What is the GDPR?
The GDPR is a European Union law that went into effect on May 25, 2018. It establishes protections for privacy and security of “personal data” for and about individuals who reside in the European Economic Area (EEA).
How does the GDPR apply to human subjects research?
The GDPR will likely apply to a sponsoring institution or organization (the Sponsor) located or established in the EEA. Whether the Sponsor is a “controller” under the GDPR for the purposes of the study will depend on the nature of the project and the degree of involvement the Sponsor has with the collection, processing, and use of Personal (or identifiable) Data. These are entities (whether located in the EEA or in the United States (e.g., UMBC) that collect personal data and store, retrieve or transfer data that has identifiable elements.
What is “Personal Data”?
“Personal data” refers to any information that relates to an individual or identifiable person Examples of “personal data” include: a person’s name, email address, government-issued identification. Others include a unique identifier such as an IP address or cookie number, and personal characteristics including photographs.
Special categories of personal data which require a higher level of protection due to their sensitive nature and risk for greater privacy harm include: information about a data subject’s health, genetics, race or ethnic origin, biometrics, sex life or sexual orientation, political opinions, religious or philosophical beliefs, or trade union membership.
The GDPR considers “pseudonymized data” (e.g., coded data) to be “personal data” even when there is no keycode to link data to an individual data subject. . For example, if a US institution serves as the sponsor of a research study at a site located in the EEA and receives pseudonymized data from the EEA site, such data from the EEA site remains “personal data.”
When can Personal Data be anonymous?
The GDPR does not apply to data that have been anonymized. In order to be anonymized, there can be no keycode in existence from the Sponsor to allow re-identification the data.
What does this mean for UMBC investigators?
Human subjects research studies conducted in the United States by UMBC researchers may be required to comply with the GDPR if the research involves collecting Personal Data from research participants physically located in the EEA at the time of data collection. Research participants do not need to be an EEA resident.
NOTE: Data collected from participants who are physically located within the U.S. at the time of data collection – even if the participant are an EEA citizen — are not subject to the GDPR.
To comply with the GDPR, UMBC human subjects research studies:
- Should collect the absolute minimum personal data. Wherever useful, collect only de-identified data
- Set up online survey sites to only receive data you need. Turn off default settings that collect personal information including IP addresses
- If a study must collect identifiable data, prepare for the IRB and DoIT an executable plan to remove data in the event a participant requests their data be removed
- Ensure consent documents are in compliance with GDPR requirements
- Under GDPR, consent must be freely given, specific, informed and explicit. Use active “opt-in” language on on-line surveys (Click next to proceed to the survey). This is sufficient for active on-line data collection
GDPR requirements for consent documentation
Consent records, including time and date of consent, must be maintained for each subject. In the case of verbal, online, or any other type of undocumented consent, the Principal Investigator is responsible for maintaining a consent log indicating each subject (either by name or study ID number) and the date and time that they provided consent.
Consent must be explicit. If the consent form or consent script serves multiple purposes (e.g., a consent form that is also the recruitment email), then the request for consent must be clearly distinguishable within the document.
Each subject has a right to withdraw consent, at any time. Each subject must be informed of this right prior to giving consent. Withdrawal of consent must be as easy as giving consent.
Consent must be an affirmative action. This means that opt-out procedures or pre-checked boxes indicating consent are not permitted.
Consent information must be provided in clear and plain language in an intelligible and easily accessible format. Consent forms using excessive jargon or that do not have separate sections with section headings will be returned for revision.
Consent must be freely-given. Individuals in a position of authority cannot obtain consent, nor can consent be coerced. This means that faculty members or teachers cannot obtain consent from their own students.
Consent forms must contain the following information:
- The identity of the Principal Investigator;
- The purpose of data collection;
- The types of data collected, including listing of special categories:
- Racial or ethnic origin;
- Political opinions;
- Religious or philosophical beliefs;
- Trade union membership;
- Processing of genetic data;
- Biometric data for the purposes of unique identification;
- Health data; and/or
- Sex life or sexual orientation information;
- The right to withdraw from the research and the mechanism for withdrawal;
- Who will have access to the data;
- Information regarding automated processing of data for decision making about the individual, including profiling;
- Information regarding data security, including storage and transfer of data;
- How long data will be stored (this can be indefinite);
- Whether and under what conditions data may be used for future research, either related or unrelated to the purpose of the current study.
Information abstracted from and courtesy of Brown University Office of the Vice President for Research, https://www.brown.edu/research/gdpr-and-human-subjects
To best meet UMBC consent requirements, follow the instructions and use the appropriate template found here.