[D147.0000] General Data Protection Regulation (GDPR) Guidance

The General Data Protection Regulation (GDPR) is a regulation governing how personal data from individuals located in the European Economic Area (EEA)* is processed. It strengthens the rights afforded to research participants and reshapes the way organizations handle and process personal data from individuals located in the EEA.

The GDPR replaces the earlier European Union Data Protection Directive (Directive 95/46/EC) and broadens both the kinds of data that are regulated and the set of organizations that must comply. Rather than applying only to processing carried out by an entity established in the EEA, the GDPR extends its reach to researchers located in the United States who collect data on participants present in the EEA (for example, when conducting international research or research involving internationally located individuals).

When is a research study subject to the GDPR?

To determine whether a study is subject to the GDPR, the type of study population must first be considered. If a study involves using, collecting, or processing data in person, or online, from anyone located in one of the countries of the EEA, the study is subject to the GDPR. The broad nature of this regulation extends beyond mere citizenship. For example, data from a U.S. citizen studying abroad in one of the EEA countries would be regulated by the GDPR.

A second consideration is whether the data to be collected/analyzed is personal and/or sensitive. Any research utilizing personal data from research participants located in the EEA must adhere to the requirements of the GDPR. The scope of personal data under the GDPR is broader than Protected Health Information (PHI) in the U.S.

Items listed as personal information under the GDPR include:

  • Name
  • Home address
  • Email address
  • Income
  • Identification card number
  • IP address
  • Cookie ID (for electronic research)
  • Phone identifiers
  • Data held by a hospital or doctor that could uniquely identify a person
  • A combination of information that could lead to the identification of a subject may also be considered personal information under the GDPR

De-Identified Data

De-identified (anonymous) data is not regulated by the GDPR. Data is considered de-identified only if there are no reasonable means through which someone who has access to the data, including the research team, can re-identify a research participant. Data that is merely coded or pseudonymized, where a key that links codes back to individuals still exists, remains personal data under the GDPR and is still subject to it.

GDPR Requirements for Consent

The GDPR affects the consent requirements that must be considered when conducting research involving persons located in the EEA. If your study is subject to the GDPR, make sure your consent includes the GDPR required conditions of consent listed below.

Under the GDPR, consent must be:

  • Clear and distinguishable, given via an affirmative action (for example, a signed consent form or a ticked checkbox; pre-ticked boxes and silence do not count)
  • Freely given (voluntary)
  • Specific (describes what information is collected and shared, and for what purpose)
  • Informed (a proper consent process)
  • Unambiguous (explicit in its description)
  • As easy to withdraw as it is to give. If consent is obtained by checking a box, the method of withdrawing consent must be as easy as checking a box.

The GDPR grants participants several other rights, such as a right of access and a right to erasure (also called the right to be “forgotten”). The right to erasure means that once data are no longer needed for the purpose for which they were collected, or the participant has withdrawn consent, the participant may request that their personal data be deleted and not shared further. The GDPR allows an exception where erasure would render impossible or seriously impair research conducted under appropriate safeguards; whether that exception applies to a given study should be discussed with the Office of Research Integrity before relying on it.

GDPR Requirements for Privacy Notice

The GDPR requires a privacy notice in addition to the informed consent form. A copy of the privacy notice should be given to the participant during the informed consent process. A GDPR privacy notice tells individuals what data is collected, how and from where it is collected, and for what purpose. Privacy notice language is included in our primary informed consent templates and must be included in the informed consent if the research is governed by the GDPR.

Privacy notice language to be included in the informed consent:

The European General Data Protection Regulation (GDPR) provides individuals whose data will be collected with certain rights. These rights include:

  • The right to access, correct, or request that your data be removed from the study;
  • The right to restrict processing of your data;
  • The right to object to the processing of your data;
  • The right to withdraw your consent without any penalty; and
  • The right to complain about the data collection/handling process. For any complaints, please contact the University of Kentucky Data Privacy at 859-257-4594 and/or the University of Kentucky Office of Research Integrity at 859-257-9428.

The right of access imposes several requirements that a researcher must meet in order to carry out research involving persons located in the EEA. The information a participant is entitled to receive under the right of access includes the:

  • Categories of personal data processed
  • Recipients or categories of recipients
  • Planned duration of storage of information
  • Right (and instructions on how to) file a complaint regarding the collection of data
  • Safeguards that will be in place for data protection and confidentiality

Sensitive Data Protections

If personal data is also “sensitive,” it requires additional protection. Data that is considered “sensitive” may only be obtained/accessed after active and explicit consent is obtained from the individual to whom it refers. Additionally, this information may only be obtained for a specified purpose, of which the subject is fully aware (no deception research).

Sensitive data includes data concerning a subject’s:

  • Health
  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Sexual orientation and/or data concerning an individual’s sex life
  • Biometric data (where processed to uniquely identify an individual)
  • Genetic data

Waiving Informed Consent

The GDPR does not include provisions for a waiver of informed consent.

Research Involving Children

The GDPR treats an individual under the age of 16 as a child for the purposes of consenting to the use of their personal data, although individual EEA countries may set a lower age, no lower than 13. For any personal data collected from this class of individuals, the “holder of parental responsibility” must explicitly consent to the use of that child’s data.

If you have questions regarding a study and GDPR compliance, please contact the Office of Research Integrity at 859-257-9428 before initiating your study.

*European Economic Area (EEA) includes the following countries: Iceland, Liechtenstein, Norway, and the countries of the European Union (Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, and Sweden).