GDPR and Social Surveys: The Opportunities in Practice
14 January 2019
Debrah Harding, Managing Director, MRS
Agenda Topics
• Overview of GDPR: legislative framework; impact of Brexit; reminder of some key concepts
• Public interest research: definition of public interest; who can undertake research in the public interest; using public task as a ground for processing
• Scientific and statistical research: collecting special category data
• Research exemption: data subject rights; adaptations to the data protection principles
Objectives for Today
To help you and your colleagues:
• Increase awareness of the legal privacy and data framework for research
• Identify differences between GDPR and the Data Protection Act (DPA) 2018 for research, specifically for public interest and scientific research
• Highlight key actions for researchers to ensure GDPR and DPA 2018 compliance
• Update on new research sector guidance
Some context: Regulation v. national law
• Previous privacy framework was a Directive: each EU state had its own law and its own interpretation
• GDPR is a directly applicable Regulation: GDPR is the same in each Member State…but Member States can legislate on specific areas or activities which are subject to ‘derogations’
• Research is a derogation
• Need to understand GDPR plus relevant domestic legislation: in the UK, the Data Protection Act 2018
Some context: Brexit
• GDPR has applied since 25th May 2018
• The UK Data Protection Act 2018 received Royal Assent in May 2018 to bring GDPR into national law
• New draft legislation – The Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 – has also been prepared to ensure that the data protection legal framework continues to function after Brexit
• New legislation amends the Privacy & Electronic Communications Regulations 2003 (PECR) and the DPA18, and introduces the “UK GDPR”
The Regulators
• In the UK the Information Commissioner’s Office (ICO) regulates the Data Protection Act 2018
• In the EU the European Data Protection Board (EDPB) regulates the GDPR – after March 2019 the ICO will no longer be part of the EDPB
• For EU cross-border complaints where UK citizens or UK businesses are involved…not clear yet what will happen
Some Concepts: 3 Types of Data
• Personal Dataset: identified data, e.g. name, postcode, health information
• Pseudonymised Dataset: de-identified data, e.g. unique identifier
• Anonymised Dataset: non-identifiable data
Some concepts: Obligations
Data Controller(s):
• Lead responsibility
• Direct responsibilities, e.g. required to conduct a DPIA; point of contact for individuals; audit of DP responsibilities
• Contractual obligations
Data Processor:
• Direct responsibilities
• Contractual obligations, e.g. seek approvals to appoint a sub-processor or for data transfers out of the EEA
But also similar obligations for both:
• Appointment of a DPO; record-keeping; technical and organisational measures; privacy by design and default; lawful basis for processing; data breach notification
Key concept: Processing research data
Options available for research processing:
• Consent – specific, informed and freely given consent through clear affirmative action
• Legitimate interest – based on reasonable expectations and provided it does not override the rights of individuals (research is a compatible purpose)
• Public interest – processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority vested in the controller
• Other grounds – such as: contract; compliance with a legal obligation; vital interests of the data subject
Public Interest Research – the what
• Public interest is not defined in GDPR or UK DPA18
• Specific ICO guidance for freedom of information and environmental information regulations, plus public law proceedings via the UK courts
• ONS Research Code of Practice and Accreditation Criteria (developed for the Digital Economy Act)
• Broad understanding:
  • public interest represents collective interests
  • promotes wider values than purely economic or market issues
  • takes account of all, including citizens
Public Interest Research – the who
• Public task as a processing ground for research
• Processing is necessary for…
  • the performance of a task carried out in the public interest;
  • or in the exercise of official authority vested in the controller
• For a public task which is in the public interest the controller must be a public authority
• Must be based on authority in law, but includes organisations with research as an incorporated or statutory purpose, e.g. NHS, universities
Public Interest Research – the process
• Does the underlying task, function or power have a clear basis in law?
• What is the public interest being pursued?
• Is the processing necessary for the public interest?
• Do the data subject’s rights override the public interest being pursued?
Public Interest Research – in practice
• HMRC collects extensive personal data provided largely for the purposes of tax assessment and collection.
• If HMRC wishes to carry out research that is directly related to improving how HMRC carries out its functions, it could do so under the “public task” processing conditions – rather than other conditions such as informed consent
• However HMRC could still decide to follow other processing grounds, such as informed consent, due to wider research and ethical considerations
• Such considerations and decisions must be documented to demonstrate why an approach was selected and on what basis
Public Interest and Scientific Research – the data
• DPA18 has additional specific conditions for “substantial” public interest research, separate from a public task, which is for:
  • Archiving purposes in the public interest
  • Scientific or historical research purposes
  • Statistical purposes
• To use the specific conditions, the processing must be:
  • Necessary for archiving purposes, scientific or historical research purposes or statistical purposes
  • In the public interest
• DPA18 sets out an extensive list of specific activities deemed to meet substantial public interest
• Still need to have a legal ground for processing personal data
• Can use this to process ‘special category data’ without consent, assuming all other conditions are met (necessary, with appropriate safeguards, meets the public interest test)
• The controllers could be public or private in order to use these conditions
Public Interest and Scientific Research – in practice
• Special category data (race, ethnicity, religion etc.) and/or criminal convictions data may be collected as demographic data for research classification purposes
• The data might also be collected for equal opportunities monitoring
• If the latter, which is substantially in the public interest, the public interest and scientific research conditions can be used
• Such data could be collected by either public or private organisations; the condition will apply irrespective of the type of controller collecting the data
Research exemption
• Personal data that are processed for scientific or historical research purposes, statistical purposes or archiving purposes in the public interest have access to a research exemption; there is no need to undertake a public interest test except for archiving
• The exemption recognises the importance of personal data in providing a strong science base, ensuring quality and reliability
• It is not an automatic exemption. To use it controllers must consider:
  • Necessity of processing
  • Extent to which full compliance would impair research processing
• Appropriate safeguards must be met, which include:
  • Not for measures or decisions with respect to a particular data subject
  • No likelihood of substantial damage or substantial distress
• Other requirements such as technical and organisational measures are still required, plus any resulting research results must be published
Research exemption
What it means:
• Exemptions and exceptions from certain data subject rights, such as objecting to processing, restricting processing and data rectification
• Exceptions from provisions on the right to be informed and the right to erasure
• Limits the application of purpose and storage limitation, so data can be used for other research purposes and kept for longer periods
• Some isolated transfers outside the EEA if to increase knowledge
• Some limitations on the right of data access if disproportionate effort
• Longitudinal projects, cohort studies, multiple wave research projects – projects where there is a need to keep data for a long time, and/or have information about participants for a long time – might find the research exemptions of most use