This technical guidance has been produced for data protection officers, information governance officers and research governance managers.
Research organisations must be transparent about the personal data they process for research. Transparency is a fundamental principle of existing data protection law. The new law increases the amount of information that must be provided to research participants.
The new data protection legislation emphasises the importance of transparency. It requires that information for data subjects must be:
- concise and easy to understand, using clear and plain language,
- easy to find,
- tailored to the needs of the audience, and
- provided by an appropriate means, such as in writing or by video. When requested by the data subject, the information may be given orally.
The changes in transparency requirements will apply to all data processed from 25 May 2018, not just to personal data obtained after that date. This includes data that is simply held or stored, without being otherwise actively used.
Information about an organisation’s processing of personal data is often contained within a ‘privacy notice’. The Information Commissioner’s Office (ICO) has guidance on what to include in a privacy notice.
Information should be tiered. General information about data processing should be given at an organisational level, for example through the website and in clinic waiting rooms where data subjects will notice it. Information about specific uses of data, for example in a research study, should be given via a participant information sheet or a patient notification required by the Confidentiality Advisory Group.
Organisations, data controllers and researchers should give data subjects an ongoing opportunity to check their understanding and ask questions. An example of good practice is the National Survey of Health and Development.
The detail of what information a data controller must give a data subject depends upon whether the personal data is collected from a data subject or from other sources.
Personal data collected from the data subject
When personal data is collected from the data subject, the data controller must provide information to the data subject at the time it is obtained. The following are examples of personal data collected from a data subject:
- a researcher asks a patient to complete and return a questionnaire
- a researcher working on behalf of an NHS Trust, which is the data controller, uses personal data held by the Trust
- a research site collects information from research participants and then transfers the data to the research sponsor
When personal data is collected from the data subject, the controller must give them the following information:
|The name and contact details of the controller (including the data protection officer)|
|Why the data is being processed and the legal basis for doing so|
|The recipients or categories of recipients of the data|
|How long the data will be stored|
|What are the data subject’s rights, including, where consent is the legal basis for processing the data, the right to withdraw that consent at any time (this is different from consent to participate in research)|
|That the data subject has a right to make a complaint to the ICO|
|Whether the data is obtained as part of a statutory or contractual requirement or obligation and any possible consequences of failing to provide the data|
|Whether there will be any automated decision-making and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject|
|How appropriate or suitable safeguards are achieved if the data is to be transferred out of Europe|
Where confidential information is shared with people that participants reasonably expect, consent for disclosure in line with the common law should be obtained, or s251 support.
When personal data has been collected from a data subject but the controller intends to further process the data for a different purpose, the controller must also give the data subject information about that further purpose before the data is processed. An example is that researchers may wish to use personal data originally collected for clinical or local audit for research.
However, if the information about further processing is in fact the same as the information for the original processing, the data controller does not need to give the data subject that information again.
Information given to data subjects should be as precise as possible without unduly restricting the possibility of further research uses of data in the future. For example, it may be appropriate to say: ‘Personal data (data that can identify you) will be used by research teams in this organisation and shared with external research organisations, such as universities and commercial companies in this country and abroad for scientific research purposes.’ The scientific research purposes in question should then be detailed but do not need to be project-specific. If particular organisations are excluded from the statement, the data controller must ensure that the information is not shared with them.
Personal data obtained from other sources
Examples of other sources include:
- Obtaining data from other controllers like NHS
Digital or other central sources or registries.
- A university researcher working on behalf of a
university data controller obtaining data from NHS medical records only. (Where
a university researcher collects data from the data subject and from NHS medical
records, the data being processed are a mixture of data collected from the data
subject and data obtained from other sources, so the requirements above for data
collected from the data subject must also be met.)
Where personal data is obtained from other sources for research, the new (receiving) data controller must give the data subject the same information as listed above, as well as the source from which the personal data the personal data originate, and if applicable, whether it came from publicly accessible sources.
This information should be given by the new data controller within a reasonable period. Specifically,
- within one month, OR
- if the personal data is to be used to contact the data subject, by the time of contact, OR
- if disclosure to another recipient is envisaged – for example to a researcher employed by another controller – by the time the personal data is disclosed.
If research purposes were not a purpose for which the data was obtained by the original controller, the relevant information should be given before processing for research purposes.
We say that this information should be provided, rather than must, because there are circumstances where it is not a requirement to provide the information.
Good practice example:
The TIGAR study (Tracking the Impact of Gestational Age on health, educational and economic outcomes: a longitudinal Record linkage) collects data in relation to research participants from a variety of sources. Despite the fact that data is not obtained from the data subject, the TIGAR study provides information to research participants about the study, answers frequently asked questions, and provides information about how to make further contact.
Exemptions for research
Where personal data is obtained from a third party, there is no requirement to give information, as long as:
- Technical and organisational measures that respect the principle of data minimisation are in place. Where possible this requires that personal data is pseudonymised and the research activity is conducted without using identifiable data
- Giving the information to data subjects would be impossible or would involve a disproportionate effort, or giving the information to data subjects is likely to render impossible or seriously impair the achievement of the objectives of that processing (ie, it would undermine the possibility of valid research results).
Data controllers must decide which, if any, of these circumstances apply. It is good practice to establish a process by which such decisions may be made, recorded, and made available in line with responsibilities for accountability.
When assessing whether giving the information to data subjects would be impossible or would involve a disproportionate effort, data controllers should take into account the number of data subjects, the age of the data and any appropriate safeguards adopted.
When assessing whether giving the information would undermine the possibility of valid research results, data controllers should consider appropriate alternate methods of analysis.
When personal data obtained from other sources is subject to a research exemption, the data controller must make the transparency information publicly available and take any appropriate measures to protect the data subject’s rights and freedoms and legitimate interests. There is also a responsibility to ensure that data is processed consistent with appropriate safeguards.