Lifespan of personal data processing, data protection principles and the protection of data in scientific research

If processing of personal data is necessary for the implementation of the study, the lifespan of the processing must be planned from beginning to end. The controller must ensure compliance with the principles of data protection and protect the personal data in accordance with the risks related to the processing.

The implementation of the study must be designed with an effective realisation of data-protection principles in mind.

The data-protection principles state that personal data must be

  • processed lawfully, fairly and in a transparent manner in relation to the data subject
  • collected and processed for a specific and lawful purpose
  • collected only to the extent necessary with regard to the purpose of the processing
  • updated when required ‒ inaccurate personal data must be erased or rectified without delay
  • kept in a form which only permits the identification of data subjects for as long as it is necessary for the purposes of processing the personal data
  • processed confidentially and securely

Data-protection principles must be considered in detail as early as the planning stage of the research. The controller is also accountable for the effective implementation of the principles. This means that the controller must document how data-protection principles are taken into account in the practical implementation of the study. The research plan can be used to demonstrate compliance with the requirement of accountability.

Adherence to the principle of data minimisation has been emphasised with regard to the processing of personal data for scientific research. The processing of personal data for research purposes is only permitted if the study would be impossible to implement without it. The purpose of processing personal data is often specified through the research question, and the necessity of collecting personal data must be justified by it. Minimisation also requires minimising the storage time of personal data, so the duration of the study, processing of the materials and their destruction at the conclusion of the study should be specified in the research plan. The research plan must also specify whether the research consists of a cross-sectional or a follow-up study.

Risk assessment and designing safeguards

The number of measures required by data protection regulations increases with the risk posed to individuals by the processing of personal data. Technical and organisational safeguards are particularly important for protecting personal data in the context of scientific research. The controller must always assess the risk posed by the processing of personal data to the data subjects and implement safeguards in proportion to the risk. Identifying the necessary safeguards requires defining the environment in which the research material will be processed in practice (e.g. the technical platform, premises, data transfers) and the personnel processing it (controller, joint controllers, processors, researchers and other staff).

Example:
The research materials can be processed via remote connection. The controller must ensure that the remote environment also complies with the data security requirements for processing the materials. Researchers must be given detailed instructions on the devices to use, methods of processing personal data, and the appropriate protection and use of the materials. Remote work environments increase the risk of outsiders gaining access to the materials, for example.

The risk assessment must be carried out from the perspective of the research subject, i.e. the data subject. The controller must evaluate the damage and harm that inappropriate processing of the personal data could cause to the data subjects. For example, unlawful disclosure of health information to third parties can cause anxiety, fear of stigmatisation or discrimination. The disclosure of personal identity codes can pose a risk of fraud or identity theft.

The risk assessment must address

  • the nature of processing (e.g. special categories of personal data, personal identity codes and data subject to non-disclosure for personal safety reasons);
  • the scope (e.g. number of data subjects and storage time);
  • the context (e.g. the vulnerable position of the data subject and confidentiality); and
  • the purposes of the processing (e.g. will the data be used in decision-making or will the processing have other judicial effects).

Once the risks posed by the processing of personal data to data subjects’ rights and freedoms have been identified, the next step is to evaluate the severity and likelihood of each risk and the resulting damage. The severity of the damage caused to data subjects varies depending on the risk. Damage can be

  • minor (e.g. waste of time or momentary annoyance);
  • limited (e.g. a feeling of invaded privacy with no permanent damage);
  • significant (e.g. a feeling that one’s fundamental rights have been violated, such as feeling discriminated against, or serious psychological damage such as depression or phobias); or
  • high (e.g. long-term or permanent physical or psychological damage or rupture of family ties).

The assessment of probability involves evaluating the likelihood of the risk being realised. When the damage and its probability have been identified, the controller records the safeguards intended to address the risk.

The higher the risk involved in the processing of personal data, the more safeguards the controller is required to implement in order to secure the personal data. Safeguards seek to protect the personal data against inappropriate processing and damage to the data subject. They combat both internal threats (e.g. threats caused by the project’s own personnel, processors, processing devices or environment) and external threats (e.g. unauthorised access to the research materials). The safeguards are also influenced by the format of the research materials (paper questionnaire forms, recorded or videoed interviews, electronic spreadsheets, tissue samples stored in a laboratory, etc.). 

Safeguards can seek to prevent unauthorised use in advance, for instance by restricting access to the materials. The lawfulness of processing can also be ensured through retrospective means, such as collecting log data that can be used to investigate suspected violations.

Implementation costs and the possibilities offered by new technology must be considered in the choice of safeguards. Safeguards can be technical (e.g. firewalls, anti-virus software, encrypted connections for data transfer) or organisational (e.g. data protection instructions and training for personnel, NDAs, access rights limited by duties).

Example:
A research organisation requires its scientists to pass a data protection course and sign a non-disclosure agreement before processing personal data. The purpose of this safeguard is to ensure that the personnel processing personal data during the study are aware of the confidentiality of personal data and their non-disclosure obligation and are able to process personal data correctly and securely. The organisation also has other technical and organisational safeguards in place.

Impact assessments in scientific research

Research activities often involve processing several types of data on each data subject (often also including special categories of personal data), so the risks of such processing are often high. An impact assessment is required if the envisaged processing of personal data poses a high risk to the rights and freedoms of individuals.

The processing of personal data for scientific purposes often involves a high risk, making an impact assessment mandatory. An impact assessment is required when two or more of the following conditions are met:

  • The processing involves special categories of personal data or other data of a highly personal nature.
  • Personal data is processed on a large scale.
  • The processing involves aggregation of data.
  • The processing involves individuals in a vulnerable position, such as patients, children or the aged.
  • The processing involves the use of new technological and organisational solutions or innovations.
  • The processing involves biometric data.
  • The processing involves genetic data.
  • The processing involves location data.
  • The controller wishes to derogate from the obligation to inform the data subjects by virtue of Article 14, paragraph 5(b) of the GDPR.
  • The controller wishes to derogate from other rights of the data subject.

The controller is required to consult the Data Protection Ombudsman before the start of processing personal data if the impact assessment shows that the envisaged processing would result in a high risk to data subjects and the controller has been unable to introduce measures to lower the risk. A prior consultation request can be filed using an online form on the Office of the Data Protection Ombudsman’s website.