Research Data Management: Data Protection
At a Glance
- The General Data Protection Regulation (GDPR) came into force on 25 May 2018.
- GDPR applies to any research that uses personal data, including scientific research and studies in the arts and humanities.
- It is important to know that Ireland has introduced detailed Health Research Regulations that anyone who works with health-related personal data needs to be aware of.
- Informed consent must be gained for preservation and/or sharing of personal data.
- Consider anonymisation of personal data for preservation and/or sharing (truly anonymous data are no longer considered personal data).
4 Legal and ethical requirements, codes of conduct
4a If personal data are processed, how will compliance with legislation on personal data and protection of sensitive data be ensured?
Points to consider:
- Ensure that, when dealing with personal data, data protection laws (for example GDPR) are complied with:
  - Gain informed consent for preservation and/or sharing of personal data.
  - Consider full anonymisation of personal data for preservation and/or sharing (truly anonymous data are no longer considered personal data).
  - Consider full pseudonymisation of personal data (the main difference with anonymisation is that pseudonymisation is reversible).
  - Consider encryption (the encryption key must be stored separately from the data, for instance by a trusted third party).
- Explain whether there is a managed access procedure in place for authorised users of personal data.
- Describe the main risks to data protection, particularly if your data is sensitive (for example, containing personal data, politically sensitive information, or trade secrets), and how these will be managed.
- Explain which institutional data protection policies are in place.
General Data Protection Regulation (GDPR) 2016/679
General Data Protection Regulation (GDPR) 2016/679 is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. It also addresses the transfer of personal data outside the EU and EEA areas. GDPR applies to any research that uses personal data, including scientific research and studies in the arts and humanities. It is important to know that Ireland has introduced detailed Health Research Regulations that anyone who works with health-related personal data needs to be aware of.
Sensitive data means any information that needs to be protected against unnecessary disclosure for legal, ethical, privacy or commercial reasons. Examples include personal data, ecological data, confidential data or data that are otherwise deemed sensitive.
Personal data means any information concerning or relating to a living natural person who is either identified or identifiable (such a person is referred to as a ‘data subject’).
An individual could be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (such as an IP address) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.
Special category data:
- Personal data revealing racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data and biometric data processed for the purpose of uniquely identifying a natural person
- Data concerning health
- Data concerning a natural person’s sex life or sexual orientation
Processing of these special categories is prohibited, except in limited circumstances set out in Article 9 of the GDPR.
Other types of sensitive personal data:
In addition to 'special category' data there are other types of personal data that require extra protection. These data include: criminal convictions or the alleged commission of an offence; and financial data. A data subject has additional rights in relation to the processing of any such data, and consequently a data controller has additional responsibilities.
Anonymisation of data means processing it with the aim of irreversibly preventing the identification of the individual to whom it relates. Data can be considered effectively and sufficiently anonymised if it does not relate to an identified or identifiable natural person or where it has been rendered anonymous in such a manner that the data subject is not or no longer identifiable.
Pseudonymisation of data means replacing any identifying characteristics of data with a pseudonym, or, in other words, a value which does not allow the data subject to be directly identified.
Data which has been irreversibly anonymised ceases to be 'personal data'. However, a person does not have to be named in order to be identified. If there is other information enabling an individual to be connected to data about them, which could not be about someone else in the group, they may still 'be identified'.
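The distinction above, as an added example that is not part of the UCD guidance: direct identifiers are replaced with a keyed pseudonym, and the result is then checked for records that remain unique on the attributes left in the dataset. The records are constructed, the function and field names are hypothetical, and HMAC-SHA256 is one possible way to derive a pseudonym, chosen here as an assumption.

```python
import hmac
import hashlib
from collections import Counter

# Constructed sample records (not real data): one direct identifier plus
# quasi-identifiers that stay in the dataset after pseudonymisation.
RECORDS = [
    {"name": "Aoife Byrne", "birth_year": 1984, "county": "Dublin", "score": 12},
    {"name": "Sean Murphy", "birth_year": 1984, "county": "Dublin", "score": 17},
    {"name": "Niamh Kelly", "birth_year": 1990, "county": "Dublin", "score": 9},
    {"name": "Liam Walsh", "birth_year": 1990, "county": "Dublin", "score": 14},
    {"name": "Ciara Doyle", "birth_year": 1951, "county": "Leitrim", "score": 21},
]

DIRECT_IDENTIFIERS = ("name",)
QUASI_IDENTIFIERS = ("birth_year", "county")


def pseudonym(value: str, key: bytes) -> str:
    """Keyed pseudonym: only a holder of `key` can recompute and re-link it."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key: bytes):
    """Replace direct identifiers with a pseudonym; keep every other field."""
    out = []
    for rec in records:
        row = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        row["pid"] = pseudonym(rec["name"], key)
        out.append(row)
    return out


def unique_on_quasi_identifiers(rows, quasi=QUASI_IDENTIFIERS):
    """Return rows whose quasi-identifier combination occurs only once."""
    counts = Counter(tuple(r[q] for q in quasi) for r in rows)
    return [r for r in rows if counts[tuple(r[q] for q in quasi)] == 1]


if __name__ == "__main__":
    # Assumption: in practice the key is generated randomly and stored apart
    # from the dataset; a fixed constructed value keeps this run repeatable.
    key = b"constructed-demo-key-kept-separately"
    shared = pseudonymise(RECORDS, key)
    for row in unique_on_quasi_identifiers(shared):
        print("still identifiable by combination:", row)
```

The single Leitrim record is flagged even though its name is gone, because no one else in the group shares its birth year and county.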
UCD guidance: Data Protection
Files which contain personal data and confidential university information can be stored in Google Drive and Novell Drive (NetStorage). Investment has been put into ensuring that these solutions meet a high standard of security and data protection and are continually monitored and managed. Multi-Factor Authentication (MFA) is mandatory for all staff Google accounts; it adds an important layer of protection to IT accounts and helps secure and protect research data.
It is important to note that personal data cannot be moved outside the EEA, which also means server locations are important. An assessment needs to be undertaken of whether the transfer of personal data beyond the EEA can be legally facilitated or not. All data in Google Drive are stored in the EU.
The Shared Drives feature of Google Drive lets you create a shared drive and sub-folders for your team and projects. This allows you to manage centrally what information is saved by your team and with whom it is shared, especially any sensitive or personal data. It also ensures that shared files are not lost if their owner leaves the team.
Consider whether you need to complete a Data Protection Impact Assessment (DPIA).