This technical guidance has been produced for data protection officers, information governance officers and research governance managers. 

It is very important that data controllers, who are legally responsible for processing personal data for research purposes, are aware of the research activity that they are responsible for, and the current systems used in the organisation to corporately manage research.

The sponsor of the research is the data controller as they are responsible for the research protocol and the collection and use of data for the research.

The Information Commissioner’s Office has up-to-date information.

For Data Protection Officers:

Discuss forthcoming data protection law with your researchers and research governance managers.
Establish what data your organisation is data controller for and which data researchers are processing on behalf of another organisation.
Consider whether there is any research in your organisation which is unlikely to fall under the ‘task in the public interest’ legal basis (e.g. because your organisation is not a public authority as defined in the Freedom of Information Act).
Make sure you know what personal data and ‘special category’ personal data researchers are currently processing. For special category data, work with research managers to determine how you will demonstrate that this data is being processed in the public interest (e.g. the research has public funding or research ethics committee approval).
Work with research managers to determine how your organisation will comply with the safeguards, and what existing systems you can take account of.
Work with research managers and researchers to determine how your organisation will comply with the transparency requirements of the new legislation. This includes considering the project-specific information provided as well as a review of more corporate, higher-level information about information sharing for research.
Work with research managers and researchers to determine how to apply research exemptions to subject rights. For some you are likely to have a corporate-wide approach (e.g. for data integrity reasons, the right to erasure may not apply), for others it will depend on the circumstances.
Work with clinicians and other care staff - not just researchers and research managers - to determine if they are passing personal data to others for research, and if so, what information was previously given to data subjects about that processing.

For Research Managers and Researchers:

Work out which organisation(s) is the data controller and which are processors for your research or research portfolio.
Discuss forthcoming data protection law with the relevant Data Protection Officers. Help them understand the personal data and ‘special category’ data processed for research.
Determine whether you have ever told research participants about the legal basis on which you are processing data about them. Although in the past you were not required to be explicit to participants about the legal basis you were using, in a few rare circumstances you may have done so. If you have, check whether it is actually the correct legal basis under the GDPR.
Work with the relevant Data Protection Officers and others, such as HR, IT and IG teams and security architecture leads, to agree how the appropriate safeguards are met and can be demonstrated.
Work out what transparency information participants have already been given, including their subject rights and anything about withdrawal from the study, and inform the relevant Data Protection Officer(s) of this.
Work with Data Protection Officers to determine how research exemptions to subject rights should be applied.