Since 25 May 2018, the use of personal data on all projects that work with the European Union (including all of the Rising from the Depths awards) must comply with the General Data Protection Regulation (GDPR). Personal data means any information that relates to an identified or identifiable person: a name or e-mail address obviously, but also a photograph, a voice recording, or a combination of details (village, age, role) from which someone could be picked out. As soon as you collect, or are sent, data about a person and decide how it will be used, you are acting as a data controller, which means you are responsible for that data's GDPR compliance.
Some of the data you might collect includes:
- Images of participants (including those posted to social media, blogs or websites)
- Surveys
- Sign-up sheets
- Voice and video recordings
- Bank details, and payment forms containing bank details
The key aspects of GDPR for Rising from the Depths projects are:
- The obligation to tell people that you hold their data, why you hold it and how you are using it
- The obligation to honour everyone's right to see what data you hold on them, to ask how it will be used, and to ask you to remove it
- Explaining these rights in a way that people fully understand; this does not need to be a form, it can be done by explaining their rights to them orally
- Collecting the minimum amount of data needed for the purposes of the research
- Reporting a breach: notifying the supervisory authority (within 72 hours of becoming aware of it) and, where the breach is likely to put them at high risk, the people whose data was compromised
- A duty to keep the data you hold accurate and up to date
If you are collecting data from vulnerable groups, such as children, or from a group whose first language is not English, you need to consider carefully how you will make sure the participants understand what GDPR means for them and what rights they have over their data. You may need to be creative in how you explain how their data will be stored and used: orally, with images or videos, or in a written format.
Include a section on GDPR in your project risk assessment. Consider the loss or theft of laptops, phones and memory cards, and then the controls that reduce the impact: not using personal devices, encrypting the data (full-disk encryption on laptops and encrypted memory cards or encrypted containers for removable media; a login password on its own does not protect the files on a stolen disk), keeping the passphrase separate from the device, and holding as little personal data on field devices as possible. Plan for a breach now: you will need a way of contacting everyone whose data you hold, so keep a current list of participants and their contact details somewhere secure and separate from the research data itself.
Data minimisation means holding the minimum amount of data, and only for as long as you need it. Make sure you delete data properly. Deleting a file and then emptying the Recycle Bin or Trash is not destruction: it only removes the directory entry, and the contents remain recoverable until they are overwritten. Treat it as the first step, not the last. If the drive was encrypted from the start, deleting the file and keeping the key out of reach (or destroying the key when the device is retired) is enough; otherwise use a secure-erase tool. Either way, remember the copies that tend to survive in backups, cloud-sync folders, e-mail attachments and shared drives. Physical data must be shredded or incinerated.
Consider how much of your data needs to be personally identifying. Do you need names attached to the data? Do the people you share it with need those identifiers? If the data does not need to be identifiable, anonymise it; if only some people need the identifiers, pseudonymise it for everyone else (for example, the academic team keeps the names and the key that links them to the data, while post-docs and other researchers work with a copy in which each participant is just a code). Note the difference: pseudonymised data is still personal data under GDPR as long as someone holds the means to re-identify it, so it must be protected accordingly; only data that nobody can trace back to a person is truly anonymous.
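The following is an added example of the pseudonymisation just described; it is not code from the project. It takes a constructed sign-up sheet (the column names and rows are invented for illustration), replaces the direct identifiers with a keyed code, and produces two files: a research copy for the wider team and a linkage table that stays with the academic team alongside the key. The same key is what lets the team honour an erasure request without the research copy ever containing an e-mail address.

```python
"""Pseudonymise a sign-up sheet so the shared research copy carries no
direct identifiers, while a separate linkage table (held only by the
academic team, together with the key) allows erasure requests to be honoured.

Added example, not project code. Field names and sample rows are constructed.
"""
import csv
import hashlib
import hmac
import io
import secrets

# Constructed sample sign-up sheet (no real participants).
SIGNUP_SHEET = """name,email,village,age_band,attended
Amina Yusuf,amina@example.org,Kilwa,25-34,yes
Joseph Mwangi,joseph.m@example.org,Malindi,45-54,yes
Fatma Said,FATMA@example.org,Kilwa,18-24,no
"""

# Columns that identify a person directly; they must not reach the shared copy.
DIRECT_IDENTIFIERS = ("name", "email")


def new_key() -> bytes:
    """Fresh 256-bit secret for one project; store it with the linkage table,
    never with the research copy."""
    return secrets.token_bytes(32)


def pseudonym(key: bytes, identifier: str) -> str:
    """Keyed hash of a normalised identifier.

    HMAC rather than a plain hash: without the key nobody can recompute a
    participant's code from a guessed e-mail address, so the shared file is
    unlinkable to outsiders. Normalising case and whitespace makes
    'FATMA@example.org' and ' fatma@example.org ' the same participant.
    """
    norm = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, norm, hashlib.sha256).hexdigest()[:16]


def split_dataset(csv_text: str, key: bytes):
    """Return (research_rows, linkage) from a raw sign-up sheet.

    research_rows: what post-docs and collaborators receive; identifiers are
                   replaced by participant_id.
    linkage:       participant_id -> direct identifiers; stays with the key.
    """
    research_rows, linkage = [], {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        pid = pseudonym(key, row["email"])
        research_rows.append(
            {"participant_id": pid,
             **{k: v for k, v in row.items() if k not in DIRECT_IDENTIFIERS}})
        linkage[pid] = {k: row[k] for k in DIRECT_IDENTIFIERS}
    return research_rows, linkage


def erase_participant(research_rows, linkage, key: bytes, email: str) -> bool:
    """Honour a right-to-erasure request by removing the person from both
    copies. The requester supplies an e-mail; recomputing the HMAC locates
    their rows. Returns True if the participant was found."""
    pid = pseudonym(key, email)
    if pid not in linkage:
        return False
    del linkage[pid]
    research_rows[:] = [r for r in research_rows if r["participant_id"] != pid]
    return True


def has_direct_identifiers(rows) -> bool:
    """Pre-sharing check: no direct-identifier column may remain."""
    return any(col in DIRECT_IDENTIFIERS for row in rows for col in row)


if __name__ == "__main__":
    key = new_key()
    rows, link = split_dataset(SIGNUP_SHEET, key)
    assert not has_direct_identifiers(rows)
    print("research copy:", rows)
    print("erased:", erase_participant(rows, link, key, "amina@example.org"))
    print(len(rows), "rows remain;", len(link), "linkage entries remain")
```

Because the code is keyed, a second project using its own key produces different codes for the same people, so two datasets cannot be joined by comparing participant_id values. The linkage table and key are what make the research copy personal data in GDPR terms; destroy both when the project no longer needs to re-identify anyone, and the research copy becomes anonymous.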
You cannot use data for any purpose except those explicitly set out in your case for support, and those purposes must be explained to the people you collect data from. If you later find another use for their data, you cannot simply repurpose it; treat the new use as a new collection that needs its own explanation to participants and their agreement. When you no longer need the data, destroy it as described above.