2.7 Ethics and data protection
Ethics is more than approval from a committee, or good data protection practices. The concept of primum non nocere (‘first do no harm’) is a guiding principle that we should follow in relation to the humans in our data.
If you are collecting, transforming or analysing data about identifiable living people then you need to abide by the data protection legislation (commonly called GDPR). This legal framework in EU and now UK law emphasises the rights of data subjects as owners of their informational footprint. You will act as a ‘data controller’ when you collect personal data and could be held accountable for any breach of your data subjects’ privacy.
You may have heard that academic researchers may be able to rely on exemptions to GDPR if their research is in the public interest, but you always must ensure the rights of data subjects are protected with appropriate safeguards. It is important to seek advice from your institution when designing your research.
Activity 4 Thinking about data protection
Should you obtain the explicit consent of the data subjects before doing research with the following?
- David Beckham’s Twitter feed
- A WhatsApp organising group for a student rent strike
- A Facebook event page for a concert
- Comments below an article by readers of an online newspaper
- Direct messages on Twitter
- Profiles of members on an online dating service
Discussion
Some of these sources are publicly available and open to anyone to view (David Beckham’s Twitter, Facebook event, online comments). But you still can’t ignore the principle of ‘do no harm’. Remember that not everyone posting information about themselves online does so with full recognition of the possible consequences.
Joining private groups (WhatsApp, direct messages) to conduct research or undertake investigative journalism could be considered ethical and legal without explicit consent if the researchers made a strong enough case that this was in the public interest. However, you would need a strong case as to why the failure to obtain consent was justified. Researchers gathering information from profiles of users of an online dating service would need to take additional care that they were not only taking into account the rights of the service users, but also whether they were acting within the terms set by the service provider. Failure to take account of these could result in legal action from the platform or being banned from using the service in future.