How do we approach transparency in research under GDPR?

Under the GDPR, transparency relates to providing information to people about the processing of their data. Some of this is addressed at an organisational level in providing public information about use of data. There are important differences in the transparency requirements between organisations directly collecting information from research participants and organisations receiving information indirectly from another organisation.

Participant data that is no longer identifiable, or from which the participant cannot be identified either on its own or in combination with other accessible information, is no longer personal data, and the GDPR transparency requirements do not apply.

This means that your organisation needs to understand what personal data it is currently responsible for processing as a controller, and will in future be processing, so that it can publish transparency information. You should use the information below to determine what further information, if any, should be given to participants of individual studies, and how to provide it.

You should take into account what mechanisms you have to provide transparency information, including publishing or providing information via participating sites, relevant patient groups etc., and be able to justify your decisions about transparency.

The table below sets out the transparency requirements under GDPR:

| Information to be provided | Personal data obtained directly from participants | Personal data obtained indirectly |
|---|---|---|
| Name of controller and contact details (including of data protection officer) | Required | Required |
| Purposes of the processing, as well as the legal basis | Required | Required |
| The legitimate interests of the controller or third party, where applicable | Required | Required |
| The categories of personal data concerned | | Required |
| The recipients or categories of recipients of the personal data, if any | Required | Required |
| The period for which the personal data will be stored | Required | Required |
| The data subject’s rights under GDPR (see note A below) | Required | Required |
| The right to lodge a complaint with the ICO | Required | Required |
| The source from which the personal data originate, and if applicable, whether it came from publicly accessible sources | | Required |
| Whether the provision of personal data is part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal data (see note B below) | Required | |
| Any automated decision-making, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject (see note C below) | Required | Required |
| How appropriate or suitable safeguards are achieved in relation to any personal data transferred out of Europe | Required | Required |

Notes:

A: For research, there are conditional exemptions to subject rights, so you should set out that an exemption may apply and will depend on the circumstances.

B: This is not applicable to research.

C: In this context, automated decision-making refers to the use of personal data in machine learning or other technologies that will result in a decision about the individual, e.g. a diagnosis. Electronic randomisation technologies are not included.