Privacy and Data Protection

This page contains information for project participants who agree to be interviewed as part of our research

 

What is this page about?

From May 25th 2018 the European General Data Protection Regulation (GDPR) comes into force. The new Regulation replaces and updates existing data protection laws. The GDPR applies to the UK and is not dependent on the ongoing negotiations over withdrawal from the European Union. 

 

What does the GDPR mean for me?

Under the GDPR anyone whose data is collected and who can be identified from that data, either directly or indirectly, is considered a ‘data subject’.

 

Data subjects have a number of legal rights, including the right to know what data is collected about them, what it is being used for and who they can contact if they what more information or wish to make a complaint or raise a concern.

 

People who agree to be interviewed as part of the Biomodifying technologies project are contributing personal data and have rights as data subjects.

 

What does the GDPR mean for researchers working on the Biomodifying technologies project?

The GDPR will not change the way personal data will be processed by the project, but it introduces new rights for data subjects about the way we process their data.

 

This page describes what these changes are and what they mean for data subjects. This information is in addition to that provided in the Participant Information Sheets, which remains valid.

 

Organisations such as a company, hospital or university holding and utilising personal information about one or more data subjects are considered ‘data controllers’. Data controllers have a responsibility to guarantee the rights of data subjects whose data they are processing.

 

‘Processing’ means any operation performed on personal data or sets of personal data including (but not limited to) collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, or dissemination of that data. Research using interview data counts as ‘processing’.

 

Most institutions processing large volumes of personal data will have, or should soon appoint, a Data Protection Officer (DPO). The DPO can act as a point of contact for anyone wanting to know what data an organisation holds about them and what it is being used for.

 

Who is the Data Controller for the ‘Biomodifying Technologies’ project?

The University of Oxford, The University of Sussex and the University of York are all Data Controllers for this project.

This means each institution has responsibility for information collected, stored and analysed as part of this research project.

Who are the relevant Data Protection Officers?

 

University of Oxford:  Max Todd Max.todd@admin.ox.ac.uk

 

University of Sussex:   Alexandra Elliott dpo@sussex.ac.uk

 

University of York: Durham Burt dataprotection@york.ac.uk

Who do I contact if I want to make a complaint?

You could contact the DPO of one or more of the Universities hoisting this research project.

 

If you feel it is appropriate and necessary you may also file a formal complaint with the UK Information Commissioner’s Office (ICO).

 

What information is this project collecting?

Personal data includes audio recordings of interviews, transcripts made of these audio recordings, email addresses of participants and correspondence with participants and potential participants.

 

How long will personal data collected for the Biomodifying Technologies be stored for?

Audio recordings will be retained for at least the minimum three years required by our funders the Economic and Social Research Council (ERSC). Anonymised transcripts will be retained and submitted for archiving to the UK Research Data Service. The lead researcher (M. Morrison) will be the data custodian and will be responsible for ensuring the secure storage and confidentiality of the data.

 

How will personal data be stored?

Physical copies of the recordings (e.g. on SD cards) will be kept in a locked filing cabinet. Digital copies will be stored on secure, encrypted devices at all times.

 

The recordings will be transcribed by an approved commercial transcription service with a non-disclosure agreement. Transcripts will be anonymised and assigned a code.

 

A key linking the codes to the personal details of interviewees will be stored securely and kept separate from the transcripts.

 

Will any personal data be transferred outside the UK?

No. Audio recordings will only be accessed by members of the research team and will not be shared with anyone else without the prior explicit written permission of the participant. No identifiable data will be shared with third parties.

 

Recordings and transcripts will be used for research purposes only. This will include submission to peer-reviewed publications of analysis of this data which can include selected quotes from the data set. Quotes in published works will be identified only by the code assigned to the transcript.

 

What is the legal basis for processing personal data collected by this project?

We are processing audio recordings, transcripts and other personal data under the public interest basis set out in the GDPR (Article 6(1)(e). Any special categories of personal data—for example relating to racial or ethnic origin, or political opinions, religious or philosophical beliefs—will be processed on the condition of scientific research (Article 9(2)(j) GDPR).

Can I withdraw my consent?

You are free to withdraw this consent at any point before, or during the interview, which will mean that any responses you have given will not be used during the data analysis.

 

You may also withdraw your consent after the interview, until 1st December 2019 at which point anonymised data will be prepared for submission to the UK Research Data Service as described above.

 

Data, in the form of anonymised quotes which are used in a published paper cannot be withdrawn.  You are free to refuse to answer any questions during the interview.

 

Can I access my data?

Yes. If you have participated in the project you can submit a data access request to the principal Investigator of the project (M. Morrison) to receive a copy of all personal data held about you by the project team. We will endeavour to supply you with this data within one month.

 

You also have a right to have any inaccurate personal data corrected, or completed. Your GDPR rights to objection or restriction of the processing of your personal data will be respected, unless this would prevent or seriously impair the object of our research.