Policy purpose

Alexander College is dedicated to the advancement of knowledge, learning and understanding in the service of society. This policy sets out Alexander College’s requirements for the curation of research data in pursuit of this goal. The policy outlines a framework of support to enable the management of research data so that the benefits of open research data can be realized, subject to compliance with legal, ethical, regulatory, contractual, intellectual property protection and other legitimate requirements.

Does GDPR apply to my research data?

GDPR is only concerned with information which can be used to identify living people. GDPR does not apply if your research involves only fully anonymised data (so there is no way of linking it back to the individual it relates to, including through use of a code or numerical identifier). Pseudonymised data (partially anonymised) is covered by GDPR as it could be used indirectly to identify individuals.

Personal information includes name, ID number, location (including IP address and data from cookies), online identifiers, physical and physiological factors, biometrics, and genetic, mental, economic, cultural or social identity.

‘Special category’ personal information is particularly sensitive and requires additional conditions to be satisfied under GDPR (see Special Category Data, below). Special category data includes racial/ethnic origin, political opinions, religious/philosophical beliefs, trade union, genetic and biometric data, health, sex life, and sexual orientation.

How does GDPR impact on me?

If you are dealing with identifiable information you have a responsibility to keep the data safe, keep data subjects informed and report any breaches.

Documentation

GDPR requires data controllers to keep a written record of data processing. We strongly recommend you create a Data Management Plan (DMP), if you don’t already have one, and keep it up to date. Your research funder may have requested a DMP as part of your funding application. Your DMP, along with your ethical planning documents, privacy notices (see below) and, if needed, a Privacy Impact Statement (see below) should be used to record the nature of the data you will collect, any re-use of existing data, your justification for processing data, and data security and retention policies.

Alexander College policies also contribute to your documentation. For example, our student data collection notice documents the College’s ‘appropriate organisational and technical measures’ for safeguarding students’ data.

It will be essential when thinking about further use of data collected to check this documentation to ensure that you are not straying beyond the arrangements described at the point of collection. If the arrangements for data use are not documented there, it will be important to update participants.

Should I seek consent to process personal data?

The answer is probably ‘no’. There are six different legal justifications for processing identifiable information; ‘consent’ is just one of them. As a general principle researchers should look for another legal basis before fixing on consent, in part due to a data subject’s right to withdraw consent at any time.
 
The College gives researchers the power to “make provision for research and for the advancement and dissemination of knowledge” and this provides our legal basis for the processing of data for research purposes. We therefore expect researchers to stipulate the legal basis for processing data as ‘public task’.

However, there will still often be a requirement to obtain consent to participate in a research activity where sensitive data (e.g. racial or ethnic origin, physical or mental health conditions and particular criminal convictions) are processed.

Privacy notices

When collecting data, it is important that researchers explain to people what will happen to their data. Although this information can go into participant information sheets, consent forms, etc, ‘privacy notices’ do have a number of mandatory elements that might not be met by other information supplied to research participants. Privacy notices need to be:

  1. Concise, transparent, intelligible and easily accessible
  2. Written in clear and plain language, particularly if addressed to a child
  3. Accessible free of charge

Aim to address the following questions:
What information is being collected? Who is collecting it? How is it collected? Why is it being collected? How will it be used? Who will it be shared with? What will be the effect of this on the individuals concerned? Is the intended use likely to cause individuals to object or complain? How long is it intended to be held for?

Researchers will need to consider how best to circulate privacy notices: this could be online, paper based or verbal.

It may not always be possible, at the outset of a research project, to know what processing activities will be carried out on personal data collected as part of the research. Further processing must be compatible with those activities stated in the original privacy notice.

Secure data storage

Identifiable information should never be stored on an unencrypted device.

Handling subject access requests

Under GDPR, everyone has the following rights over their own personal data:

  1. The right to be informed of the collection and use of their personal data
  2. The right to access their personal data
  3. The right to have inaccurate or incomplete information corrected
  4. The right to have their personal data erased
  5. The right to request that you restrict the ways in which their personal data is processed
  6. The right to a copy of their personal data in a portable, machine readable format
  7. The right to object to processing of their personal data
  8. The right to be informed of any automated individual decision-making or profiling, and the right to challenge such decisions

However, if you are processing data for research purposes then your activities are exempted from many of these rights provided that certain conditions are met (see below). Specifically, your data subjects will retain:

  1. The right to be informed of the collection and use of their personal data
  2. The right to be informed of any automated individual decision-making or profiling, and the right to challenge such decisions

If data subjects can be identified in the published results of your research then they also retain the right to access their personal data.

If a data subject makes a request relating to one of these rights, you must inform the Data Protection Office (dpo@alexander.ac.cy).

Conditions for processing for research and statistical purposes

Your data processing must meet certain conditions in order to qualify for the ‘research or statistical purposes’ exemptions to data subject rights. Specifically, you must:

  • Follow the principle of data minimisation (collect no more personal data than is needed for your research)
  • Anonymise your data as far as possible and at the earliest opportunity 

In addition, if your data processing is likely to cause harm or distress to data subjects then you have not met the requirements for processing for research purposes, and the exemptions will not apply.

Reporting data breaches

If you suspect a data breach has occurred you must inform the Data Protection Office (dpo@alexander.ac.cy). To do this, do not rely on email alone but confirm that the breach has been formally logged. Reporting possible incidents as early as possible is vital as the College is subject to time limits governing how quickly we must undertake certain actions in response to a data breach.

How long should I keep different types of data?

This depends on the type of data; you should contact the Data Protection Office (dpo@alexander.ac.cy) regarding retention periods.

Special category data

Special category data may be processed provided that there is a lawful basis for processing (probably ‘public task’, as before), AND that another specific condition is met. There are a number of conditions for processing special category data but the one most likely to be suitable for research is if processing is necessary for “scientific or historical research purposes or statistical purposes”. You must ensure that the principle of data minimisation is respected when collecting special category data: you should identify the minimum amount of special category data you need to properly fulfil your purpose, and hold no more than that.

See Article 9 EU GDPR “Processing of special categories of personal data” and Article 6 EU GDPR “Lawfulness of processing”