Working with Personal and Sensitive Research Data 12/11/20

Editor's Notes

• #2: Welcome​ Introduce myself​ Housekeeping – we will be recording. Names will be removed from the recording.​ Ask questions in the Chat box or on mic​ ​ !!! REMEMBER TO ACTUALLY RECORD IT !!!
• #3: Before I start I’m going to flag up our website where you can find loads of information about Data Management Plans and everything else we support, and how to contact us.​
• #4: (? minutes) Overview of the webinar There is quite a lot of content to get through, we will stop for discussion at various points throughout and there will be time for questions at the end but if you have a burning question please feel free to interrupt me!
• #6: This is the definition according to the GDPR. GDPR (General Data Protection Regulation) was brought in in 2018, it is a supplement to the Data Protection Act and applies to anyone who processes the data of EU residents. If you're working with personal data outside the EU, make sure you are fully aware of the Data Protection laws that apply. GDPR provides greater rights and protection to individuals across the EU. Personal data only includes information relating to natural persons who: can be identified or who are identifiable, directly from the information in question; or who can be indirectly identified from that information in combination with other information. Therefore, PSEUDONYMISED DATA IS STILL PERSONAL DATA You need a lawful basis to process personal data – for research this is usually by gaining informed consent.  Don’t forget that consent for processing personal data is separate from ethical consent. This is an entirely separate requirement about consent to participate in research, which you must have. If you are handling personal data you need to fill in the Information Asset Register. Instructions on how to do this are on the DP intranet site (coming up)
• #7: Also known as special category data. It is personal data that needs more protection because it is sensitive. If you are handling sensitive data you must complete a Data Protection Impact Assessment form – you can access this through the DP intranet site which we will share in a moment. You must always ensure that you have a legal basis for handling this type of data. For research this will be either explicit consent or for research purposes. But, there are further conditions that you must also satisfy for processing special category data – see the guidance from the Information Commissioners Office and contact DP team if you need advice.
• #8: These are some rights you need to be aware of, particularly when you're writing your consent forms and planning how you will store your data. We’re not going to focus too much more on GDPR now as we don’t have time and it could take all day but for more info head over to the ICO website or contact the DP team at the OU (link coming up)
• #12: A Data Management Plan (DMP) is a project document which describes the data (or similar evidence) that a project will collect, how it will be stored during the project, how it will be archived at the end of the project and how access will be granted (where appropriate). We always advise anyone working with data to write a DMP but they are even more important when the data in question is sensitive or personal, as thinking about these issues at the outset of a project helps reduce the risk of data breaches. There is lots of guidance on our website, and DMPOnline is available to help you write your plan. If you need advice or would like us to review your plan please send us an email, we’re here to help you!
• #15: In order to make sure that research data can be made available for future reuse, it is important that consent for future reuse of the data by other researchers is sought from participants. Participants should be informed how research data will be stored, preserved and used in the long-term, and how confidentiality can be protected when needed. It may be advisable to offer different levels of consent – so participants can opt in or out to specific activities. There may be a point after which participants can no longer withdraw from a project due to anonymisation. Make this clear on your consent form and include a date. You should also destroy completed consent forms once the data has been anonymised. However we advise you to retain an example of your consent form and information sheet and archive it alongside your data in order to demonstrate that consent was obtained to collect, share and preserve the data. It’s also important to think about what valid, informed consent really means – ensure you clearly tell participants what you plan to do with their data, using simple, clear language. They need to have genuine choice and control. You cannot rely on silence, inactivity, pre-ticked boxes, or opt-out boxes. You must also keep records of consent.
• #16: Anonymisation = removing ALL personal identifiers (data subject is no longer identifiable) Pseudonymisation = allows for some form of re-identification, no matter how unlikely or indirect (or may be even intentional, such as allocating participant IDs and retaining a record that links participants to their identifier) but remember, you shouldn’t keep personal data longer than you need it! Anonymisation is a valuable tool that allows data to be shared, whilst preserving privacy. The process of anonymising data requires that identifiers are changed in some way such as being removed, substituted, distorted, generalised or aggregated. A person's identity can be disclosed from: Direct identifiers such as names, postcode information or pictures Indirect identifiers which, when linked with other available information, could identify someone, for example information on workplace, occupation, salary or age You decide which information to keep for data to be useful and which to change. Be mindful that removing key variables, applying pseudonyms, generalising and removing contextual information from textual files, and blurring image or video data could result in important details being missed or incorrect inferences being made.  It’s best to decide on anonymisation techniques at the outset – include this in your data management plan. Costs for anonymisation can be included in research grants. It also helps to ensure consent is informed and specific if you can give details of anonymisation to participants at the outset.
• #17: Encryption is a way to enhance the security of a message or file by scrambling the contents, so that only someone who has the right encryption key can read it. Sensitive information should be encrypted when: ‘At Rest' - when stored on the University network or mobile devices. Some storage options automatically encrypt files at rest e.g. OneDrive. Encryption is especially important if saving personal data to a mobile device that can easily be lost, such as a USB memory stick. ‘In Transit' - when transferred outside of the OU to third parties.
• #19: Consider scanning any physical documents you need to retain, for more secure storage