EU GDPR

Some additional provisions do apply — detailed below — most of which expand individuals’ rights over their personal data.

Data portability

Access rights are strengthened with the right to request one’s personal data be transmitted to another party in a 'structured, commonly used machine-readable format' in certain circumstances.

Automated decision-making

There is a right to not be subject to a decision (with legal effect) based solely on automated processing or profiling; ie individuals must be able to seek human review of automated decisions.

Right to object

• to direct marketing
• to research/statistics: the individual can object to their data being processed for research or statistical purposes, unless an overriding public interest is proven
• to other processing: the individual can object to their data being processed for ‘public interest’ or ‘legitimate interest’ purposes, unless an overriding public interest, or the legitimate interest of the controller, is proven.

Right to restrict processing

Individuals can require organisations to cease (or at least pause) processing data about them in certain circumstances, such as where the accuracy of the data is under review, or the individual has objected to processing and a final decision has not yet been made.

In conjunction with the National Statement, compliance can be achieved in part by:

1. Developing a data management plan

A data management plan should be developed prior to commencing your research. It includes clearly articulating that intentions related to the generation, collection, access, use, analysis, disclosure, storage, retention, disposal, sharing and re-use of data and information, the risks associated with these activities and any strategies for minimising those risks.

2. Informing participants

Ensuring participants have an adequate understanding of the potential risks and benefits of their information being used for research, including their rights over their information, and that this information is presented to the participants in a format suitable to the participant with the aim of establishing mutual understanding between researchers and participants.

Consent must then be obtained for the research to proceed (exemptions may be given in certain circumstances as determined by the Human Research Ethics Committee).

3. Clear consent

Consent for research should not be bundled with other consents. The participant must be clear what they are consenting to and have the option of selecting which uses and disclosures they agree to.

4. Relevance

Regularly revisiting both the data management plan and the consent obtained to ensure they remain relevant and reflect actual practices. Where changes are intended to be made or the data used for a purpose that was not initially articulated, participants may need to be consulted and consent re-obtained.