Following the implementation of GDPR in May of this year, the Health Research Authority released transparency wording for use in Participant Information Sheets.
The recommended wording for data transparency has been updated following consultation with various stakeholders and public involvement and feedback on the initial published wording to provide a clearer more layered approach.
The user group developed a short summary text for the Participant Information Sheet which is supplemented by a generic leaflet. The text for both is now live on the HRA website.
What information should be used in my PI Sheet?
The HRA website section is here. Click on ‘Transparency wording for all sponsors’ – this will take you to this page which contains the information to be used.
To access the text to be used in preparing the leaflet to accompany your PI Sheet, click here. If you are on the HRA website section, the text appears once you click the heading ‘Template wording for generic information document’.
What does the revision in text mean for me?
If you have already updated your information sheets with the previous wording, you do not need to do anything.
The revised wording can be used for new studies, but the HRA will accept the previous wording if you have already submitted your application or prepared your information sheet for submission.
If you do wish to change your wording to the new text, please email Research Ethics so that your participating sites can be contacted.
It is important that researchers understand what the General Data Protection Regulation (GDPR) means for them and the personal data that is processed during their research. Compiled with the support of the Information Commissioner’s Office, the UKRI have provided a GDPR overview for researchers, which sets out guidance and signposts to further sources of information.
You will no doubt have received the emails yourself: don’t forget to opt in, click here to stay in touch, we don’t want to lose you. The General Data Protection Regulation, or GDPR, comes into force on May 25, and organisations and businesses large and small are racing to ensure the way they collect, store and use the personal data of their customers and clients meets the new, higher standards of this new European Union privacy law.
Compliance with GDPR can be costly, requiring organisations to analyse the way they work, the data they use, how it is handled and secured. Documenting how personal data is held and processed is tedious and time consuming, as is developing procedures for dealing with individuals’ requests to see the data held on them, security breaches that involve loss of data, or assessing the privacy impact of some new product or service.
The ICO has produced guidance for charities, and reading it you might think that the challenges charities face are the same as those facing any small business. Both have limited resources, time and money to spend on ensuring compliance. Losing or misusing personal data leads to the erosion of trust, irrespective of whether those affected are paying customers or charity donors. But scratch beneath the surface and you can see how GDPR causes unique problems for small charities, particularly those that work to help society’s most vulnerable.
Duty of care
The new privacy regulations require that personal data is “processed in a manner that ensures appropriate security of the personal data”. Any security expert will tell you that perfect security is impossible, so businesses can meet this requirement by investing in security considered “good enough” to meet the duty of care to their clients and customers.
But for charities, the duty of care they have for both their vulnerable client base and their donors is so strong that a culture of cost-cutting has formed. Because charities lack the expertise to understand the risks they face, they may wrongly believe they are avoiding risks, or accept risks without understanding the implications. Ultimately, this works against charities investing in the security they actually need. A report commissioned by the UK Department for Culture, Media and Sport in 2017 found this culture even led to some charities intentionally relying on out-of-date or low-technology solutions. In one case, a charity was even prepared to accept the risk of damaging data losses, in the hope that their donors would be sympathetic and appreciate that, to them, cybersecurity is a luxury they cannot afford.
The new privacy regulations are built around fair treatment, but this also fails to appreciate the ethical tensions faced by charities. Under GDPR, organisations can only collect data from individuals when they have a legal basis for doing so, for example that the individual has given their consent (such as signing up for an email newsletter), or that the organisation must do so in order to comply with a legal obligation (such as banking information required to meet money laundering regulations). However, complications arise because while an individual may give consent, they may also withdraw it.
Imagine, for example, that Bob suffers from a drug addiction. In a moment of clarity, he checks into a rehab centre for help, and gives consent for the centre to collect what personal data they require. But Bob later relapses, and – to keep this information from his family – withdraws his consent and exercises his right to be forgotten, demanding that the rehab centre deletes the data on him that it holds.
The GDPR provides some discretion for processing personal data in matters of life and death, but not if Bob is capable of giving consent. And so the rehab centre faces a dilemma: it can assert Bob isn’t capable, exposing themselves to the risk of a fine should he report them to the ICO. Alternatively, they can comply and expose Bob to future risks that may threaten his health or life, and reduce or remove the information they know that might one day help save his life.
ICO guidance for not-for-profits should answer the sorts of questions regularly raised by charities. But instead it treats small charities like any other small business. The ICO claims this is the information that charities want, but it is not the information they need. If guidance fails to acknowledge the risks to small charities, what incentive do charities have to invest time and money following it?
What charities need are fewer platitudes on what they should be doing – they already know this – and more advice on how to do it, given the very particular challenges they face. In a speech given to the charities attending the Funding and Regulatory Compliance conference last year, the information commissioner said that getting privacy right can be done, that it should be done, and that she would say how it can be done. Yet as the deadline looms, charities are still waiting to hear about the “how”.
Using work from her doctoral research, Jane Henriksen-Bulmer has devised a customised Data Protection Impact Assessment (DPIA) process for charities, which she is now putting into practice at StreetScene. This helps them evaluate how privacy impacts their business workflows, and the privacy risks they face.
To help other charities benefit from this work, we will be running a free GDPR for Charities workshop on June 11th at the EBC. The workshop will share the results of this work with around 50 participants who work for or with local charities, and provide hands-on training on the process and complementary design techniques and software tools that charities can put into immediate practice. We’ll also be running a panel with invited speakers to discuss the challenges that small charities face with GDPR.
Although this work is helping local charities, we hope our work leads to more debate on how everyone (and not just big business) can ‘build in’ sustainable security and privacy.
Research Professional have interviewed Sarah Dickson, Head of the Medical Research Council Regulatory Support Centre, on what researchers need to know about the GDPR (General Data Protection Regulation), which comes into force on 25th May.
Click on the RP article to find out about who is affected, what data we’re talking about, how GDPR affects you as a researcher, consent, fairness and transparency, and who you should talk to.