF NO OTHER CONDITION IS POSSIBLE – MORE STRINGENT CONSENT REQUIREMENTS WILL APPLY);
9(2)(e) processing relates to personal data which are manifestly made public by the data subject (this may apply when using certain social media data, for example);
9(2)(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices.
Researchers who need to process Special Category personal data as part of their projects must explicitly state which legal basis AND which condition they are relying on, as part of their ethics application, and in the information they supply to participants.
6. Re-using personal data for a different purpose & sharing with third parties
If a researcher wishes to re-use personal data that were collected for a particular purpose (e.g. a specific research project) for a new purpose (e.g. a new research project), and the data subject was not informed of this as part of the original informed consent procedures, then the researcher would be required to contact the data subject to inform them of this BEFORE the new processing commenced. If the data from the original project had already been fully anonymised before use in the second project, it would no longer constitute personal data and would therefore no longer be subject to data protection legislation and the data subject would not need to be contacted about the re-use of their data.
Where personal data is to be used by a researcher but they have NOT obtained the data directly from the data subject, the original data controller supplying the data must have informed the data subject of relevant information relating to this new processing. However, the receiving data controller should check that the providing data controller has met their obligations in this regard, and it is also good practice for the receiving data controller to provide relevant study-level information to the data subject.
Guidance on the relevant information that should be provided to the data subject in these circumstances, and the appropriate time frames for providing this information, are provided in the Health Research Authority’s guidance on transparency: https://www.hra.nhs.uk/planning-and-improving-research/policies-standards-
legislation/data-protection-and-information-governance/gdpr-guidance/what-you-need- do/transparency/.
In some circumstances, where personal data has NOT been obtained directly from the data subject, then the requirement to provide information to the data subject does not apply. This is where:
Such a decision should be documented as part of the ethics review procedure, and appropriate safeguards should be in put place. Where information is not provided to the data subjects due to the above exemptions, the information should instead be made publicly available (e.g. via a study webpage).
7. Common Law Duty of Confidentiality
The Common Law Duty of Confidentiality applies to research involving confidential personal information. Under the law of confidentiality, it is recognised that individuals have a reasonable expectation of privacy in relation to confidential information: any use of confidential information that exceeds that which an ordinary person could reasonably be said to expect will constitute a breach of confidence.
Information will be considered confidential if an individual could be understood to have an objective reasonable expectation that the information will, in the circumstances, be kept private.
The easiest way to affect an individual’s reasonable expectations is by explaining clearly what will happen with their personal information. Minimally, it should be made clear who will have access to their data, for what purpose(s), and for how long. Special considerations apply, and further specific advice should be sought, if considering seeking consent from children (0-18), from vulnerable persons with capacity to consent, and vulnerable persons without capacity to consent. Further information about these issues can be found in Research Ethics Policy Note no.2 ‘Principles of Consent’: https://www.sheffield.ac.uk/polopoly_fs/1.112749!/file/Research-Ethics-Policy-Note-2.pdf
If the intention is to use confidential information for a research purpose, then that should be clearly explained to an individual and their consent, either express or implied, sought for such use.
It should also be made clear to an individual that, wherever possible, there is an ongoing entitlement to withdraw consent to the processing of data for specific purposes. It may not always be possible to grant participants the entitlement to withdraw – for example if data have been anonymised, once publication has taken place, if participatory research processes mean