This blog post provides a brief overview of a workshop organised for the London Area Research Data (LARD) group on the implications of the General Data Protection Regulation (GDPR) for research data management. The event was held at the London School of Hygiene & Tropical Medicine on November 17, 2017. It was organised by Gareth Knight (LSHTM), in conjunction with Helen Porter (SOAS) and Laurence Horton (LSE). A second write-up of the session has been produced by Laurence Horton.
Gareth Knight, LSHTM’s Research Data Manager, opened the session by emphasising the importance of ensuring GDPR awareness across all levels of the university. The new GDPR legislation comes into force in May 2018, but he noted relatively little guidance existed tailored to the needs of research support staff. The meeting was intended to partially address this need by providing attendees with a better understanding of GDPR and an opportunity to discuss its implications for research data management. The topic clearly struck a chord with many people, attracting almost 70 attendees. Gareth emphasised that this was just the first step, with a need for follow-on events to improve understanding and compare implementations as we get closer to the May deadline.
GDPR and Research Data Management: An Introduction – Tim Rodgers (Imperial College London)
Tim Rodgers of Imperial College London provided a gentle introduction to GDPR. GDPR was described as a set of rules that governed how organisations process personal data on data subjects (some of whom could be research participants). As part of the changes introduced by GDPR, the definition of personal data will be broadened to include machine-generated data generated through device use, such as location, cookies, and IP addresses, among others. Data subjects are also given additional rights over how information about them is used.
To address GDPR, organisations must adopt a “Privacy by design” strategy, implementing technical and organisational measures that enables them to protect data subject information and address associated risks. They must also demonstrate ethical compliant, maintaining evidence on how and when consent to collect and use information was obtained, and provide opportunities for individuals to view and correct information stored about them, or withdraw consent for its use (with some qualifications). Further information on these may be found in the 12 Steps to preparing for GDPR guide.
Although GDPR compliance requires significant work to implement, Tim argued it will benefit academic research over time. GDPR harmonises the rules surrounding the performance of scientific, historical and health research across the European Union, which will make it easier to collaborate across countries. The need to produce a ‘Privacy Impact Assessment’ to ensure the rights of the data subject are taken into account when performing research will also help researchers to recognise and fulfill their ethical obligations.
GDPR: The JISC Perspective – Paul Stokes (JISC)
Paul Stokes, Senior co-design manager at JISC, made extensive use of Sli.do to lead a dynamic discussion on the support needs of research support staff attending the event. Paul had been given only 1 day notice by his manager that he would have to attend, so we were extremely pleased that he could make such an extensive contribution to the session.
After determining that 95% of those who voted believed they would be directly affected by GDPR (with only 5% believing it was someone else’s problem within the institution), Paul moved on to describe the GDPR resources in-development at JISC and asked for suggestions on topics that would be helpful to cover in a forthcoming GDPR for RDM toolkit. Attendees provided a huge response (most of which I wasn’t able to note), with notable requests highlighting the need for guidance on the implications of GDPR for specific resource types and research communities (including health, economics and social scientists), sample GDPR-compliant Data Processor Agreements (DPAs) for use, GDPR compliant data processing services (via Research Data Shared Services), as well as online and face-to-face training and consultancy services to help them get up to speed.
GDPR Preparation at the UK Data Archive – Scott Summers (University of Essex)
Scott Summers gave an enlightening talk on the GDPR preparatory work being performed at the UK Data Archive. The UKDA have been monitoring the new data protection legislation for several months and are working to update their policies, procedures and guidance to reflect the new legislation. However, it remains a work-in-progress, which will continue into 2018 and potentially beyond.
Scott noted that GDPR was just one of several requirements that researchers must address in their research. GDPR, like the Data Protection Act 1998, applies to living individuals only; there remains a need to consider the broader ethical issues associated with research.
The UKDA considers the GDPR principles to be entirely reasonable – research participants should be provided with clear information on the purpose of the research, the power to influence how their personal data is used, and the right to be forgotten. The real challenge is how to GDPR interpret it at the institution level – the UKDA must consider its responsibilities as a data processor and the implications for University of Essex as a data controller.
GDPR Article 89, which specifies the safeguards associated with processing personal data for scientific, historical research, or statistical purposes, is a particular area of interest at the moment. This establishes the data subjects’ rights to access, correct, and object to data processing performed for research purposes, as well as limitations that may be applied.
Scott concluded by describing a few of the resources being developed by the UKDA in collaboration with other institutions. In addition to the updates to UKDA policy, they will also be re-developing their informed consent guidance and templates, and contributing to a CESSDA online training module that will cover some of the legal and ethical issues in GDPR.
Issues of Consent in Anthropological and Ethnographic Research – Helen Porter (SOAS, University of London)
Helen Porter of SOAS provided a short ‘flash talk’ on the issues encountered when SOAS updated their code of practice for use of personal data recently. Although consulted researchers agreed that data protection must be addressed, it raised several interesting scenarios where anthropological and ethnographic research performed in other countries and cultural contexts may become impossible to perform if rigid compliance was necessary.
The code of practice indicates that meaningful consent can only be provided if the data subject is asked directly, has a genuine choice and is able to withdraw without detriment. However, this could prove challenging when working in communities where cultural norms dictate that village elders provide consent on behalf of a village, or when male family members are required to provide consent on behalf of females. She also questioned the amount of information needed to enable meaningful consent. Does the person need to understand internet distribution methods and digital licences to provide consent?
Helen concluded by suggesting there was a need to recognise the cultural norms in place when collecting and storing data. Different cultures have different interpretations of what constitutes a private vs. public space, as well as different power relationships which affect how you collect data and obtain consent. It is important to allocate additional time to build relationships with research participants and improve awareness within the environment in which research is taking place.
Information Security and GDPR – Laurence Horton (London School of Economics)
The final flash talk was provided by Laurence Horton, Data Librarian at the London School of Economics, who spoke on the information security implications of data protection. He began by noting that the easiest way to manage personal data is not to collect it. However, where it must be collected, it essential that researchers are made aware of their contractual, legal, and ethical obligations and take steps to address these. For instance, apply technical controls to limit access, use encryption to digitally secure it, ensure it is held in a physically secure location, and provide secure deletion facilities.
Laurence went on to describe how LSE researchers are made aware of data protection requirements. LSE actively promote the UK Office of National Statistics ‘Five Safes’ for projects, people, settings, data, and outputs, maintain a data classification policy that can be applied to their storage systems, have produced an encryption matrix to guide researchers on the different options available, and are actively working towards ISO27001 compliance for their storage systems at the moment.
Thanks to everyone who attended the workshop and to my co-organisers, Helen Porter and Laurence Horton, for making the event interesting!