You left your laptop on a train or a bag on the bus. Your laptop had the DNA profiles from the participants in your research project, or the bag was full of consent forms. Accidents happen but the penalties are about to increase substantially when the EU General Data Protection Regulation (GDPR) comes into effect on 25th May 2018.
GDPR covers all forms of personal data including genomic and some anonymised data.
The Data Protection Act (2018) gives details of how the GDPR provisions will work in the UK, including any exemptions for research data. Data collected as part of a research project is likely to be exempt from several provisions including the length of storage and the 'right to be forgotten' (right of erasure).
This guide will concentrate on some commonly asked questions about GDPR and Research Data. Related FAQs will be released shortly.
The key actions to reduce your risk are:
The Information Commissioner's Office (ICO) is regularly publishing guidance on how GDPR will be interpreted in the UK:
The University is developing guidance and resources for staff to help them understand their and the University's responsibilities under GDPR.
UKRI has published guidance for researchers:
What counts as personal data? What is sensitive/special category personal data?
Personal data means any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. This could include personal data, including name, identification number, location data or online identifier. Personal data that has been pseudonymised – eg key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.
Sensitive personal data: data that consists of information about racial or ethnic origin, political opinions, religious beliefs or beliefs of a similar nature, physical or mental health or condition, sexual life, the commission/alleged commission of an offence alleged/committed by the data subject and any related court proceedings, trade union membership. It also includes genetic (i.e. inherited or acquired genetic characteristics e.g. blood type) and biometric data (e.g. fingerprints) where processed to uniquely identify an individual. It has some different grounds for processing and requires the explicit consent of the data subject for its collection.
For more information and links to the relevant provissions in the GDPR, see ICO's GDPR Key definitions: What information does the GDPR apply to?.
All EU Member States have the ability to provide exemptions to the GDPR for data processing "for archiving purposes and for scientific or historical research and statistical purposes". The bill to bring this into UK law is still going through Parliament. However just because there will be an exemption on processing and archiving data for research, does not mean you should not handle personal data carefully and in accordance with the GDPR.
Under the old Data Protection Act, the ICO advised that it was good practice to undertake a Privacy Impact Assessment. Under GDPR Data Protection Impact Assessment ('DPIA') (the new term for a Privacy Impact Assessment) is complusory for any project that id likely to be 'high risk' to the rights and freedoms of indidivudals. The GDPR does not define what high risk is, however examples include 'large-scale' processing so it is likely that DPIA will be required for some research projects. The ICO has created a series of DPIA checklists that you should use if you are unsure if you will need a DPIA. Even if a DPIA is not necesary, you need to be able to demonstrate that you ahve proactiely addressed data protection implications in your research to comply with the GDPR's requirements for accountability and privacy by design.
My research has started before GDPR came into force? Does it need to be GDPR compliant?
If your data uses personal information, even if you started before 25 May 2018, it is necessary to comply with GDPR. You will need to decide if your data are "personal" (which means that they are identifiable in some way e.g name, postcode, cookies), and if there is appropriate consent or other legal basis (usually a 'task in the public interest') in place for you to collect, store and analyse the data.
For research undertaken at the University, the legal basis is likely to be a 'task in the public interest'. If you have already gone through Ethics and secured consent for participation, you are unlikely to need to re-consent as this consent is for participation and not for data handling. However you are likely to need to issue a Transparency Notice to your participants. The Research Integrity and Governance Office is actively contacting PIs on a rolling programme from high risk to lower risk studies regarding transparency notices and participant information sheets.
You should liaise with the Research Governance Manager and the University Data Protection Officer to ensure that you are compliant with GDPR.
Please note: Health and social care research data have specific requirements that are not covered by GDPR.
GDPR means that you must
You need a legal basis (usually a "task in the public interest" or consent) to process personal data (e.g. name, postcode, cookies) and an additional legal basis to process special categories of personal data, as well as being able to show that additional legal requirements such as fairness and transparency are being met. For research undertaken at the University, the legal basis is likely to be a 'task in the public interest'.
Article 5 (e) of the GDPR states that personal data shall be kept for no longer than is necessary for the purposes for which it is being processed. There are some circumstances where personal data may be stored for longer periods (e.g. archiving purposes in the public interest, scientific or historical research purposes). Recital 39 of the GDPR states that the period for which the personal data is stored should be limited to a strict minimum and that time limits should be established by the data controller for deletion of the records or for a periodic review. Organisations must therefore ensure personal data is securely disposed of when no longer needed, reducing the risk that it will become inaccurate, out of date or irrelevant. For research purposes, once the project is complete, the data should be deleted, unless there is a requirement to archive the data for future reference and validation, in which case the organisation should undertake to periodically check that the data are still required, bearing in mind that they should be accurate, in date and relevant. As the University has a Research Data Management Policy which requires significant research data to be held for at least 10 years, that is the minimum period for which you should archive your significant data.
What should I do if the research and data collection occurs overseas? Does GDPR apply?
In short, yes, GDPR does apply if data is collected and processed overseas because the University, as the Data Controller for all research undertaken by University staff, is based in the EU. Article 3 of the GDPR sets the territorial scope of the Regulation to apply to both:
Who owns the data I collect as part of my research?
Research data collected by you while you are a member of staff at the University is owned by the University unless otherwise stated in collaboration agreements. See the University's Research Data Management Policy for more information.
Should I be responsible for students’ data?
To be drafted.
Am I a controller or processor under the GDPR?
The Data Controller is the organisation that determines the purposes for and the manner in which any personal data is processed, in this case, the University. As a PI you may be taking these decisions on behalf of the University, but the University, rather than you personally, is the Data Controller. Research students or other non-employees who do the processing of personal data on behalf of the data controller are data processors.
My data is generic data. Is it covered by GDPR?
If your data are personal data, even if you started before 25 May 2018, it is necessary to comply with GDPR. Personal data are identifiable in some way (e.g name, postcode, cookies), and you need appropriate consent or another legal basis (likely to be a 'task in the public interest' for University-based research) in place for you to collect, store and analyse the data. You should liaise with the Research Governance Manager and the University Data Protection Officer to ensure that you are compliant with GDPR. Health and social care research data have specific requirements that are not covered by GDPR.
Do RIS have GDPR-ready templates?
RIS, Legal Services and iSolutions have various documents and templates available on the GDPR Sharepiont site. Contact RIS Contracts or the Research and Governance Office if you need further help.
How do I anonymise research data? Is fully anonymised data covered by GDPR?
Fully anonymised data is not covered by GDPR. However, it can be complicated to fully anonymise data and doing so may reduce the re-use potential of your research data.
Anonymisation applies to both direct and indirect identifiers. Direct identifiers like name, address, or telephone numbers specify an individual. Indirect identifiers could also reveal an individual when pieced together, for example, cross-referencing occupation, employer, and location. You should be aware that even if you have only one or two indirect identifiers left in your data, they could still be linked to other data sources to allow re-identification. See Research Data Management: Sensitive Data for further information on removing indentifiers to share data for publication.
For more information on anonymisation, see:
What happens if I lose personal data, e.g. lost laptop? What if I disclose by mistake?
You must contact databreach@soton.ac.uk as soon as possible. Do not delay, do not spend time trying to find the data, notify databreach@soton.ac.uk as soon as you suspect the data loss may have happened.
I'm doing social media research. Do I have to worry about GDPR?
In short, yes, if you are using data from social media, such as scrapes of twitter feeds or Facebook, then you should consult the University's policies on Secondary Data and Social Media.
What security levels are required for what type of data?
The Information Security team have developed a RAG data classification tool. Contact the Information Security team for more guidance; send an email to serviceline@soton.ac.uk marked for the attention of InfoSec.
Raw data containing personal information should be stored on University servers that require a login in with a University username and password rather than held locally on laptops or other devices. Therefore raw data should only be stored on the Research Filestore.
Local copies of data should only be held on laptops or other devices after the raw data has been processed to remove personal identifiers.
Data can be encrypted using various software. Contact the Information Security team for more guidance; send an email to serviceline@soton.ac.uk marked for the attention of InfoSec.
See the Research Data Management: Sensitive Data guide for more information.
The Library can advise on drafting Data Management Plans and have advice on the RDM webpages. You can contact them on researchdata@soton.ac.uk. Your Faculty Business Relationship Manager can help you with storage requirements for your project, and iSolutions Information Security team gives advice on how best to encrypt data.
Where can I save personal data (hard copy) & how can I do it responsibly?
Any personal data you hold on paper must be held securely in locked cabinets in lockable rooms. If possible, scan the paper copies and save them securely on the University network, and destroy the paper originals.
If you work in a shared office, do not leave papers containing personal data on your desk when stepping away from your desk, even if you are just popping to the loo. Either dispose in the confidential waste or lock them away in your desk drawers or cabinet.
Contact the Information Security team for more guidance; send an email to serviceline@soton.ac.uk marked for the attention of InfoSec.
Personal data should not be stored on removable devices if at all possible. If you have to collect data on a laptop, the data and the laptop should be encrypted. When undertaking international travel, ensure any devices are in hand luggage.
Windows laptops should be UoS supplied, UoS build and regularly plugged in to network to receive updates. Windows laptops use Bitlocker.
Apple Mac devices are not supplied with encryption (‘Filevault’) enabled by default, as there is no UoS infrastructure available to manage and store encryption keys. You will need to enable this yourself.
When any other Apple device is issued it is provided with only factory default security settings. In order to make these are as secure as possible please undertake the following steps:
For further guidance, contact the Information Security team for more guidance; send an email to serviceline@soton.ac.uk marked for the attention of InfoSec.
What should I do with old data which I still need (paper & electronic)?
You should ensure the personal data is stored securely, following the same guidelines as for new data. Electronic data should be stored on University servers and paper data should be kept in secure, locked cabinets in locked offices. See the Research Data Management: Sensitive Data guide for more information.
How should I destroy data I no longer need (paper & electronic)?
Paper should be shredded (using a cross shredder) or put into the secure confidential waste (white sacks). For electronic data, contact iSolutions Serviceline.
For more information see:
How far back do I need to go? What do I do with old personal data?
There is no limit on how far back you need to go. Before GDPR, you should have been holding personal data securely in accordance with the Data Protection Act.
If you no longer need the personal data that you hold, it should be destroyed (See the Research Data Management: Destruction guide for more information on how to do this securely). Do remember that for some types of research you may need to keep consent records for longer than the research project lasted; contact RIG for guidance. Also consider that the University's Research Data Management Policy requires significant research data to kept for at least 10 years, ideally these data would be anonymised to a level that would allow sharing, either openly or on request from bone fide researchers.
How do I encrypt a USB stick? Where can I buy an encrypted USB stick?
If at all possible, you should avoid saving or moving raw data on USB sticks but if you have to, you should only use encrypted USB sticks such as the Integra Crypto drive. Only use removable storage supplied by iSolutions: Staff equipment and purchasing.
Under GDPR, you will need: a legal basis to process personal data (e.g. name, postcode, cookies), an additional legal basis to process special category personal data, and to ensure that all additional legal requirements are met (e.g. the need to be fair and transparent, and to comply with the common law duty of confidence). Under the new law, the most relevant legal basis for researchers processing personal data for university research will usually be ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’ This justification for this should be internally documented by reference to the public research purpose as established by statute or alternative e.g. University Charter.
Consent is also an legal basis for processing and has very specific requirements under GDPR. If you use consent as your legal basis, you may need to re-consent to be GDPR compliant if your research started before 25 May 2018; alternatively you may be able to establish an alternative legal basis to proceed. You should liaise with the Research Governance Manager and the University Data Protection Officer for further information.
Where do I store consent forms?
Consent forms must be stored in a secure location. At the very least you should store forms in a locakable cabinet in a lockable office. If you are able to scan the consent forms, you should dispose of the paper forms in confidential waste or shredded using a cross-cut shredder (see Research Data Management: Destruction (paper & electronic) for more information).
How do I tell if my research protocol is suitable?
To be drafted.
What are the re-identification risks for data?
Anonymisation is a trade-off against utilisation. What might be a reasonable level of anonymisation in a secure setting due to the high need for utilisation of the data, might not be suitable in an open setting due to the higher risk of re-identification.
"It can be impossible to assess re-identification risk with absolute certainty. [...] The risk of re-identification through data linkage is essentially unpredictable because it can never be assessed with certainty what data is already available or what data may be released in the future. It is also generally unfeasible to see data return (ie recalling data or removing it from a website) as a safeguard given the difficulty, or impossibility, of securing the deletion or removal of data once it has been published. That is why it is so important to take great care, and to carry out as thorough a risk analysis as is possible, at the initial stage of producing and disclosing anonymised data." ICO (2012), Anonymisation: managing data protection risk code of practice
"De-identification – refers to a process of removing or masking direct identifiers in personal data such as a person’s name, address, NHS or other unique number associated with them. De-identification includes pseudonymisation.
"Anonymisation – refers to a process of ensuring that the risk of somebody being identified in the data is negligible. This invariably involves doing more than simply de-identifying the data, and often requires that data be further altered or masked in some way in order to prevent statistical linkage.
"[For] both processes (i.e. de-identification and anonymisation) the purpose is to make re-identification more difficult. Both deidentification and anonymisation are potentially reversible; the data environment in which you share or release data is of critical importance in determining reversibility. In other words, the data environment can either support or constrain reversibility which means you need to think very carefully about the environment in which you share or release data. For example, it may be entirely appropriate to release deidentified data in a highly controlled environment such as a secure data lab but not at all appropriate to release them more openly, for example by publishing them on the Internet.
Re-identification might occur:
From: UKAN (2016), The Anonymisation Decision-Making Framework , pp.15-16
Can I share data with collaborators? How can I share safely? What is the procedure for sharing data?
If you want to share data with external collaborators, even if they are part of the same research project, you should have a data sharing agreement in place. Contact riscontracts@soton.ac.uk for more information.
The safest and simplest way to share documents and data with collaborators external to the University so you can all edit the material, is to use a University SharePoint site. You simply need to create a new Sharepoint site and use the external registration website to add and manage access for your collaborators. For more information see:
If you are just going to be sharing data with members of the University, you can also request space on the Research drive, contact your iSolutions BRM to set this up.
If you need to send data to a collaborator, internally or externally, you can also use the dropoff service. The service allows you to easily move files of up to 50Gb in and out of the University. All files are transferred across the network securely encrypted. Dropoff is in not a cloud service; everything is stored on equipment directly owned by the University, and managed by its own IT staff. All access to data is very tightly and strictly controlled by the University; all accesses to data on Dropoff are logged and can be easily checked if you are ever concerned that a 3rd party might have gained access to your data. Files are automatically deleted from Dropoff 32 days after you upload them. No backups are taken of the uploaded data (it's only a transitory stopping point), so after an uploaded file has been deleted, there is no way of recovering the file.
How do I safely move data on USB sticks?
If at all possible, you should avoid saving or moving raw data containing direct and indirect identifiers on USB sticks but if you have to, you should only use encrypted USB sticks such as the Integra Crypto drive. Only use removable storage supplied by iSolutions, see: Staff equipment and purchasing
Can I take my research data with me?
Research data you collect when employed by the University is owned by the University unless other data sharing or collaboration agreements apply to your research. A copy of the data must be left at the University when you leave. Depending on your actual research, you may be able to take a copy some of the data with you. Contact the Legal Services IP service for a response to your specific situation.
How should I get access to data from someone else?
If you use data owned by a third party (copyright material, software or database), you need to understand the terms under which these are obtained and the scope of use. It is necessary to obtain permission from the data owner for re-use of such material, unless conditions of re-use have been explicitly indicated, for example, with a Creative Commons licence. It is your responsibility to ensure you comply with the terms that apply. RIS can assist with drafting/reviewing of data sharing agreements/T&Cs. In most instances, these are not negotiable. However, it may be possible to seek specific use terms or negotiate different licensing arrangements more appropriate to your specific requirements. It may be that in some circumstances, a commercial licence offers more freedom-to-operate than provisions for academic purposes.
You may also find that the terms of use of some data services, such as Census statistics, require you to deposit derived work with them. When depositing data in a repository you will be required to agree to a licence that asserts you have the rights to deposit that data.
How should I give access to data to others? When do I need an agreement for data transfer?
Personal data transfers will continue to need to be approved though ERGO.
If data is from UHS patients collected under UHS sponsored studies, UHS will need to be consulted. RIS can assist with data sharing agreements as required. Generally if the protocol, consents and patient info describes the data transfer in detail an agreement may not be needed for transfers within UK.
If you want to share data containing direct or indirect identifiers, with external collaborators, even if they are part of the same research project, you should have a data sharing agreement in place (contact riscontracts@soton.ac.uk for more information). The PI or local CoI, as representatives of the University who is the Data Controller, should ultimately give permission for data to be shared. When you share the data with others, they will be data processors but the University will still be the data controller and therefore responsible for how the data is used.
At the end of the project, significant research data should be archived, and preferably made openly available, as per the University's Research Data Management policy. In order for data to be shared openly it should be throughly anonmyised with direct and indirect indentifiers removed or modified. See Research Data Management: Sensitive Data for further information.
What should I do about sharing data with international collaborators?
International research projects should have data sharing agreements if personal data is going to transfered between countries. Contact riscontracts@soton.ac.uk for more information.
Raw data should be stored on University servers and if possible, raw data should not be transfered. If you can remove personal data and reduce or anonymise identifiers in the data before transfering data to international collaborators. Data should be encrypted for transfer. The University's drop-off service allows you to transfer files of up to 50GB in size securely. To transfer larger files, contact serviceline for advice.
The safest and simplest way to share documents and data with collaborators external to the University so you can all edit the material, is to use a University SharePoint site. You simply need to create a new Sharepoint site and use the external registration website to add and manage access for your collaborators. For more information see:
SharePoint provides a safe way to share documents collaboratively with other researchers both internal and external to the University. You simply need to create a new Sharepoint site and use the external registration website to add and manage access for your collaborators. For more information see:
Instead of dropbox (which should never be used for transfering personal data), we recommend that you use the University's drop-off service which allows you to transfer files of up to 50GB in size securely. All files are transferred across the network securely encrypted. Dropoff is in not a cloud service; everything is stored on equipment directly owned by the University, and managed by its own IT staff. All access to data is very tightly and strictly controlled by the University; all accesses to data on Dropoff are logged and can be easily checked if you are ever concerned that a 3rd party might have gained access to your data. Files are automatically deleted from Dropoff 32 days after you upload them. No backups are taken of the uploaded data (it's only a transitory stopping point), so after an uploaded file has been deleted, there is no way of recovering the file. Unlike on a Dropbox view, once a file is deleted in Dropoff, it really is deleted.
Can I transfer my data outside the EEA?
GDPR prohibits transfer of personal data outside the EEA unless certain conditions are met:
For practical purposes, this means that if you are collaborating with organisations outside the EEA, you must have a data sharing agreement in place. Contact riscontracts@soton.ac.uk for more information.
If you leave to work at an organisation outside the EEA and take research data with you, this will count as a data transfer.
Many cloud services are based outside the EEA. Even if the service in question has signed up to the EU-US Privacy Shield, it may not be appropriate to use such a service, since the terms and conditions tend to be one-sided, and are unlikely to be sufficient to enable the University to meet all its obligations under the GDPR. When sharing data with collaborators, do not use cloud-based services unless they have been approved by the University.
My funder requires I share data after the project is finished, how can I do this?
Many funders now require researchers to share data after the research is finished and the introduction of GDPR should not interfere with this process.
If possible, you should aim to robustly anonmyise your data. Fully anonymised data is not covered by GDPR. However, it can be complicated to fully anonymise data and doing so may reduce the re-use potential of your research data.
Anonymisation applies to both direct and indirect identifiers. Direct identifiers like name, address, or telephone numbers specify an individual. Indirect identifiers could also reveal an individual when pieced together, for example, cross-referencing occupation, employer, and location. You should be aware that even if you have only one or two indirect identifiers left in your data, they could still be linked to other data sources to allow re-identification. See Research Data Management: Sensitive Data for further information on removing indentifiers to share data for publication.
Unless your funder specifically requires you openly share the data, it is also possible to set different access levels to your research data. See Restricting Access to Your Research Data for more information.
For more information on anonymisation, see:
