To comply with data protection legislation, it is necessary to take appropriate steps to protect personal data. Any personal data collected or used in a research project needs to be documented in a Data Management Plan, along with the safeguards that will be in place to mitigate any risks.
These should be documented in the following sections/questions of the BU Data Management Plan (DMP) template:
Ethical and legal compliance
Storage, back-up, and security
Personal data is any information relating to a living individual. If you're collecting data about someone who is alive, and it's possible to identify that someone, then you're collecting personal data. Individuals might be identifiable directly or indirectly.
Special category data is personal data that is more sensitive in nature, and so requires a higher level of protection. GDPR defines special category data as personal data about an individual's:
Information relating to criminal convictions or offences also requires higher levels of protection.
Purpose
A Privacy Impact Assessment (PIA), also known as a Data Protection Impact Assessment (DPIA), is required when data processing activities are likely to result in a "high risk" to the rights and freedoms of individuals.
In a research context, this need may arise when research involves high-risk data processing, particularly when handling sensitive or special category personal data.
The primary purpose of a PIA is to identify and mitigate data protection risks early in the project planning stage. The requirement for a PIA often emerges as part of the Data Management Plan (DMP) and/or the ethics approval process and may also be required by a research funder or sponsor.
Additional information on conducting a PIA at BU is available from BU's Data Protection SharePoint site. For support or questions, please contact the Data Protection Officer.
When Are You Likely to Need to Conduct a PIA?
A PIA is typically required if your research involves:
PIA Process
The PIA process involves assessing the scope, necessity, and proportionality of the planned data processing. It also includes identifying and implementing measures to mitigate potential privacy risks to participants.
This proactive assessment helps ensure that privacy considerations are integral to the project from the start, thereby reducing potential compliance issues and protecting participant rights.
Anonymisation
Anonymisation involves processing data to prevent the identification of individuals, directly or indirectly, from the data alone or in combination with other available information. Properly anonymised data is no longer classified as personal data and, thus, is not subject to data protection laws. Anonymisation is suitable when research results or shared datasets do not require identifiable information.
Pseudonymisation
Pseudonymisation replaces identifiable information with codes or pseudonyms. While pseudonymisation protects participants' privacy to a significant extent, it allows for re-identification if additional information is available. Consequently, pseudonymised data remains subject to data protection regulations and should be safeguarded accordingly.
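As an added illustration (not BU guidance and not code from this page), the sketch below pseudonymises a small dataset with a keyed hash: direct identifiers are replaced by a participant code, and the key and lookup table are the "additional information" that makes re-identification possible. The field names, sample records and function names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

ID_FIELDS = ("name", "email")  # direct identifiers in the constructed sample


def new_key() -> bytes:
    """Secret held by the data custodian, stored apart from the research dataset."""
    return secrets.token_bytes(32)


def pseudonym(key: bytes, identifier: str) -> str:
    """Stable participant code: HMAC-SHA256 over the normalised identifier."""
    norm = identifier.strip().lower().encode("utf-8")
    return "P-" + hmac.new(key, norm, hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    """Return (working dataset without direct identifiers, re-identification table)."""
    dataset, lookup = [], {}
    for rec in records:
        code = pseudonym(key, rec["email"])
        lookup[code] = {f: rec[f] for f in ID_FIELDS}
        # Remaining fields can still identify someone indirectly; review them too.
        row = {k: v for k, v in rec.items() if k not in ID_FIELDS}
        dataset.append({"participant": code, **row})
    return dataset, lookup


def reidentify(code, lookup):
    """Only possible for whoever holds the lookup table (or the key)."""
    return lookup.get(code)


# Constructed sample records, not real participants.
SAMPLE = [
    {"name": "Alex Example", "email": "alex@example.org", "wave": 1, "score": 14},
    {"name": "Alex Example", "email": "Alex@Example.org ", "wave": 2, "score": 17},
    {"name": "Sam Sample", "email": "sam@example.org", "wave": 1, "score": 9},
]

if __name__ == "__main__":
    data, table = pseudonymise(SAMPLE, new_key())
    for row in data:
        print(row)
    print(reidentify(data[0]["participant"], table))
```

Because the key and lookup table reverse the codes, the working dataset is still personal data; store both separately from it and restrict access to them.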
Further information on these techniques, and references to guidance on how to use them, can be found under the 'security section'.
Using PIAs in conjunction with anonymisation and pseudonymisation can enhance compliance and build participant trust, ensuring that privacy protections align with ethical and regulatory standards throughout the research project.