Good data protection practice and ethics are essential in research, not only to comply with the law but also to meet the expectations of the individuals who may be the subject of research.
In developing a trusted relationship, researchers need to follow ethical principles as well as meet expectations of confidentiality and privacy.
In 2020 more data protection laws are being developed around the world. Whilst the EU General Data Protection Regulation (GDPR) has focused many researchers’ minds on compliance, there are more than 140 countries with data protection laws, and many take approaches similar to the GDPR. Furthermore, regulators around the world are enforcing the rights of individuals against organisations that process personal data unlawfully or without transparency.
The five important issues to consider are:
1. Transparency and Accountability
Data protection principles require that, when any personal data is being processed, researchers must provide transparent and plain-language information to the individuals whose data may be collected and analysed. Researchers should ensure that they have available a Fair Processing Notice or Privacy Notice that informs individuals of who is processing the personal data, with whom that personal data may be shared, the purposes for which the data will be used, for how long it will be retained, and what rights and privileges individuals have in relation to their personal data.
In order to demonstrate accountability, the researcher as a controller must have appropriate policies and procedures in place: not only the Privacy Notice but also a record of processing activities, a process for dealing with individuals’ rights requests, a process for using data protection impact assessments, a data retention and destruction policy, and a policy for the control of sub-contracted research organisations and of any international transfers of personal data in the course of research.
The above is not an exhaustive list of policies and procedures.
2. Understanding the nature of the personal data
It is essential to identify the nature of the personal data being collected during research, because the more sensitive the data, the greater the compliance obligations.
The GDPR defines personal data as “any information relating to identified or identifiable natural persons who can be identified directly or indirectly, in particular by reference to an identification number or to one or more factors specific to their physical, psychological, genetic, mental, economic, cultural or social identity”.
The concept of personal data includes any sort of information about a person whether objective or subjective.
The GDPR lays out more stringent obligations for researchers to consider where the personal data consist of “special categories of data” or “information relating to suspected criminal activities”.
These particular sensitive data categories are those revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data relating to sexual orientation or activity.
If, as a researcher, you intend to process these special categories of data or information relating to criminal activity, you will need to satisfy stricter conditions in order to process that data lawfully.
3. Controller or Processor?
Researchers should consider whether, in the course of their work, they are acting as a controller or as a processor in relation to personal data, because the obligations and liabilities of a controller differ from those of a processor.
If the researcher is independently carrying out research whose outcomes will be marketed to customers, then the researcher is likely to be a controller and as such will need to comply with all of the controller obligations of the GDPR, and of similar legislation in other parts of the world should it apply.
If, however, the researcher is acting on the instructions of a client, is directed to research certain individuals or categories of individuals, and delivers the outcome to the client as a report, then the researcher is a processor and most of the liability for data protection compliance rests with the client.
If the research company is the controller and is located within the EU, so that the GDPR applies, it will be responsible for providing appropriate transparent information to each individual and will need to have in place the compliance policies and procedures mentioned in section 1 above.
If the research company is acting as a processor, it will still have obligations under the GDPR (where that applies) and should anticipate that clients will want reassurance, both practically and contractually, that the research company will support the client in its role as a controller and meet its own obligations as the processor.
4. Lawful grounds for processing
The GDPR and other emerging similar laws around the world lay down certain lawful grounds for processing personal data. Whilst consent receives the most attention, it is not the only lawful ground for processing. Researchers should therefore analyse which lawful ground for processing they will rely upon in any particular circumstance.
Consent is undoubtedly an appropriate ground for processing in many cases and will usually be obtained by a signed consent form or, in some cases, by implication. However, under the GDPR consent must be as easy to withdraw as it is to give, so it may be appropriate to consider some of the other lawful grounds.
Some research activities may well fall within the area of public interest or statutory duties where the researcher is part of a public authority or a government agency or is contracted to those organisations. Article 89 of the GDPR also provides that Member States may provide derogations to enable processing for scientific or historical research purposes, so do check your local law.
Another lawful ground that may be of value is legitimate interest, provided that the legitimate interest of the research business in carrying out research is not overridden by the individual rights of the data subjects who may be the target of the research.
In many instances research may be carried out by direct interview with individuals, but in some instances data may be scraped from publicly available sources, in which case direct consent will not be obtained. It is therefore useful for researchers to be aware that it may be lawful to process personal data that has been manifestly put into the public domain, for example on social media sites.
5. Ethics by design
“Privacy by design” and “security by default” are still somewhat cliché phrases, but they highlight the need to embed data protection by design into processes and systems, while at the same time building technical, organisational and physical security into businesses and their management of personal data processing. Ethics by design is emerging as the next standard.
Researchers need not only to address privacy and security but also to consider how to embed ethics into their operations, particularly with regard to processing personal data in circumstances that individuals might not anticipate. Moreover, as consumers assert their rights, as investors place value on ethical positions, and as regulators focus on those who fail to “do the right thing”, ethics by design will keep researchers asking of their methodologies: “just because we can does not always mean we should!”