- How do I manage data protection?
- What is the General Data Protection Regulation (GDPR)?
- What is the Data Protection Act 2018?
Collection and use of data
All researchers must comply with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018). The GDPR defines personal data as any data that can be attributed to a living individual; it does not have to include name, address, date of birth or gender. The CI is usually the named Data Custodian of the study.
Storage of data:
- Physical storage - data should be kept in a locked filing cabinet in a lockable room, accessible only to the research team. Identifiable data will be transcribed and/or anonymised and identifiers removed as soon as possible.
- Electronic storage - all electronic storage, including cloud storage, IT programs and infrastructures, must be identified, risk assessed and validated where appropriate, and data must be kept in an encrypted format, accessible only to the research team via a password-protected BH or QMUL computer.
Participants must know that any information kept on them because of their involvement with the trial will be kept securely. The research findings of any study are to be stored at Barts Health/Queen Mary Modern Records Facility, 9 Prescot Street, London E1.
Individual rights over data
Individuals have a number of rights over their personal data, for example, to access any personal data that you have about them. The participant also has a right to request that you stop processing their data. However, in the research context, many of these rights are limited, although you must be able to show that complying with such requests would impair your research, that you have appropriate security measures in place and that published research results will not identify individuals. For further details on data management please see SOPs 38a, 38b, and 11a.
The GDPR only applies to the European Economic Area (EU plus Iceland, Liechtenstein and Norway). If your study requires you to send data outside the EEA, special conditions apply and you should seek guidance.
Storing Human Tissue
Our Human Tissue Resource Centre (HTRC) holds the licence for storage of human tissue for research, which covers tissue banks operating within BH and QMUL and authorises an establishment to continue its activities. This licence applies only to those groups which have registered with the HTRC, as it is essential that the requirements of the Human Tissue Act are complied with.
The GDPR 2018, accompanied by the Data Protection Act 2018 (DPA 2018), replaces all pre-existing provisions under the Data Protection Act 1998. The GDPR is intended to strengthen and unify data protection for all individuals within the EU. The HRA website provides full guidance both for those who manage data and for members of the public.
There is specific information on the HRA website for researchers. Researchers should also be aware of the HRA guidance regarding patient information and healthcare research.
There is also an informative short film on YouTube that summarises the GDPR and the legal position in relation to personal information held for research purposes.
- Information about how the GDPR is managed at Queen Mary can be found here and the data protection privacy notice for QMUL research participants can be found here.
- Information about how the GDPR and privacy requirements are managed at Barts Health can be found here.
To discuss how this may impact your research please contact the JRMO research governance team at firstname.lastname@example.org
The GDPR allows member states some leeway in certain respects, one of which is in the processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. Therefore, some special conditions are laid out at Section 19 of the Data Protection Act 2018 (DPA 2018).
In short, you must have in place certain measures to safeguard personal data, such as appropriate protection and using the least data possible. Your research must not be likely to cause substantial damage or substantial distress to data subjects, and must not be carried out for the purposes of measures or decisions with respect to a particular data subject, unless the purposes for which the processing is necessary include the purposes of approved ‘medical research.’
If you have these safeguards in place, then exemptions exist to a number of data subjects’ rights and data protection principles.