What does the GDPR mean for Data Partners engagement with the CDRC?
Research organisations and their stakeholders, including Data Partners, have a greater responsibility under the GDPR than under the DPA, so it is more important for them to understand the principles of data protection.
Provisions relating to data sharing: you will need to identify whether the relationship between CDRC and stakeholders is one of Data Controller-Data Controller or Data Controller-Data Processor.
Where there are Data Controller to Data Processor arrangements between CDRC and any Stakeholder, the GDPR requires that there are written arrangements in place documenting the arrangements.
CDRC and its stakeholders will need to review existing agreements in place between them. These agreements are likely to need amendment to make them GDPR compliant, particularly in relation to the issues around identifying categories of Personal Data and the purpose of the processing (i.e. granularity).
Can I still make use of the CDRC's existing datasets following the implementation of the GDPR?
In order to make use of existing personal datasets, you will need to ensure that by 25th May 2018 your processing is compliant with the GDPR.
You will need to consider the seven overarching principles set out above and ensure that you have a lawful basis for processing the personal data that you already hold.
This may involve a certain amount of housekeeping on your existing datasets as there are currently no “grandfathering” provisions. In any event, you should keep a written record of your reviews so that you are able substantiate your conclusions about GDPR compliance.
The CDRC will keep records of the lawful bases for holding personal data for research. A Transparency Notice will also be maintained and be available on the CDRC website. Personal data are held within the CDRC secure laboratories (ISO27001 accredited or Police Assured Secure Facility). All outputs from the secure laboratories undergo stringent checks to ensure no personal or disclosive data are released. The CDRC will undertake an audit of all project approvals granted prior to GDPR and Users affected will be made aware of any issues.
How can I meet the requirement to achieve the principle of data minimisation when carrying out my research?
When carrying out research using Personal Data the aim is ideally to anonymise the data so that the data is no longer subject to the constraints of the GDPR and you have greater freedom to use it.
Anonymous data is defined by the GPDR as “information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.” The GDPR provides that it does not concern the Processing of such anonymous information, including for statistical or research purposes.
If anonymisation cannot be achieved, steps should be taken so that the smallest possible risk is run that the Personal Data being used could be used to identify or linked to an individual. The GDPR encourages researchers to mitigate this risk using pseudonymisation.
Pseudonymisation is defined as “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information and that additional information must be kept separately and subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable person.”
When does a Transparency Notice need to be provided?
Under the GDPR there is an obligation to provide individuals with certain information about what you are going to do with their data. This includes:
- your identity and contact details;
- what personal information you are collecting about them;
- how you are collecting it;
- the grounds that you are relying on for the processing of the personal data (such as necessary for legitimate purpose);
- the purpose for the processing;
- who you are sharing their data with;
- how long you are keeping their data for;
- if you are transferring the information outside the EEA; and
- that they can complain to the ICO if they are unhappy with your handling of their personal data.
Special Note: Direct collection v. indirect collection
If you are collecting personal data directly from a data subject, you must give them the transparency information detailed at above when you collect the personal data from them.
You will regularly be collecting personal data from sources other than the individual that the data is about (i.e. indirectly). This may be:
- by obtaining the date from a commercial third party, such as a loyalty card provider;
- from publicly available records such as census data; or
- by covert measures such as the use of sensors or CCTV.
You must be sure that when the collection of the data took place, the transparency requirements were complied with. This may involve asking third parties collecting the data to confirm that they fulfilled the transparency requirements of the GDPR. However, it will remain your responsibility to satisfy yourself that the third parties’ responses do in fact indicate compliance. Where these records are public records there is specific authority in the GDPR for the use of those datasets. If you are responsible for collecting data by covert means, you must meet the transparency requirements yourself.
When you are collecting data from third parties, this obligation will not apply to your research purposes where the provision of such information to the individuals will be impossible or involve a disproportionate effect. Where provision of this transparency notice to each data subject would be impossible or involve a disproportionate effort, there are special provisions: please see the flowchart titled ‘Schedule 1: The General Data Protection Regulation’. However, you will still need to make this information publicly available (e.g. by publishing it on your website).
What techniques can I use to help achieve the principle of data minimisation?
The precise context and circumstances in which a research project is carried out and its objectives will have a direct impact on the techniques which should be employed to ensure respect for the principle of data minimisation.
Techniques that can be used to help achieve the principle of data minimisation include:
- removal of one or more variables that directly or indirectly identify individuals from the data;
- aggregation of data so that only totals are shown, and removing records where an individual can be identified despite the application of other protection techniques.
- global recoding – this method makes variable values less specific, and therefore the data less informative. An example of this is instead of using a postcode of an individual, you might group them by area of the country so that a London postcode becomes South-East, or use age ranges rather than specific ages of individuals;
- hashing the data – this means to use an algorithm to map data to a fixed length, which cannot then be reversed; and
- salting the data – this involves adding an extra secret value to the end of an input and extending the length of the original data.
Before undertaking a research project you should carry out an assessment to decide on the techniques to be used. Assessing the appropriate techniques to use is in fact carrying out a data privacy impact assessment on the project being planned. The results of this assessment should be documented and passed to your data protection officer for accountability purposes.
At the CDRC we wherever practical for research purposes acquire and make available pseudonymised, anonymised, aggregated or hashed data.
When carrying out research as part of CDRC, do all the obligations set out in the GDPR apply?
Processing Personal Data for scientific or historical research purpose or statistical purposes is exempt from certain provisions of the GDPR, provided that there is a Lawful Basis for the research (the Research Exemptions). The Research Exemptions may not cover all academic research.
The definition of research under the GDPR is very wide, and indicates that social science research is part of scientific research. This means that the research that the CDRC and its partners are doing is likely to be ‘research’ for the purposes of being able to take advantage of the Research Exemptions.
However, all Processing in relation to which you wish to rely on the Research Exemptions must comply with (a) the GDPR safeguard requirements and (b) the Data Protection Bill safeguarding requirements.
(a) The GDPR safeguarding requirements
In order to rely on the Research Exemptions the GDPR states that the research must be carried out subject to appropriate safeguards for the rights and freedoms of the Data Subjects .These safeguards must ensure that technical and organisation measures are in place in particular to ensure respect for the principle of data minimisation.
(b) The Data Protection Bill safeguarding requirements
The Data Protection Bill as currently drafted stipulates that in order to rely on the Research Exemptions you must also ensure that the Processing complies with the following two safeguarding conditions which mirror those currently in place under the current Data Protection Act regime:
- the Processing must be subject to appropriate safeguards for the rights and freedoms of the data subject if it likely to cause substantial damage and distress to a data subject; and
- the Processing must not be carried out for the purposes of measures or decisions with respect to a particular Data Subject.
The CDRC ensure safeguarding requirements are adhered to through the Research Approvals Process whereby CDRC Users are required to provide detail on their planned use of CDRC data, proposed outputs and ethical approval for the work. Our independent review process ensures that the Data Partner(s) in question are aware of how their data will be used and agree to the research and that our independent academic review process ensures that the research has scientific merit and/or is for the benefit of society. Access to CDRC personal data is controlled and analysis undertaken within the secure environment with outputs checked to ensure results are not disclosive.
How can data be linked and loosely coupled?
All such processing should be done in accordance with the data minimisation principle.
The main issue you will need to consider is whether by linking or loosely coupling the personal data you are profiling individuals. We set out below the considerations relating to profiling.
If the linking or loose coupling do not result in profiling, then the processing activity is not affected by the special requirements.
What is profiling and why does it matter?
Profiling means: any form of automated Processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Profiling forms the basis of a wide range of scientific research. Compiling datasets together is an important feature of your research. The process of compiling the datasets can result in an individual being profiled.
Under the GDPR profiling means any form of automated Processing of personal data to evaluate certain personal aspects. The GDPR says that individuals have the right not to be subject to decisions made automatically that provide legal effects or significantly affect these individual.
The right not to be subject to automated decisions does not apply where:
- the decision is necessary to fulfil a contract with the individual;
- the relevant processing is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
- the decision is based on the explicit consent of the individual.
However, if the profiling of personal data in the research does not result in making any decisions that that significantly affects the individual, then the profiling provisions will not apply. It may, however, be an issue to be addressed by those who use the results of your research and a holistic view should be taken at the outset to identify data protection law issues. You may wish to consider addressing this point in your application to your Ethics Committee for approval for the research project.
What is aggregation and can data that has been subject to aggregation still be Personal Data?
Aggregation is where data is added up and displayed as totals, so no data identifying individuals in shown. This can be a useful tool for data minimisation.
If there are small numbers in the aggregate totals then it may be possible to identify individuals from the aggregate, depending on the other information given. Avoid using aggregation in this instance or remove the class of personal data with small numbers from any published data.
CDRC output checking procedures have been put in place to prevent disclosive data being released from the secure laboratories. Where there are small numbers contributing to a cell, should be suppressed, combined or removed. Details are included in Appendix 3 of the CDRC Controlled Data Project Proposal Form.
If using aggregate data to profile individuals, please see profiling section above.
Can modelled data be Personal Data?
Modelled data will be Personal Data if it is possible to identify a living individual from it or from it together with other information that is, or is likely to be in the possession of the Data Controller.
If the research used in the modelled data is based on non-Personal Data, and no living individual can be identified from the model, then the modelled data are not personal Data.
Are there further requirements for processing Personal Data relating to criminal convictions or offences?
Personal Data relating to criminal convictions or offences must only be processed either:
- under the control of official authority; or
- where authorised by Union or Member State law which provides for appropriate safeguards for the rights and freedoms of Data Subjects.
This is governed by the Police and Criminal Justice Directive (PJC Directive) rather than by the GDPR.
What does Brexit mean for the GDPR?
The UK government has confirmed that GDPR will come into force on 25 May 2018. In addition, it has confirmed that it intends to incorporate the provisions of the GDPR into national law so that it continues in force past Brexit, and the draft Data Protection Bill has entered Parliament. However, the government has also said that the Court of Justice of the European Union (CJEU) will cease to have authority over national law, so at this stage it is unclear how subsequent clarifications and developments of the GDPR CJEU case law will take effect on national law.
In some parts of the GDPR the text is unclear. The ICO and the Article 29 Working Party are drafting various guidance, and we may change our view of the effect of particular parts of the GDPR.
In addition, the UK courts continue to hear data privacy cases and the law evolves, particularly regarding the new tort of intrusion of privacy.