Guidance on the Processing of Personal Data for Research Purposes 1

Transcription

1 Guidance on the Processing of Personal Data for Research Purposes 1 1. Background The University of the West of Scotland has a reputation as a provider of high quality applied research. Some of the research undertaken may use information about identifiable living individuals. The use of personal data for research falls within the remit of the Data Protection Act. 2. Data Protection Act Under the Data Protection Act 1998 the University has responsibilities regarding the collection, processing and disclosure of all personal data. The Act also gives individuals rights regarding the personal data held about them. 3. Personal Data Personal data is basically any biographical information that allows a living individual to be identified and that is held as part of an organised filing system or processed by computer. An organised filing system is basically where the data is held under the individual s name and it is possible to go straight to it. Information processed by computer includes payroll details, staff databases, student records and other formats on a computer. This definition was expanded under the Freedom of Information (Scotland) Act 2002 to cover all recorded information about identifiable living individuals held by the University. 4. Use of personal data for research If a member of staff or a student wishes to use personal data to carry out research as a member of a University established research group, two options are available: 1. To anonymise the data so that it no longer falls within the Data Protection Act definition of personal data 2. To comply with the Data Protection Act Option one: Personal data is only completely anonymised when it is not possible to identify the individual from that information plus any other information that the University holds or is likely to hold. For example if student information was used with each student identified by their banner ID, it would be possible to identify the individuals from the student records system using the ID number. This would not qualify as completely anonymised data under the Act. No key can be kept to the anonymised data and it must not be possible for a subject to be identified from any other information held. If you are able to meet these requirements, the rest of this guidance does not apply to you. 1 This guidance is based on the University of Edinburgh document entitled Guidance notes on Research and the Data Protection Act

2 6. Option two: You must ensure that you have arrangements in place to meet all the requirements of the Data Protection Act. Please read the guidance given below to help you comply with the Act. A checklist is provided at appendix A and you may choose to keep this form with your project management documentation so that you can prove that you have taken into account the requirements of the Data Protection Act. 7. Research and safeguard conditions Research is defined broadly in the Act and covers statistical and historical studies. The research may be commercial or academic and may be carried out in the public or private sector. There are safeguards in place. Your research must fulfil all of the following safeguard conditions: The data cannot be used to support measures or decisions with respect to any identifiable living individual (not just the data subject(s)). The processing of the data will not cause, or be likely to cause, substantial damage or substantial distress to any data subject. The data is used exclusively for research purposes and for no other purpose, not even an incidental use. You will not make the results of your research, or any resulting statistics, available in a form that identifies the data subjects. For example if you use case studies in your research report you may choose to disguise the names of the individuals. However, if you describe his or her circumstances in detail it may be possible for someone to identify that individual, in which case you would not meet this criterion. If you cannot comply with the safeguard conditions, please contact the University Data Protection Officer. If you can comply with the safeguard conditions, you must also fulfil the requirements below regarding the eight principles put in place by the Data Protection Act 1998 to protect personal information. See the checklist at appendix A. 8. The Eight Data Protection Principles Principle 1. Personal data shall be processed fairly and lawfully. To use personal data lawfully you must comply with all UK laws and, in particular, personal data shall not be processed unless at least one of the conditions in Schedule 2 of the Data Protection Act is met. The conditions that are most likely to apply to research are: The data subject has given their consent to the processing You are processing for the purposes of the legitimate interests of the University or of a third party or parties and the use does not cause unwarranted prejudice to the rights and freedoms or legitimate interests of the data subject - 2

3 For research using sensitive data such as health, criminal convictions, ethnic or racial origins, religious beliefs, sexual life or trade union membership, at least one of the additional conditions in Schedule 3 must be met also. These include: The individual has given their explicit consent freely for the processing of the data, having been informed of the proposed uses and disclosures. You are a health professional or a person who owes a similar duty of confidentiality and processing is necessary for medical purposes such as medical research, provision of care and treatment, preventive medicine, etc. You will need to take into account medical ethics also as well as confidentiality constraints. (See the General Medical Council guidance Confidentiality: Protecting and Providing Information You are processing information as to racial or ethnic origin for equal opportunity purposes. Research is in the substantial public interest and is necessary for research purposes and does not support measures with respect to the particular individual except with their specific consent, nor cause, or be likely to cause, substantial damage or distress. It is advisable to include a statement in the project documentation indicating the potential benefits to the public. In order for the processing to be fair the data controller must comply with the fair processing code and in particular must provide the following to the data subject in a privacy notice: 1. The identity of the data controller 2. The identity of any nominated representative 3. The purpose or purposes for which the data are intended to be processed 4. Any further information that is necessary, having regard to the specific circumstances in which the data are or are to be processed, to enable processing in respect of the data subject to be fair. This privacy notice will give the data subject a full understanding of what you are doing with their data and they must be given the opportunity to opt-in rather than opt-out if explicit consent is required. You can ask the individual to sign a consent form or have a data protection statement on a questionnaire being used to collect the personal data. If you use a form to collect the explicit consent, the form should be kept for as long as the data is kept. You do not need to provide a fair processing notice if both of the following conditions apply: The personal data has been provided by a third party AND Provision of a fair processing notice would involve a disproportionate effort and the reasons are recorded. (Factors to be considered include the cost, length of time and ease of provision of a notice to all the data subjects balanced against the benefit to the data subject.) - 3

4 Principle 2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes. So long as the data were obtained for one or more specified and lawful purposes, any further processing for research purposes only will not be regarded as incompatible with the original purpose or purposes for which the data were obtained as long as the safeguard conditions above are complied with. Principle 3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed. You should keep only the amount of data about a person that you need for your research. You should not collect or store data that you do not need, e.g. date of birth or employment details Principle 4. Personal data shall be accurate and, where necessary, kept up to date. This means that you must ensure that your research data is accurate. However you do not need to ensure that the personal data is kept up to date, if your research is based on information representing a definitive time frame. Principle 5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary. Under section 33(3) of the Data Protection Act personal data, which are processed only for research purposes subject to the safeguard conditions, may be kept indefinitely despite the strictures of Principle 5. Principle 6. Personal data shall be processed in accordance with the rights of data subjects under this Act. Under the Act the rights of the data subject are: To be informed by you whether you or someone on your behalf is using their personal data. If that is the case, to be provided with o A copy of their data and associated information held by you (subject access right). o A description of the purposes for which the data are being used or to be used and o The recipients or classes of recipients to whom the data are or may be disclosed To have communicated to them in an intelligible form: o The information constituting any personal data of which that individual is the data subject and o Any information available to you as the source of those data To require you to ensure that no decision that significantly affects him or her is based solely on the processing by automatic means of personal data of which that individual is the data subject To prevent processing because it is likely to cause substantial, unwarranted damage or distress to the individual or another To compensation, payable by the data controller, if an individual suffers damage by reason of any contravention of the Act To require you to rectify, block, erase or destroy his or her personal data in certain circumstances - 4

5 To refer to the Information Commissioner any concerns regarding the processing of their personal data in compliance with the Act. Provided that the safeguard conditions under option 2 are met and the results of the research or any resulting statistics are not made available in a form that identifies individuals, you are exempt from the requirement to provide subject access (Section 33(4) of the Act) but you must comply with the other rights of the data subject. Care should be taken even where data are aggregated or anonymised since data combinations such as age and postcode may still be enough to identify individuals. This risk is increased in the case of rare medical conditions. Principle 7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. You must ensure that any personal data collected or processed is kept securely and that includes not only paper records but also electronic records. If you are using sensitive information, e.g. health records, more stringent security measures need to be in place. The required levels of security must be maintained throughout processing wherever that may be, e.g. in the office and at home. Any laptops or computers should always be password protected and the data encrypted. Back up research data regularly on a shared drive, rather than floppy disks. The secure disposal of data is very important. It is not sufficient just to delete personal data from a computer or laptop. You must either remove or destroy the computer s hard disk or overwrite the material at least 7 or 8 times. Even reformatting the hard disk may not prevent the recovery of old data. Principle 8. Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. This principle bans the transfer of personal data outside of the European Economic Area, which encompasses the 25 EU member states and the three EEA countries (Liechtenstein, Norway and Iceland). Research may involve international collaboration and, if data transfer is necessary, one of the following must apply: The country, to which the data is being transferred, has been designated as providing adequate protection for personal data. For further details see tm You have obtained the explicit, (written) consent of the data subject. Such a question could be added to the consent form. You have completely anonymised the data You have a contract in place with the recipient of the data, which details the necessary safeguards. 9. Additional information Please ensure that you read the University Data Protection Policy accessible at na_/dataprotectionp-1/dataprotectionp.doc. The University is committed to best practice in all areas of research and to conformity with the law. For further information, please contact the University Data Protection Officer on extension

6 Appendix A Checklist for Researchers Complying with the Data Protection Act 1998 Any member of staff or student using personal data for their research should use this checklist to ensure that he or she has taken into account the requirements of the Data Protection Act and to provide evidence that the requirements have been taken into account. This checklist should be used along with the Guidance on the Processing of Personal Data for Research Purpose. Requirements for Research Exemptions: 1 Does the research involve personal data; that is data, which relates to a living individual, who can be identified from that data or other data in your possession or likely to come into your possession? 2 Is the data used exclusively for research purposes and not other purposes? 3 The results of the research are not going to be used to make decisions or support measures about any of the research subjects. 4 The data processing will not result in any damage or distress to the individual data subject. 5 The results of the research, or any resulting statistics, will not be available in a form that identifies the data subjects. Requirements for meeting the Data Protection Principles 1.1 To meet the 1 st Data Principle you have met one of the requirements for using personal data. Indicate which condition has been met, e.g. consent of the data subject: 1.2 To meet the 1 st Data Principle you have met one of the additional conditions if you are using sensitive data, e.g. obtaining of explicit consent. Indicate which condition you have met: 1.3 To meet the 1 st Data Principle you have provided the following information to the data subject: a. The identity of the data controller b. The identity of any nominated representative c. What you are doing with the data d. Any further information that is necessary, such as who will receive copies of the data or have access - 6

7 Appendix A 1.4 You are excused from fulfilling 1.3 only if all of the following conditions apply: a. The personal data has been provided by a third party b. Provision of the above information would involve a disproportionate effort c. You recorded the reasons for believing that a disproportionate effort applies. Outline the reasons: 2 To meet the 3 rd Data Principle, you have only collected the amount of data needed for your research, i.e. the data is not excessive or irrelevant. 3 To meet the 4 th Data Principle, you have taken measures to ensure that the data collected is accurate. 4 To meet the 6 th Data Principle you have taken steps to comply with the rights of the data subjects by: a. Informing the data subject that you are going to use their data and for what purpose b. Stopping the use of data if it is likely to cause substantial, unwarranted damage or distress to the individual or another c. Ensuring that no decision that significantly affect the data subject is based solely on the processing by automatic means of personal data d. Rectifying, blocking, erasing or destroying the personal data of a data subject, if necessary 5 To meet the 7 th Data Principle you have assessed the security of the systems and the storage facilities used as well as all working environments. Briefly indicate the measures taken: 6 To meet the 8 th Data Principle, you shall not transfer any of the data outside the EEA unless one of the following applies: a. The country, to which the data is being transferred, has been designated as providing adequate protection for personal data. b. You have obtained the explicit, (written) consent of the data subject or subjects. c. You have completely anonymised the data d. You have a contract in place with the recipient of the data, which details the necessary safeguards. State which condition was met and to which country or countries data is being transferred: - 7