Under the GDPR, transparency relates to providing information to people about the processing of their data. Some of this is addressed at an organisational level in providing public information about use of data. There are important differences in the transparency requirements between organisations directly collecting information from research participants and organisations receiving information indirectly from another organisation.
Participant data that is no longer identifiable, or from which the participant cannot be identified either on its own or in combination with other accessible information, is no longer personal data, and the GDPR transparency requirements do not apply.
This means that your organisation needs to understand what personal data it is currently responsible for processing as a controller, and will in future be processing, so that it can publish transparency information. You should use the information below to determine what further information, if any, should be given to participants of individual studies, and how to provide it.
You should take into account what mechanisms you have to provide transparency information, including publishing or providing information via participating sites, relevant patient groups etc., and be able to justify your decisions about transparency.
The table below sets out the transparency requirements under GDPR:
| Information to be provided | Personal data obtained directly from participants | Personal data obtained indirectly |
|---|---|---|
| Name of controller and contact details (including of data protection officer) | Required | Required |
| Purposes of the processing, as well as the legal basis | Required | Required |
| The legitimate interests of the controller or third party, where applicable | Required | Required |
| The categories of personal data concerned | | Required |
| The recipients or categories of recipients of the personal data, if any | Required | Required |
| The period for which the personal data will be stored | Required | Required |
| The data subject’s rights under GDPR (see note A below) | Required | Required |
| The right to lodge a complaint with the ICO | Required | Required |
| The source from which the personal data originate, and if applicable, whether it came from publicly accessible sources | | Required |
| Whether the provision of personal data is part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal data (see note B below) | Required | |
| Any automated decision-making, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject (see note C below) | Required | Required |
| How appropriate or suitable safeguards are achieved in relation to any personal data transferred out of Europe | Required | Required |
A: For research, there are conditional exemptions to subject rights, so you should set out that an exemption may apply and will depend on the circumstances.
B: This is not applicable to research.
C: In this context automated decision-making refers to use of personal data in machine learning or other technologies that will result in a decision about the individual, eg a diagnosis. Electronic randomisation technologies are not included.