Data Privacy - Processing personal data appropriately
Links to University resources for documenting your processing of personal data to ensure compliance with GDPR
If your research involves the collection or processing of data relating to living humans, then you are required to carry out this work in compliance with the Data Protection Act 2018/EU GDPR. To ensure compliance with these laws, the University has developed a process for reviewing and documenting your data usage.
A breach of the DPA2018/GDPR can result in hefty fines for the University or draconian measures, so it is imperative that you complete these assessments. Obtaining approval can take significant time (especially where a full assessment is deemed necessary), so you should undertake this work as soon as possible in the experimental design process, often in concert with an ethics application.
The University has prepared several resources to assist with the lawful processing of personal data, detailed below.
Research Data Oxford is a resource that provides advice on the complete lifecycle of research data, from planning (Data Management Plans), through ethics/legal issues, to preservation and sharing of data.
When you collect or obtain data from a third party, it is important to document what you have, even if this isn't sensitive data. To achieve this, the University recommends the creation of a Data Asset Register:
When using WIN or BMRC compute facilities you will be asked to complete an asset register.
The University's compliance team have a dedicated section of their website which covers this topic:
This includes information on creating privacy notices, retention policies, working with third-party processors, software and service providers, etc.
Where you are handling personal data you should pay particular attention to the Handling Personal Data section.
For any processing, you need to determine your legal basis for processing the data; 'Consent' isn't always the appropriate one to choose! If you believe your processing is a legitimate interest, then you should complete an assessment:
Your data processing needs to fulfil the DPA2018/GDPR requirement for data protection by design (DPIA). Information on what this entails can be found here:
All research projects using identifiable personal data will need to complete a DPS (A1), and based on the outcome of that screening form, either a DPA (B1) or DPIA (B2). WIN IT and/or BMRC teams will assist with completion of the technical aspects of these forms.