EU GDPR Research Implications

What is the EU GDPR?

The EU General Data Protection Regulation (GDPR) commenced on 25 May 2018. Although it is a European law, it is designed to have extra-territorial reach. The GDPR applies to any organisation offering goods or services to individuals living in the EU. This includes universities offering educational packages to EU students or conducting research involving EU residents. While the language used in the GDPR is different, its core requirements are similar to those found in the privacy laws already regulating the University. Some additional provisions do apply, which are detailed below; most of them expand individuals’ rights over their personal data:

  • Data portability: access rights are strengthened with the right to request one’s personal data be transmitted to another party in a “structured, commonly used machine-readable format” in certain circumstances
  • Automated decision-making: there is a right to not be subject to a decision (with legal effect) based solely on automated processing or profiling; i.e. individuals must be able to seek human review of automated decisions
  • Right to object:
    • to direct marketing
    • to research/statistics: the individual can object to their data being processed for research or statistical purposes, unless an overriding public interest is proven
    • to other processing: the individual can object to their data being processed for ‘public interest’ or ‘legitimate interest’ purposes, unless an overriding public interest, or the legitimate interest of the controller, is proven
  • Right to restrict processing: individuals can require organisations to cease (or at least pause) processing data about them in certain circumstances, such as where the accuracy of the data is under review, or the individual has objected to processing and a final decision has not yet been made.

How will GDPR impact my research?

The GDPR aligns with many of the new provisions of the National Statement on Ethical Conduct in Human Research and mirrors good practice in research data management. Most important in both is the emphasis on transparency: the information provided to participants should be concise, easy to understand, and accurately reflect what will happen with their data and what their rights are as participants. In conjunction with the National Statement, compliance can be achieved in part by:

  1. Developing a data management plan prior to commencing your research. This includes clearly articulating the intentions related to the generation, collection, access, use, analysis, disclosure, storage, retention, disposal, sharing and re-use of data and information, the risks associated with these activities and any strategies for minimising those risks.
  2. Ensuring participants have an adequate understanding of the potential risks and benefits of their information being used for research, including their rights over their information, and that this information is presented to the participants in a format suitable to the participant with the aim of establishing mutual understanding between researchers and participants. Consent must then be obtained for the research to proceed (exemptions may be given in certain circumstances as determined by the Human Research Ethics Committee).
  3. Not bundling consent for research with other consents. The participant must be clear about what they are consenting to and have the option of selecting which uses and disclosures they agree to.
  4. Regularly revisiting both the data management plan and the consent obtained to ensure they remain relevant and reflect actual practices. Where changes are intended to be made, or the data is to be used for a purpose that was not initially articulated, participants may need to be consulted and consent re-obtained.


Further guidance has been issued by the NSW Information Privacy Commissioner; for the full GDPR text, refer here.
For additional assistance please contact the Privacy Officer who can assist in ensuring you are well informed on how to manage your obligations arising from GDPR.
