All MRS websites use cookies to help us improve our services. Any data collected is anonymised. If you continue using this site without accepting cookies you may experience some performance issues. Read about our cookies here.
You are currently not logged in. Any progress made will be lost.
Background and scope of the legislation
The data protection rights defined in GDPR and the Data Protection Act 2018 are citizen centric rights which mean that the rights apply wherever data subjects are in the world.
It applies to:
Each EU country will adopt GDPR and introduce domestic legislation. In the UK GDPR has been translated into the UK Data Protection Act 2018. There are some variations as to how GDPR has been interpreted in domestic legislation.
The Information Commissioner’s Office (ICO) regulates the Data Protection Act 2018.
The European Data Protection Board (EDPB) regulates the GDPR.
The Data Protection Act 2018 is an Act of Parliament which defines UK law on the processing of personal data on identifiable living people. The Data Protection Act controls how personal information is used by organisations, businesses or the government.
There is a new EU General Data Protection Regulation (GDPR) which came into force in May 2018. Brexit will not change the requirement to adhere to GDPR and the Data Protection Act 2018. The MRS will also keep their website updated with advice.
In general, data protection is about ensuring people can trust you to use their data fairly and responsibly. If you collect information about individuals for any reason other than your own personal, family or household purposes, you need to comply.
The UK data protection regime is set out in the DPA 2018, along with the GDPR (which also forms part of UK law). It takes a flexible, risk-based approach which puts the onus on you to think about and justify how and why you use data.
Core Concepts
Core Concepts of Data Protection Act 2018 and GDPR are:
Transparency: being transparent about what is happening in any process. For research recruitment transparency requirements apply:
Accountability: being able to demonstrate you have taken responsibility for all data protection measures. Accountability principle applies to all irrespective of size, although how you implement requirements will be scalable. Examples of accountability requirements include:
Privacy by design and default – all research projects should be designed with privacy at the core, from the beginning, and built through the entire research process. For example, anonymising data, limited access, minimal data collected, etc.
Key Definitions used in the Data Protection Act
Before we go through the principles and rules which govern the collection and retention of personal data it is useful to understand the terms that are used in the Act.
These terms refer to the people who obtain the data and to those whom the data is about:
Data Controller - controller means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.
You are the data controller if you collect and/or keep identifiable data on participants including, but not exclusively, names, email addresses, telephone numbers and determine the purposes for which and the manner in which personal data is processed.
The Data Protection Act 2018 requires data controllers, which includes research recruiters, to register with the ICO. Recruiters are not exempt from registration. Registration can be completed online via: https://ico.org.uk/for-organisations/register . It is very straightforward and costs £40 to £2,900 with most organisations paying between £40-£60 (as per July 2019).
Data Processor - processor means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller
For instance you would be the data processor if you were recruiting from a client database/customer list and were not gathering or using any client data for your own purposes.
GDPR places specific obligations on both data controllers and data processors including the requirement to maintain records of personal data and processing activities, legal liability for breaches, having contracts in place, etc.
Data Subject - definition of a data subject is broadly a living natural person - this a technical term and in general the ICO will talk about 'individuals'.
For market and social research purposes this is anybody who is identifiable from data which you hold irrespective of whether individuals have participated in research or not. Any employees you have will also be data subjects under the Act as you will hold identifiable personal data about them.
These terms refer to how you store and process data:
Processing - the GDPR covers a wide range of activities performed on personal data including by manual or automated means.
It includes the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.
The GDPR applies to the processing of personal data wholly or partly by automated means as well as to non-automated processing, if it is part of a structured filing system.
These terms refer to the nature of the data held:
Personal Data - Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. The GDPR applies to the processing of personal data that is:
Personal data only includes information relating to natural persons who: can be identified or who are identifiable, directly from the information in question; or who can be indirectly identified from that information in combination with other information.
In most circumstances, it will be relatively straightforward to determine whether the information you process ‘relates to’' an ‘identified’ or an ‘identifiable’ individual. In others, it may be less clear and you will need to carefully consider the information you hold to determine whether it is personal data and whether the GDPR applies. In research recruitment it is best to assume that the data you have is personal data and treat it as such.
Sensitive Personal Data - Special category data (sometimes called sensitive data as it needs more protection when it is being collected) means personal data about an individual's:
race
ethnic origin
politics
religion
trade union membership
genetics
biometrics
health
sex life
sexual orientation
In particular, this type of data could create more significant risks to a person’s fundamental rights and freedoms. For example, by putting them at risk of unlawful discrimination. In addition there are separate safeguards for personal data relating to criminal convictions and offences, or related security measures, and largely the same conditions apply to this data as with special category data.
Types of Data
Three types of data:
The risk profile for each type of data is different. The highest risk is with identifiable data and the lowest is anonymous. Research data is most likely to be identifiable data and recruiters should treat all data as identifiable data.
The rules for using personal data in the Data Protection Act 2018
The principles of the Data Protection Act 2018 are that data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’);
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
Fines
The legislation has a fine regime of two tiers:
Higher fines for breaches of basic principles including consent conditions, data subject rights, transfer and non-compliance with orders by regulators (such as the ICO).