Data protection for research projects
Information for researchers and academics
The EU General Data Protection Regulation (GDPR), which also enforces a number of changes in data protection law for research purposes, came into force on 25 May 2018. In addition to the GDPR, the Law on Data Protection and the Freedom of Information (HDSIG) in the state of Hesse dated 26 April 2018 has to be followed in research. The following overview summarises the most important changes that result from the two amendments in the law for research projects. Any changes compared to the previous legal situation are marked in bold type.
The GDPR contains many exceptions and a great deal of preferential treatment for research. In return for this openness towards innovations, it requires researchers to arrange certain guarantees for the persons affected by the gathering of personal data in order to safeguard their fundamental rights.
These guarantees (Article 89 Para. 1 of the GDPR and Section 24 Para. 3 in conjunction with Section 20 of the HDSIG) cover elements like technical/organisational measures to
- implement the general principle of minimising data,
- pseudonymise the personal data, if research purposes can still be achieved in this way,
- further process the data in anonymous form, if this is possible (anonymous data is not personal and the data protection law does not apply to it).
Data can be processed either after consent has been gained or in line with any statutory authorisation:
Any consent provided by the data subject must be voluntary, specific, informed, unambiguous and verifiable. The consent must be as specific as possible. It must particularly cover the data categories, the purpose of the processing work, any further use and the time when the data will be deleted. A lower degree of specificity is only permissible if it is academically essential that the type of processing cannot yet be fully determined. If any consent is used to process particular categories of data, these types of data must be precisely specified. Particular categories of data are personal data according to Article 9 Para. 1 of the GDPR, if it is possible to determine the racial and ethnic origin, political opinions, religious or ideological convictions or membership of a trade union, or genetic data, biometric data to clearly identify an individual person, health data or data on a person’s sexual life or an individual’s sexual orientation. Data subjects must be informed that they can cancel their consent at any time before providing any notice of consent. It must be as simple to cancel the consent as to issue it in the first place. Consent from a parent or legal guardian must be obtained for persons aged under 16.
2.2 Legal permission
It is permissible to process data without any consent if a statutory provision allows this.
According to Section 24 Para. 1 of the HDSIG, it is permissible to process particular categories of personal data if this is necessary for the research work and research interests override the data subject’s interests that are worth protecting. Consideration must be made in each individual case on whether this is relevant; the significance of the research purpose for the general public, the depth of the encroachment on the fundamental rights of the data subject and the guarantees offered to them all play a role here.
Data processing is permissible for normal data according to Section 3 of the HDSIG. In line with this, data processing is legitimate if it is necessary to complete public service tasks or to pursue public interests. As one of the main tasks of the university is to conduct research, according to the Higher Education Act in Hesse, its members may process personal data for research purposes. The university also needs to offer the guarantees that are feasible for the research purpose in this case.
2.3 Handling data processing
These guarantees, which have to be provided, if this is possible for the research purpose, are listed in Section 20 Para. 2 Sentence 2 of the HDSIG in a catalogue of 10 measures. The most important measures have already been mentioned (cf. 1.)
According to Article 5 Para. 2 of the GDPR and Section 24 Para. 2 of the HDSIG, documentation must be provided that the researcher is complying with the data protection regulations and how this is achieved (not just preparing a record of processing activities according to Section 30 of the GDPR).
Anybody who has personal data processed by somebody else (e.g. data collection, data processing, data storage, drop boxes, cloud computing) must comply with the instructions for processing the order. This primarily involves signing a service contract that contains the specifications in Article 28 Para. 3 of the GDPR.
According to Article 35 of the GDPR, each researcher must provide an assessment of the impact of the envisaged processing operations to protect personal data if any form of processing poses a high risk to the rights and liberties of individual persons because of the type, scope, circumstances and purposes of the processing work – particularly if new technologies are being used. This is normally assumed if the researcher is processing special categories of personal data in a comprehensive manner or is processing extensive personality profiles
Data subjects largely have the same rights as they had in the past. However, they are worded in a clearer and more detailed manner in Article 12ff of the GDPR:
Before any data is processed, the data subject must be extensivelyinformed about the content according to Articles 13 and 14 of the GDPR. When processing video data, the duty to provide information in Section 4 Para. 2 of the HDSIG must be respected too. The rights of the data subject to information, correction, restriction and raising objections are, however, restricted according to Section 24 Para. 2 of the HDSIG in order to facilitate the research work. The same applies to the right to have data deleted in Article 17 Para. 3 d) of the GDPR. All these rights for the data subject are excluded if satisfying them will probably make it impossible to achieve the purposes of the research work or seriously impair this.
Selected problems related to the admissibility of processing data are addressed below:
4.1 Publishing the results of research work
The publication of personal data is only permissible according to Section 24 Para. 4 of the HDSIG if the data subject has provided special consent for this or the publication concerns an individual in contemporary history and the publication is essential to present the results of the research work.
4.2 Research data management
The data must first be anonymised or pseudonymised prior to any long-term storage of personal data at the end of the research project. It may only be stored in personal form if the recognised features of research data management can be satisfied in this form. The verifiability of the data is then governed by the rules of good academic practice related to research (DFG: 10 years).
Whether it is permissible to re-use personal data if making a change to the purpose of the research work depends on the assessment of whether the data can be reconciled with the original purpose in each individual case. Any further processing with a different purpose must be assessed according to Article 6 Para. 4 of the GDPR: the guarantees that are given are important here. If the data has been anonymised, there is no data protection problem anyway. If the data has been pseudonymised and there is good protection against any disclosure, it is normally assumed that the risk to the data subject is low and the research purpose can take precedence.
4.3 Transferring data abroad
Transferring data to a country outside the European Union and the European Economic Area is only permissible according to Article 44ff of the GDPR if adequate guarantees exist that the personal data will be treated there in a similar way and the data subject will have comparable rights there as in the European Union. This also applies to using American platforms (e.g. the Facebook Group).