What is needed to fulfil the General Data Protection Regulation
A privacy notice is a document referred to in the General Data Protection Regulation advice. This should explain to the people who are being requested to provide personal and/or sensitive data that it will be processed fairly, lawfully and transparently. The privacy notice must inform people who the data controller is, what they are going to do with the information and with whom it will be shared. It needs to include details of people’s rights to access their data and the length of time it will be retained. In research, this is to be included in the setting and participant information letters that researchers use to explain their research plans to those from whom they need to get approval (e.g. university ethical review boards or government ministries), permissions (e.g. gatekeepers) and to gain informed consent from their participants and/or their carers/parents/guardians.
The privacy notice/information letter should refer to the ways the principles of GDPR will be put into practice. These are principles of:
- lawfulness, fairness, transparency
- purpose limitation
- data minimisation
- accuracy
- storage limitation
- integrity and confidentiality.
When data is shared with another data controller/processor for joint purposes, a data sharing agreement is required. If the data is to be shared beyond the European Union (EU), assurance is needed that it will be handled as securely there as it needs to be within the EU. The Privacy Shield Framework is the current EU–US government agreement, which states its own 7 principles that need to be met for personal data to be transferred from the EU to US states (Mookencherry, 2020).
Activity 5 Data management planning
If the principles of GDPR are turned into questions, a researcher can ask these when planning to collect personal data.
- Is it justifiable and legal to collect this data?
- Will you collect data that is limited to a stated purpose?
- Will the data collected be limited to only that which is needed for the stated purpose?
- Will the data collected be checked for accuracy and kept up to date whilst being stored? (Participants, called ‘data subjects’ according to GDPR, have rights for this to be the case and can ask for this to be checked.)
- Will the data be stored only for the time period that matches the stated purpose?
- Will the data be stored (and transferred) safely and kept confidential?
Refer to the table you reviewed in Activity 9 of Session 1, replicated below. Using the drop-down menu in the final column, indicate which forms of data could be classed as personal (P) data, sensitive (S) data, both or neither.