Research involves the collection, processing and analysis of data. As such, a great proportion of researchers will spend their days handling personal and/or sensitive data. If you are in the UK, this means dealing with such data will require compliance with the Data Protection Act (DPA) 2018, which is the UK's implementation of the General Data Protection Restrictions (GDPR). Data protection compliance is regulated by the Information Commissioner's Office (ICO). Not only do data breaches risk sizable fines, but they can also serve to damage the reputation of the researcher and the organisation they are employed by. To protect your organisation from the devastating effects of data breaches, it's important that researchers undergo regular data protection training and understand what steps to take to protect data under the law.
Types of Data
Researchers handle a range of data types. The DPA 2018 regulates the use of personal data and special category data. Personal data is any information relating to a living, identified or identifiable person. Special category data is data that is regarded as more sensitive and is consequently subject to tighter restrictions. Examples of this type of data include: racial/ethnic origin, health or sex-life information, political opinions, and religious beliefs. This type of data may, for instance, be used in health research, and must be gathered and processed according to the directives laid out in Article 9 of the GDPR. Amongst other things, this article states that explicit consent must be given by the data subject for in order for their data to be processed.
The Issue of Consent
Data Protection legislation guides researchers to implement best practices, such as that of informed consent. Consent must be informed (consent given with the knowledge of the purposes for which their data will be used and/or transferred to), voluntary (consent should not be coerced), and fair (the individual should be given all/any supplementary information to ensure full transparency).
Whilst Data Protection regulation can seem overwhelming, especially regarding special category data. Following procedures of best practice and undertaking regular data protection training and refresher training can help keep compliance fresh in the minds of researchers.
Safeguard and Best Practices for Reseachers
There are a number of safeguards in place designed to protect the personal data of research participants. Research must receive approval from a research ethics committee. Data processing should be limited to what is strictly necessary (this is what is known as data minimisation). All who handle personal data should be literate in the principles of confidentiality and data protection. Data should be anonymised/pseudonymised wherever possible. If data is anonymised in line with the ICO's 'Anonymisation Code of Practice' then it is no longer regarded as personal data. However, it is important to recognise that the act of anonymisation is still classed as processing personal data.
Why is Data Protection Important in Research?
Improper data protection practices can result in a data breach. Data breaches can have unprecedented effects on both the data subjects (those whose data is stored and processed) and the organisations or individuals charged with protecting the data. The ICO can issue monetary penalties up to €20,000,000 or 4% of your annual turnover, whichever is greater, for data breaches where fault is determined.
Breaches can also quickly become tabloid scandals, and culminate in massive damage to your reputation or that of your employee. Given the potentially crippling effects that a data breach could have on your organisation and career, it is clear the importance that thorough data protection training has to play.
Most importantly, a data breach could result in damage to the rights, freedoms and privacy of your data subjects.