10 December 2018
The rules for handling information relating to research participants changed on 25 May 2018, when the new EU General Data Protection Regulation (GDPR) came into force. The Data Protection Act (2018) also become law on 23 May 2018.
The new legislation brings increased expectations of organisations (such as universities, research units and other research organisations) processing personal data.
Organisations need to be lawful, fair and transparent when processing or controlling the processing of personal data.
However, the new legislation is not intended to impede research.
The attached document describes the seven key principles of good data handling/processing and also provides more in-depth descriptions of the legal implications, requirements, and exemptions involved.
There is no rule that says you have to rely on consent to process personal data for scientific research purposes.
Researchers must implement appropriate safeguards, in keeping with recognized ethical standards, that lower the risks of research for the rights of individuals. For psychological research, we recommend using the general principles set out in the Code of Human Research Ethics.
To this end, “in relation to the gaining of consent from children and young people in school or other institutional settings, where the research procedures are judged by a senior member of staff or other appropriate professional within the institution to fall within the range of usual curriculum or other institutional activities, and where a risk assessment has identified no significant risks, consent from the participants and the granting of approval and access from a senior member of school staff legally responsible for such approval can be considered sufficient. Where these criteria are not met, it will be a matter of judgement as to the extent to which the difference between these criteria and the data gathering activities of the specific project warrants the seeking of parental consent from children under 16 years of age and young people of limited competence” (Code of Human Research Ethics, 2014, p. 17).
Nevertheless, appropriate measures must be taken to inform participants (or their parents or guardians) of the nature of the processing of the data and the rights available to them in relation to requesting full anonymization, the withdrawal or deletion of data and the retention period for the data.
Researchers are required to provide this information in all circumstances, regardless of whether consent is the basis for processing, “in a concise, transparent, intelligible and easily accessible form, using clear and plain language”.
This must be provided before or at the time the data is first collected and it must include the researcher’s identity and contact information, the intended purposes of the processing activities.