Good data protection
practice and ethics are essential in research in order to not only comply with
the law but also the expectations of individuals that may be the subject of
research.
In developing a
trusted relationship researchers need to follow ethical principles as well as
expectations of confidentiality and privacy.
In 2020 more data
protection laws are being developed around the world and whilst the EU General
Data Protection Regulation (GDPR) has focused many researchers’ minds on
compliance there are more than 140 countries with data protection laws and many
have similar approaches to the GDPR. Furthermore Regulators around the world
are enforcing the rights of individuals against organisations that process
personal data unlawfully or without transparency.
The five important
issues to consider are:
1. Transparency and Accountability
Data Protection
Principles require that when any personal data is being processed Researchers
must provide transparent and plain language information to individuals whose
data may be collected and analysed. Researchers should ensure that they have
available a Fair Processing Notice or Privacy Notice that informs individuals
of who is processing the personal data, with whom that personal data may be
shared, the purposes for which the data will be used, for how long it will be
retained and what rights and privileges individuals have in terms of their
personal data.
In order to
demonstrate accountability, the researcher as a controller must have
appropriate policies and procedures in place such as not only the Privacy
Notice but also a record of processing activities, a process for dealing with
individuals rights requests, a process for using data protection impact
assessments, a data retention and destruction policy and a policy for the
control of sub contracted research organisations and any international
transfers of personal data in the course of research.
The above is not an
exhaustive list of policies and procedures.
2. Understanding the nature of the personal data
It is essential to
identify the nature of the personal data that is being collected during
research as the more sensitive the nature of the data, the greater the
obligations are for compliance.
The GDPR defines personal
data as, “any information relating to identified or identifiable natural
persons who can be identified directly or indirectly, in particular by
reference to an identification number or to one or more factors specific to
their physical, psychological, genetic mental economic cultural or social
identity”.
The concept of
personal data includes any sort of information about a person whether objective
or subjective.
The GDPR lays out
more stringent obligations for researchers to consider where the personal data
consist of “special categories of data” or “information relating to suspected
criminal activities”.
These particular
sensitive data categories are those revealing racial or ethnic origin,
political opinions, religious or philosophical beliefs, trade union membership,
genetic data, biometric data, data concerning health or data relating to sexual
orientation or activity.
If as a researcher
you are intending to process these special categories of data or information
relating to criminal activity you will need to satisfy stricter conditions to
be able to lawfully process that data.
3. Controller or Processor?
Researchers should
consider whether in the course of their work they are acting as a controller or
as a processor in relation to personal data because there are differences in
the obligations and liabilities between a controller and a processor.
If the researcher is
independently carrying out research where the outcomes will be marketed to
customers then the researcher is likely to be a controller and as such will
need to comply with all of the controller obligations of the GDPR and other
similar legislation in other parts of the world should they apply.
If however, the
researcher is acting on the instructions of a client and is directed to research
certain individuals or categories of individuals and then the outcome is
delivered as a report to the client then the researcher is a processor and most
of the liability for data protection compliance rests with the client.
If the research
company is the controller then if it is located within the EU and the GDPR then
applies it will be responsible for providing appropriate transparent
information to each individual and will need to have in place the compliance
policies and procedures mentioned in section 1 above.
If the research
company is acting as a processor it will still have obligations under the GDPR
(where that applies) and should anticipate that clients will want reassurance
both practically and as well as contractually that the research company will
support the client in its role as a controller and meet its own obligations as
the processor.
4. Lawful grounds for processing
The GDPR and other
emerging similar laws around the world lay down certain lawful grounds for
processing of personal data. Whilst consent is most focused upon it is not the
only lawful ground for processing. Researchers should therefore analyse which
lawful ground for processing they will rely upon in any particular
circumstance.
Whilst consent is
undoubtedly an appropriate ground for processing in many cases and will usually
be obtained by a signed consent form or in some cases by implication, since
under the GDPR consent has to be as easily capable of being withdrawn as given
it may be appropriate to consider some of the other lawful grounds.
Some research
activities may well fall within the area of public interest or statutory duties
where the researcher is part of a public authority or a government agency or is
contracted to those organisations. Article 89 of the GDPR also provides that
Member States may provide derogations to enable processing for scientific or
historical research purposes, so do check your local law.
Another lawful ground
that may be of value is that of legitimate interest provided that the
legitimate interest of the research business to carry out research is not
overridden by the individual rights of data subjects who may be the target of
the research.
In many instances
research may be carried out by direct interview with individuals but in some
instances data may be scraped from publically available sources and in that
instance direct consent will not be obtained and therefore it is useful for
researchers to be aware that it may be lawful to process personal data when it
has been manifestly put into the public domain for example on social media
sites.
5. Ethics by design
Whilst privacy by
design and security by default are still somewhat cliché phrases which
highlight the need to embed data protection by design into processes and
systems, whilst at the same time ensuring technical, organisational and
physical security into businesses and their management of processing personal
data, ethics by design is emerging as the next standard.
Researchers need to
not only address privacy and security but also consider how to embed ethics
into their operations particularly with regard to processing of personal data
in circumstances that might not be anticipated by individuals. Moreover, as
consumers reinforce their rights, and as investors place value on ethical
positions, and as regulators focus on those who fail to “do the right thing”,
so ethics by design will keep researchers asking about their methodologies the
question of “just because we can, does not always mean we should!”