Transparency means that the data subject knows and understands how the personal data will be used in the research. To achieve transparency, the survey participant must have access to information both before the research and during data processing. On the other hand, the amount and quality of information to be provided is an estimated value, and a research study’s required level of transparency is not explicitly defined.

Below is a comment on the European Data Protection Board’s Guidelines 4/2019 on Article 25 of the GDPR, “Data protection by design and by default”, and a brief explanation of how to ensure as much transparency as possible in research.

2.7.1. Provided information is clear, understandable and relevant

When informing a data subject, the researcher must avoid complex words and sentences, professional terms and ambiguity, and must not mislead the data subject. The information provided must not be a voluminous mass of text which is difficult to read. A good solution is to present the information in stages: a brief summary of the most important information, with references to additional information that gives a more detailed overview of personal data processing.

The information must be provided according to the target group. For example, when information is presented to children and adults, it may be necessary to present it with different levels of comprehensibility. In certain situations, the information may require simplifying.

2.7.2. Time and channel of information are appropriate

Various ways should be used to provide information, taking into account the data subject’s needs. The information must be easy to find.

  • If personal data are collected in the course of an interview, the most appropriate time for informing the respondent is immediately before the interview.
  • If data protection information is sent to the person with the survey invitation, the information should also be available at the place of the survey before the collection of personal data starts. In addition to the information sheet, the information on personal data processing should be available on the website of the project or the university.
  • If a researcher collects data through a social media platform, people should also be informed through that platform, in addition to other channels.
  • The most important information could be in machine-readable form, but the GDPR also allows people to be informed orally if they so wish.

2.7.3. Information on the algorithms used is provided

The GDPR specifically covers automated personal data processing, which results in a decision about an individual or their behaviour based solely on automated processing and produces substantial effects (legal effects or consequences of comparable importance) on the individual. For example, it is unacceptable to make recruitment and financial decisions based on automated profiling.

If the researcher plans to use automated processing, such as machine learning algorithms, to make decisions or inferences about a person or their behaviour, it must be explained to the person. Explicitness is the ethical principle supporting transparency when using AI; any decision made without human intervention must be understandable to the survey participant. The person must also be told what the expected outcome of the solution is and what it will be used for.

However, the GDPR does not limit the general use of automated data processing. Machine learning methods, which aim to find significant relationships based on large amounts of data and numerous attributes, do not lead to legal consequences and are not limited in any way. The same applies to making statistical inferences from generalised data, which does not entail the obligation to provide information on each algorithm underlying the statistical calculation.

Therefore, the need to inform depends primarily on the impact of the processing on the individual and needs to be assessed case by case.

2.7.4. In the case of joint liability, a clear distinction must be made as to what each person is liable for and to what extent

If several processors are responsible for the same processing operations, their tasks must be clearly distinguished. The joint responsibility of research institutions should always be agreed on in a separate agreement, which can specify to what extent they carry joint responsibility and to what extent separate responsibility.

Example

If the university is responsible for the collecting and primary processing of personal data in an EU project, but data from all the project countries are sent to the co-responsible partner for aggregated analysis, such division of responsibility must be explained to the respondent. This way, the participants know which research institution controls the use of their data at each stage of the project and who they need to contact to exercise their rights. If the data subject does not understand which of the numerous research institutions on the list can access and hold their data, the information is not transparent enough.
