IRB Guidance: GDPR and Research at UW
This page addresses how the European Union (EU) General Data Protection Regulation (GDPR) applies to data for research projects at UW-Madison.
What is GDPR?
GDPR is a European law that establishes protections for the privacy and security of personal data about individuals located in the European Economic Area (EEA). The EEA consists of the EU member states plus Iceland, Liechtenstein, and Norway. Specifically, the EEA includes the following countries:
Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, United Kingdom.
Note: the United Kingdom appears in this list but is no longer an EU or EEA member. Personal data about individuals in the UK is now governed by the separate UK GDPR, which imposes substantially the same obligations, so the guidance on this page should be applied to UK data subjects as well.
What does GDPR cover?
Unlike data privacy and security laws in the U.S., which tend to be directed at specific types of data (e.g., health information, student information), GDPR applies to the collection and use of all personal information:
- Through activities within the borders of EEA countries
- That is related to offering goods or services to subjects within the EEA, or
- That involves monitoring the behavior of subjects within the EEA
Why does this matter to UW-Madison?
Where the university is working with personal data collected in, or transferred from, any of the above EEA countries, GDPR will be relevant. This includes data collected, obtained, or used for research projects. Failure to follow GDPR's requirements where they apply puts the University at risk of noncompliance findings, monetary fines, and reputational harm. Fines for noncompliance under GDPR can be up to 20 million Euros or 4% of the organization's total worldwide annual turnover for the preceding financial year, whichever is higher.
Therefore, it is essential that you confirm whether GDPR applies to your project and if so, ensure you comply with GDPR requirements related to research as listed below. If you have any questions about GDPR and your research project, please contact the IRB.
How does GDPR relate to research in general?
- It establishes the circumstances under which it is lawful to collect, use, disclose, destroy, or otherwise process "personal data."
- It establishes certain rights of individuals in the EEA, including the rights of access, rectification (amendment), and erasure (the "right to be forgotten").
- It requires researchers to implement appropriate technical and organizational security measures to ensure a level of data security that is appropriate to the risk of the data.
- It requires notification to the relevant data protection authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals; where the breach is likely to result in a high risk to individuals, the affected individuals must also be notified without undue delay. A personal data breach is a security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
"Personal data" is any information relating to an identified or identifiable natural person ("data subject"). An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, identification number, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
"Special categories" of personal data require a higher level of protection because of their sensitive nature and the greater privacy harm that can follow from their misuse. They include information about a data subject's health, genetics, racial or ethnic origin, biometric data used for identification purposes, sex life or sexual orientation, political opinions, religious or philosophical beliefs, and trade union membership. Although criminal convictions and records are not "special categories" of personal data, this information is subject to heightened protections under GDPR.
Anonymized Data: GDPR does not apply to data that have been anonymized. However, under GDPR there is no de-identification (or "anonymization") safe harbor akin to HIPAA's: stripping a fixed list of direct identifiers does not by itself make data anonymous. Whether data can be considered anonymized, and therefore outside GDPR, must be determined on the facts and circumstances, considering all the means reasonably likely to be used, either by the person in control of the data (the "controller") or by another person, to identify the natural person directly or indirectly.
Coded or Pseudonymized Data: Data that has been "pseudonymized" (coded data that can no longer be attributed to a specific data subject without the use of a key or code list that is kept separately) remains personal data subject to GDPR, because re-identification is possible by whoever holds the key.
How Research Activities May Invoke GDPR
First, note that citizenship is irrelevant to whether GDPR applies; what matters is where the data subject is located. For example, EEA citizens who reside in the U.S. would generally not be covered by GDPR, while citizens of non-EEA countries residing in the EEA generally would be covered.
There are several ways that research activities may invoke GDPR:
- Activities within the borders of EEA countries, such as conducting a multi-site trial in an EEA member state.
- Offering goods or services, regardless of whether payment is involved, to data subjects in EEA countries. Examples of arrangements that could be said to offer services to EEA data subjects include providing a mobile application to EEA residents for tracking medication compliance that transfers such data to the study team, or collaboration agreements with research institutions in EEA countries to share data with U.S. researchers for analysis. Mere accessibility of a website by EEA residents is not by itself enough to constitute offering a service, but a website aimed at EEA residents could be (e.g., a website recruiting EEA data subjects into a study).
- Monitoring behavior of subjects within the EEA, such as reviewing data collection and adverse events related to data subjects in EEA; collecting information related to EEA data subjects' online presence such as through social media; collecting information about EEA data subjects via online surveys; or tracking their internet browsing.
GDPR requires a legal basis to collect and process (e.g., store, analyze, or share) personal data. For research use of personal data at UW-Madison, the legal basis that will generally apply is consent from the data subject.
Consent must be freely given, specific, informed and unambiguous as to the data subject's wishes by a statement or by a clear affirmative action:
- Freely given means the individual must have a realistic choice, including a realistic ability to refuse or to withdraw consent later. Consent obtained where there is a clear imbalance of power (for example, obtained from a student or employee by someone in a position of authority over them) is not considered freely given, and consent cannot be coerced.
- Specific means the consent must be explicit and transparent and contain the following information:
- Identity of the Principal Investigator
- Purpose of the data collection
- Types of data collected, including listing of any special categories of data
- The right to withdraw from the research and the mechanism for withdrawal
- Who will have access to the data
- Time period for which data will be stored (can be indefinite)
- Information regarding data security, including storage and transfer of data
- Information regarding any automated processing of data for decision making about the individual, including profiling
- Whether and under what conditions data may be used for future research, either related or unrelated to the purpose of the current study
- Informed means that subjects are made aware of the risks, how their data will be safeguarded, their rights in relation to the research (as described below), and how to exercise those rights.
- Unambiguous means consent is given through a statement or clear affirmative action.
- This may be a written or oral statement or another affirmative act demonstrating consent. For instance, actively checking a box can indicate consent, while silence, inactivity, or pre-ticked boxes that the subject must uncheck to opt out cannot.
- Investigators must be able to demonstrate that a particular subject consented to the research. Consent records, including the date and time of consent and the version of the consent language presented, must be maintained for each data subject.
- If the consent form serves multiple purposes, the request for consent must be clearly distinguishable within the document.
- The IRB cannot waive or alter the requirement for informed consent under GDPR; the waiver and alteration provisions of U.S. human subjects regulations do not apply to GDPR-covered data.
Data subjects have the following rights in relation to the research (these are the rights referred to above), and the consent form must explain them and how to exercise them:
- The right of access to their data
- The right to request corrections to their data
- The right to withdraw consent and to request erasure of their data. Once consent is withdrawn, the data may be retained only if it has been anonymized or if another legal basis exists to retain it. Such a basis may include:
- The need to protect scientific research if deletion would render impossible or seriously impair the research objectives; or
- The need to protect the public health by ensuring the accuracy and quality of data related to medical care or to investigational drugs and devices
- The right to data portability, i.e., to receive their personal data, or have it transferred to a third party (such as a personal physician), in a structured, commonly used, machine-readable format suitable for re-use
Certain types of research activities are likely to collect personal data from EEA data subjects without the knowledge or intent of the research team. For instance, data collected from social media platforms can easily include personal data about EEA data subjects, and online survey research may enroll EEA data subjects.
Researchers should therefore consider verifying where their data is coming from, for example by including a screening question asking whether potential subjects currently reside in an EEA country. Researchers can then either use a consent form that complies with GDPR for those subjects or exclude them from the subject pool.
Data Breach - Responsibilities
GDPR has strict rules and timelines for reporting data breaches, and the 72-hour clock for notifying the data protection authority starts when the University becomes aware of the breach. To allow the University to meet that deadline, any data breach on a project involving GDPR-covered research must be reported to the Office of Legal Affairs (608-263-7400) within 24 hours of identifying the breach, in addition to any report that must be made to the IRB. The following information should be communicated:
- Type of breach
- Nature, sensitivity, and volume of personal data
- Severity of consequences for individuals
- Number and characteristics of affected individuals
- Ease of identification of individuals
- Protocol number