GDPR Key Facts for Research

GDPR Key Facts for Research

The following information was published by the MRC Regulatory Support Centre on 13th June 2018, compiled with the support of the Information Commissioner's Office, NIHR and NHS R&D Forum.

Should we have been fully compliant by 25th May?

• The Information Commissioner said 25th May wasn’t a deadline. It's the beginning of a long journey of continuous improvement.

• Study activity or recruitment doesn’t need to stop if researchers haven't updated their participant information sheets. Compliance with GDPR can come in many different forms. It's better to do transparency well, than to rush it.

• We do things well in the research sector. GDPR wasn’t designed to impede research. It reflects longstanding good research practice, such as ethics approval, research and information governance, and the common practice of pseudonymising data. Further compliance is needed, e.g. meeting the new transparency requirements and accountability.

• Don’t assume too many responsibilities yourself, talk to your Data Protection Officer (DPO) and Information Governance experts.

What are the important messages and myth busters?

• Much of GDPR is about being lawful, transparent and fair when collecting, using or holding (processing) personal data, in line with safeguards for research.

• Joint data controllers are permitted e.g. where a Clinical Trials Unit is involved.

• There is no requirement to delete research data. In fact the ICO say you can keep personal data indefinitely if you are holding it for research.

• GDPR says any personal data can be used for research, regardless of the initial reason for collection, subject to safeguards, transparency and fairness.

• Researchers do not need to re-consent participants. ‘Task in the public interest’ is the most appropriate lawful basis when processing data for research in the NHS and universities. For research controlled by charity organisations and commercial companies it’s ‘legitimate interest’. Not consent. Therefore GDPR’s consent requirements don’t often apply to research. Obtaining consent to take part in research and for disclosure of confidential information is important, GDPR doesn’t change this.

• Screening of medical notes by care teams for study recruitment is still allowed. NHS organisations need to inform patients through transparency information (meeting the new requirements), and uphold confidentiality requirements (confidentiality hasn’t changed).

• GDPR permits ‘big data’ research. Data minimisation means that data must be adequate to properly fulfil the purpose, relevant, and limited to what is necessary for that purpose. It is necessary to use large volumes of different types of data to support some methodologies.

• Not all genetic data is personal data. It depends on uniqueness and identifiability (both direct and indirect), like it does for all data. See What is personal data?

• Researchers can still share data with other researchers in line with confidentiality requirements. Researchers need to anonymise data, or get participants’ permission to disclose confidential information to other researchers if participants would not reasonably expect it. If sharing is for a new purpose, i.e. not what participants have been told, researchers and data controllers need to inform participants in line with GDPR transparency requirements.

What should we be doing now about ensuring transparency?

• Remember that transparency is about better informing patients, public and participants about research; it is not about getting permission. Therefore making transparency information understandable and drawing people's attention to it is key.

• In the first instance all NHS organisations should have a notice on their website that references their role participating in research. The HRA have produced some transparency wording for NHS participating sites that explains what research is and what can be expected.

• GDPR includes precise transparency requirements to better inform participants. There should be a layered approach, so once your organisational notice is in place project-specific information should highlight it.

How do we inform participants of the revised transparency notice?

• How to inform participants depends on the study population, and what opportunities are coming up, e.g. study visits, newsletters, etc. Re-contacting participants is not a risk-free activity. If researchers don't have contact details, it’s not necessary (and often not legal) to get them. Contact details (e.g. full address) may be needed for the research analysis but may be out of date (out of date research data is allowed under GDPR). It’s not appropriate to use old contact details and often not appropriate to update them. A more general way to inform, using best efforts, is likely to be better, e.g. internet, social media, local newspaper, etc.

• Transparency is related to fairness. Processing activities should depend on what participants have been told. Where there are new uses of data, participants need to be informed and given the opportunity to object. Researchers should outline what withdrawal from the research project means, particularly with respect to data that has already been collected. Research is largely exempt from the right to erasure, so all data about a participant doesn’t necessarily have to be deleted. Researchers should consult their DPO if they receive a request about a subject right. They may choose to respect the right to erasure and decide to delete all data. If so, they need to work out how deletion can be achieved and what impact it will have on the integrity of the research, and the risk of re-contacting the participant in the future.

• How participants are made aware of study-level transparency information is the responsibility of the data controller (often the sponsor) in consultation with the research team. See also MRC Regulatory Support Centre GDPR Resources and HRA guidance.

What is the National Data Opt-out in England and how does it relate to GDPR?

• The national patient opt-out in England is not related to GDPR, it’s about confidentiality. Opt-outs don’t apply when there is research consent, irrespective of the GDPR lawful basis.

• For the research community the national data opt-out has no impact where a patient has consented to take part in a research study and has agreed for their data to be used in that study. Nor will it affect studies that use anonymised data. The national opt-out therefore only applies to studies that have section 251 support from CAG.

And finally!

• If you’re not sure, ask ACCORDHRA, MRC or NHS R&D Forum GDPR work stream for escalation. Please tell us your experiences so we can develop resources to spread these kind of messages.

• Remember you should be thinking about all the personal data you collect, use or hold in your department not just personal data for research studies.

• Overall don’t panic, take time to make sensible decisions: 25th May wasn’t a deadline.