Carrying out research is something we are all familiar with, but we might not necessarily be up to date on the laws which are associated with it. Everyone has heard of GDPR - but practically speaking, how has it impacted on how you should approach research?
A seminar held by the University of London outlined the main concerns; although it was aimed at academics, it was useful for information professionals. We must be aware of the rules regarding the gathering, storing, re-use, and disposal of research data.
Striking a balance between privacy and knowledge
For the legal minded amongst us, the new data protection laws have been in force for several months, however there has been no case law to help interpret what the legislation says. Researchers, and those institutions responsible for overseeing their work, are taking a measured approach and they are keen to strike an intelligent balance of applying the rules but not stifling important research.
Every living individual has the right to privacy, which is enshrined in the Universal Declaration of Human Rights. As Eleanor Roosevelt stated,
Where, after all, do universal human rights begin? In small places, close to home - so close and so small that they cannot be seen on any maps of the world. Yet they are the world of the individual person; the neighborhood he lives in; the school or college he attends; the factory, farm, or office where he works.
All subsequent legislation has attempted to be faithful to that commitment; but with greater protection come challenges to legitimate research. In drafting the original regulation, the EU recognised the value of new research, its impact on society, and the need for solid high quality knowledge. Therefore safeguards were built in to ensure that this could continue unabated.
In previous years it seemed that work prior to the commencement of a project focused on funding applications. However institutions and organisations now require researchers to identify whether they will be collecting personal data and submit a data management plan.
The researcher must think carefully about the type of data they are collecting so they can decide under which category it falls. All data needs protection if it contains identifiers such as ID numbers, addresses, as well as economic, physical, mental, or and social identity.
But this can be further complicated when you are dealing with ‘Special categories’. Such categories concern an individual's race, sexual orientation, their politics or membership of trade unions, or their health, including genetics, biometrics, or criminal convictions.
As a more measured and slow pace in law collides with increasingly invasive and developing technologies, these sensitive areas will continue to be problematic for researchers. In practice, this plan isn’t designed as an obstacle to research, but rather to balance individuals’ rights to privacy with the legitimate pursuits of academic research.
This plan will also get researchers thinking about international collaboration. This is important when you are planning to transfer data overseas, where there are different standards of data protection. They might need to consider ‘privacy shields’ and take advice on whether the exceptions around pursuit of knowledge apply.
There are exemptions. Data can be collected - or processed - under certain circumstances all of which are specified in the legislation. Of most interest to researchers are those exemptions where: 1) consent is obtained and 2) there is a legitimate public interest. Rules don’t apply when there is primary source material for living people, through publically available biographies, their use of social media etc.
In the seminar there was discussion around consent, and the importance of a practical understanding of the legislation. We were referred to the ICO guidelines with the proviso that these relate to the GDPR, and not research in general. However, where researchers do rely on consent, individuals obviously have the freedom and choice to give it - and retract it at any time.
Before commencing any data collection, data subjects need to understand why the information is being collected, whether it is proportional to the researcher’s needs, what will happen to the data, whether it will be going overseas, and whether it will be protected. Researchers should ensure that their records are fully auditable, and contain relevant privacy statements with an affirmative opt in.
Often data from research projects is retained and reused in a different context. The individual concerned should be made aware of this. In order to protect their rights, this needs to be made explicit to the individual with a full explanation - in plain English - of the safeguards in place to protect their rights and freedoms. If information is to be stored for later use, it needs to be securely encrypted, with added protection if it is of a sensitive nature.
Previously it was easy to ensure sensitive data was destroyed at the end of a project; paper research records around funding, papers, administration, staff, or correspondence could be disposed of appropriately. However the majority of information is now kept online, so it is more at risk from privacy breaches. Questions about the preservation of records have arisen, as under data protection principles it might be more risky to keep it, than not.
The point of a Data Management Plan is not to hinder research, but to ensure that everything is done in the spirit of the data protection and freedom of information legislation. It ensures that issues are addressed as soon as possible, and prevents future problems. As always, guidance is available from the relevant university or institution. There is nothing to prevent important research which helps in the generation of valuable knowledge, but it is essential to ensure respect for the way that information is processed.
And finally, let’s imagine you have followed all the appropriate rules, presented your findings in the right way… As mentioned above, the pace of technology doesn’t just affect the law, but it has consequences for future access. In certain legitimate archive projects, there have been challenges around digital obsolescence. For instance the digital doomsday book is now unreadable. This is an entirely separate issue but one of real interest to library and information people.
How can researches, librarians and archivists ensure that we preserve datasets for future use? What are your experiences around data management plans?