This chapter explains the main issues related to personal data processing that should be considered at the planning stage of your research. It deals with the important issues of the lawfulness of personal data processing and of research carried out with or without consent. In addition, it explains the requirements for processing special categories of personal data and the rights of data subjects with regard to their data.

Data protection needs to be addressed throughout the research process and after its completion. On the one hand, in line with the principle of data protection by design, it should be considered at the project proposal stage when the tasks and division of work are not yet in place. On the other hand, data protection issues may arise years after the end of the project, for example, when the data collected for the original purpose are to be used in a further study. If it is already clear that the dataset is valuable or could serve as a basis for another research project, consent should be sought from data subjects before the data are collected for the original work.

As data protection issues overlap with those of data management, it is recommended to deal with both simultaneously. For example, if a project involves pseudonymisation of personal data for security, it is possible to plan it early on: how to do it, who will have access to the key or the data, and what will be done with the key at the end of the project. All these decisions should be written down in the data management plan (see 2.2.1).

2.1. Where to start when personal data are to be processed in research?

2.2. How much personal data needs to be documented in research?

2.2.1. Data management plan

2.2.2. Data protection policy

2.2.3. Overview of personal data processing

2.2.4. Ethics committee’s approval

2.2.5. Data protection impact assessment

2.2.6. Informed consent

2.3. What must the consent include?

2.3.1. Consent must be freely given

2.3.2. Consent must be informed

2.3.3. Consent must be specific and unambiguous

2.3.4. Consent to data processing must be clearly distinguished from other requirements and consents

2.3.5. It must be possible to prove consent

2.3.6. Processing must be limited to what is described in the consent

2.3.7. Consent must be easy to withdraw

2.4. What to consider when personal data are processed without consent?

2.4.1. Data must be pseudonymised or additional requirements met

2.4.2. Reference should be made to the legal provision

2.5. How to ensure the lawful processing of personal data?

2.5.1. The legal basis is determined before the processing of personal data starts

2.5.2. Most appropriate legal basis must be determined

2.5.3. Related activities that may need a separate legal basis should be distinguished

2.5.4. People are given as much freedom of choice as possible

2.6. How to ensure fair processing of personal data?

2.6.2. It must be possible to communicate directly with the controller

2.6.3. Discrimination in the processing of personal data must be avoided

2.6.4. Exploitation of people’s needs or vulnerabilities must be avoided

2.6.5. Asymmetric power balance must be avoided

2.6.6. Processing of personal data is ethical

2.7. How to ensure transparent processing of personal data?

2.7.1. Provided information is clear, understandable and relevant

2.7.2. Time and channel of information are appropriate

2.7.3. Information on the algorithms used is provided

2.7.4. In the case of joint liability, a clear distinction must be made of what for and to what extent each person is liable

2.8. What to consider when using secondary personal data?

2.8.1. Secondary use may be compatible with the original purpose

2.8.2. Providing information to the data subject when collecting secondary data

2.8.3. Secondary data holders

2.8.4. There must be a suitable legal basis for secondary use

2.8.5. Approval of the ethics committee is required for special categories of personal data

2.8.6. Contract may be required for the transfer of data

2.8.7. Secondary use of disclosed personal data

2.9. How to respect people’s rights over their data in research?

2.9.1. Right to be informed about the processing of personal data

2.9.2. Right of access

2.9.3. Right to rectification of data

2.9.4. Right to erasure of data

2.9.5. Right to restriction of processing

2.9.6. Right to data portability

2.9.7. Right to object

2.9.8. Right to be protected against automated decision-making

2.10. What to consider when processing the data of vulnerable people?

2.10.1. Vulnerable persons and groups

2.10.2. Vulnerable person’s consent may not be voluntary

2.10.3. Processing of vulnerable persons’ data may jeopardise their rights and interests

2.11. What to consider when processing special categories of personal data?

2.11.1. Processing special categories of personal data without consent requires the ethics committee’s approval

2.11.2. Processing special categories of personal data requires additional safeguards

2.11.3. The concept of special categories of personal data can be difficult to apply

2.12. How precisely should the purpose of the study be formulated?

2.13. When is ethics committee’s approval needed?

2.13.1. Statutory obligation

2.13.2. Requirements of funders and publishers

2.13.3. Ethical considerations

2.14. How to assess the risks associated with personal data processing?

2.14.1. General method of risk assessment

2.14.2. Assessment of risks associated with personal data processing

2.14.3. Preparing a data protection impact assessment

2.15. What to consider when processing children’s personal data?

2.15.1. Minors cannot give consent but must be asked to assent to the processing of their data

2.15.2. Children must be informed about the use of their data in plain and clear language

2.15.3. Legitimate interest cannot be the legal basis for processing a child’s personal data

2.16. What to consider when processing the data of deceased persons?

2.16.1. Protection of deceased persons’ data serves to protect other people

2.16.2. After death, the right to give and withdraw consent passes to successors

2.16.3. Other rights of the data subject are not transferred to successors

2.16.4. Researcher is not obliged to keep an account of the life and death of the subjects

2.16.5. Data about the deceased may be processed on other legal bases
