Skip to content
Skip to main content
header search
ahihi OpenLearn
OpenLearn
Menu
sticky search

About this free course

Become an OU student

Download this course

Share this free course

Course content Course content
Becoming an ethical researcher
Becoming an ethical researcher

Start this free course now. Just create an account and sign in. Enrol and complete the course for a free statement of participation or digital badge if available.

More free courses

What is needed to fulfil the General Data Protection Regulations

Described image
Figure 4 Key questions to consider when meeting the General Data Protection Regulation
Show description|Hide description

A collage of clippings of telephone numbers and addresses, on which there are superimposed six words with question marks afterwards – Lawful? Accurate? Purpose? Expiry? Needed? Confidential?

Figure 4 Key questions to consider when meeting the General Data Protection Regulation

A privacy notice is a document referred to in the General Data Protection Regulation advice. This should explain to the people who are being requested to provide personal and/or sensitive data that it will be processed fairly, lawfully and transparently. The privacy notice must inform people who the data controller is, what they are going to do with the information and with whom it will be shared. It needs to include details of people’s rights to access their data and the length of time it will be retained. In research, this is to be included in the setting and participant information letters that researchers use to explain their research plans to those from whom they need to get approval (e.g. university ethical review boards or government ministries), permissions (e.g. gatekeepers) and to gain informed consent from their participants and/or their carers/parents/guardians.

The privacy notice/information letter should refer to the ways the principles of GDPR will be put into practice. These are principles of:

  • lawfulness, fairness, transparency
  • purpose limitation
  • data minimisation
  • accuracy
  • storage limitation
  • integrity and confidentiality.

When data is shared with another data controller/processor for joint purposes, a data sharing agreement is required. If this is to be shared beyond the European Union (EU), assurance is needed that it will be handled as securely there as it needs to be within the EU. The Privacy Shield Framework is the current EU–US government agreement, which states its own 7 principles that need to be met for personal data to be transferred from the EU to US states (Mookencherry, 2020).

Activity 5 Data management planning

Timing: Allow approximately 15 minutes

If the principles of GDPR are turned into questions, a researcher can ask these when planning to collect personal data.

  1. Is it justifiable and legal to collect this data?
  2. Will you collect data that is limited to a stated purpose?
  3. Will the data collected be limited to only that which is needed for the stated purpose?
  4. Will the data collected be checked for accuracy and kept up to date whilst being stored? (Participants, called ‘data subjects’ according to GDPR, have rights for this to be the case and can ask for this to be checked).
  5. Will the data be stored only for the time period that matches the stated purpose?
  6. Will the data be stored (and transferred) safely and kept confidential?

Refer to the table you reviewed in Activity 9 of Session 1, replicated below. Choose from the drop-down menu in the final column with a P or S which forms of data could be classed as personal (P) or sensitive (S) data, both or Neither.

Guest users do not have permission to interact with embedded questions.
Interactive feature not available in single page view (see it in standard view).