Because good research needs good data

Five Things You Need to Know About RDM and the Law: DCC Checklist on Legal Aspects of RDM

This checklist is intended to help researchers and support staff involved in developing or delivering support for research data management (RDM).

** Please note that this guide is somewhat out of date as it was written before the GDPR came into force in 2018.  We are currently working on an update.**

By Mags McGeever, Angus Whyte and Laura Molloy

Published: September 2015

Browse the guide below or download the PDF.

** This publication is available in print and can be ordered from our online store **

Please cite as: McGeever, M., Whyte, A. & Molloy, L. (2015). ‘Five Things You Need to Know About Research Data Management and the Law. DCC Checklist on Legal Aspects of RDM’. Edinburgh: Digital Curation Centre. Available online: /resources/how-guides

Contents

Introduction

1. Protection of Personal Data

2. Freedom of Information (FOI) and Environmental Information (EIR)

3. Intellectual Property Rights (IPR) in data and databases

4. Data sharing, licensing and re-use

5. Legal Considerations of Cloud Service Provision

Notes

Acknowledgements

Introduction

Who is this Checklist intended to help?

Researchers and support staff involved in developing or delivering support for research data management (RDM). For shorthand we use the term “research data professionals”. Please note the content refers mostly to UK legislation. Readers based elsewhere should consult guidance specific to their own legislative and regulatory contexts.

What does this Checklist cover and what does it exclude?

The checklist covers the main challenges for RDM support services, and the services and sources of legal information available to them. The Checklist summarises the following common elements of the main challenges for RDM support:

  1. Protection of Personal Data
  2. Freedom of Information (FOI) and Environmental Information (EIR)
  3. Intellectual Property Rights (IPR) in Data and Databases
  4. Data Sharing, Licensing and Re-use
  5. Legal Considerations of Cloud Service Provision

The Checklist aims to supplement more detailed guidance, including any advice available through your institution. Likely sources would include information governance or records management specialists, the research ethics committee, and research and enterprise office colleagues specialising in contracts, licensing and legal agreements.

For many researchers, especially those in health and medical fields and in social sciences, the legal aspects of RDM overlap with ethical frameworks and procedures. The Checklist does not include any specific guidance on those, or on funding body policies that relate to them. We include some references in the section on ‘Protection of Personal Data’.

Challenges for RDM support

There are many drivers for improved research data management, including opportunities presented by new technology, expectations of open access, and the need to meet research funder policies. Institutions are expected to develop a broad range of capabilities to ensure research data is properly managed and made accessible to its users1, 2. Legal issues have a bearing on how institutions respond to these challenges. The following RDM service areas will be particularly affected

a. Policy guidance: To ensure researchers are aware of the regulatory environment, data policy principles and expectations, and of appropriate use of exemptions that may justify withholding research data.

b. Data management planning support: To help researchers effectively manage legal risks arising from sensitive data, access requests and intellectual property rights (IPR).

c. Institutional governance processes: To ensure that sensitive data, access requests, and IPR are correctly handled at all stages of the research lifecycle.

d. IT and Computing support services: To ensure that sensitive data is held securely, and that publicly funded research data submitted to external repositories for long-term preservation is subject to legal safeguards that are equivalent to UK jurisdiction.

e. Staff development and training: To ensure content is relevant to providing secure and quality assured data management and curation.

Disclaimer – and further guidance

The DCC does not provide legal services of any kind. We provide this checklist ‘as is‘, and aim to ensure the content is accurate and relevant, but we cannot accept any liability arising from its use. For each topic we include recommended sources of further guidance, many of which are available on the archived Jisc Legal site. Please note that Jisc Customer Services now provides support with legal aspects of data management. Also consult your institution’s specialist staff for further guidance, and in case of doubt take professional legal advice.

1. Protection of personal data

Compliance with the UK’s Data Protection Act (the DPA) has been required since 1998. The Act is designed to strike a balance between the interests of the individual in maintaining privacy over their personal details and the potentially competing interests of those with legitimate reasons for using other people's personal data (see box 1). The DPA places obligations on you and your organisation if you process personal data, and in addition gives individuals certain rights in relation to data pertaining to them. The definition of ‘processing’ is broad and will include transfer, storage, alteration and deletion – i.e. it covers all interaction with the data concerned.

Your institution will have a framework in place to ensure the security of all personal data held for administrative reasons. The DPA also applies to personal data used for research, albeit with some exemptions, but it is a popular misconception that there is a blanket exemption for research. Institutions should ensure that researchers, staff and students are aware that the majority of the principles still apply to research.

Box 1. How the Data Protection Act defines ‘personal data’

Personal data means data which relate to a living individual who can be identified -

(a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

Sensitive personal data means personal data consisting of information as to -

(a) the racial or ethnic origin of the data subject,

(b) his political opinions,

(c ) his religious beliefs or other beliefs of a similar nature,

(d) whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),

(e) his physical or mental health or condition,

(f) his sexual life,

(g) the commission or alleged commission by him of any offence, or

(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

Source and further details: Information Commissioner’s Office www.ico.org.uk/for-organisations/guide-to-data-protection/key-definitions/

It is crucial for researchers and data professionals to be aware of the legal constraints. Advances in technology and in public expectations of data sharing have changed how researchers generate data and make it accessible. They also increase the potential for collaborative research. Increasingly global collaboration raises the issues of privacy and data protection more acutely, and poses the risk of unintentional legal infringement.

Under the DPA, eight data protection principles apply to handling personal data, shown in Box 2.

Box 2. Data Protection Principles

1. Personal data shall be processed fairly and lawfully. In practice this means that you must

  • Have legitimate grounds for collecting and using the personal data.
  • Not use the data in ways that have unjustified adverse effects on the individuals concerned.
  • Be transparent about how you intend to use the data, and give individuals appropriate privacy notices when collecting their personal data.
  • Handle people’s personal data only in ways they would reasonably expect, and
  • Make sure you do not do anything unlawful with the data.

2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

4. Personal data shall be accurate and, where necessary, kept up to date.

5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

6. Personal data shall be processed in accordance with the rights of data subjects under this Act.

7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Source and further details: Information Commissioner’s Office ico.org.uk/for-organisations/guide-to-data-protection/data-protection-principles/

Principles 7 and 8 need special attention if you use cloud services (see Section 5).

Research exemptions

Data used for research purposes is exempt from data protection principles 2 and 5. Also there is an exemption from the data subject's right of access where

  • Personal data is not processed to support measures or decisions with respect to particular individuals.
  • Personal data is not processed in a way that substantial damage or distress is likely to be caused to any individual.
  • The research results, or any resulting statistics, are effectively anonymised.

See  Protection of Personal Data: Further Resources for guidance, especially point (f).

European General Data Protection Regulation

The forthcoming European General Data Protection Regulation (GDPR) is a major change and is expected to come into force in 2018. The main provisions relevant to research include

  • Data controllers (including HEIs) need explicit consent to process personal data.
  • Mandatory to appoint a Data Protection (DP) officer for a public body or organisation with over 250 employees.
  • Mandatory obligations regarding transfer of personal data to countries outside the European Economic Area (EEA)
  • Data subjects have a new ‘right to be forgotten’ and to have personal data erased.
  • Data subject’s right to obtain their data in a structured, commonly used electronic format.
  • Introduces principles of privacy by default and privacy by design.
  • Obligation to notify personal data breaches within 24 hours, if feasible, or without undue delay.
  • Obligation to carry out a DP impact assessment prior to some processing.
  • Specific protection for children.
  • Clarification on processing of personal data for the purposes of historical, statistical or scientific research.

See Protection of Personal Data: Further Resources for guidance, especially points (j) and (k).

Protection of personal data: Checklist

1. Data protection is covered in any RDM guidance or training materials that you are responsible for, and:

  • Includes signposting to further guidance on research ethics. 
  • Will be updated to reflect changes e.g. the European Data Protection Regulation.

2. When planning research, the following points are covered, e.g. in a Data Management Plan:

  • All data is stored and labelled with the appropriate level of security/ confidentiality, and this is documented before depositing the data in a repository. 
  • Protection of any personal data that is collected or created. 
  • Compliance with the institution’s data protection guidance, and any IT or information security policy. 
  • Informed consent request should include consent for data preservation and sharing, unless an ethics committee deems this inappropriate. 
  • Sensitive data (if any) is securely stored and transferred. 

3. There is a clearly worded deposit agreement and adequate checks on any data deposited in any repository, so that it is only shared openly if it has been fully anonymised, and it is adequately protected otherwise. 

4. Any data repository that you are responsible for maintaining is operating consistently with the institution’s information security policy and relevant IT service guidance. 

5. Any personal data already retained is regularly appraised to determine whether it is still needed for the purposes it was retained for, or it could be anonymised (so it doesn't come under the DPA), or securely disposed of. 

6. Data subjects (or participants) can meaningfully exercise their right to object to the processing of data, on the grounds that it would cause them significant damage or distress. 

7. The institution makes plans for additional technical and organisational changes that may be needed to enable it to comply with the European General Data Protection Directive. 

Protection of personal data: further resources

a. Data Protection Act (1988), available at: www.legislation.gov.uk/ukpga/1998/29/contents

b. Data Protection Act (1988), Section 33 (the ‘research exemption’), available at: www.legislation.gov.uk/ukpga/1998/29/section/33

c. Data Protection Report (blog), available at: www.dataprotectionreport.com

d. University of Edinburgh (n.d.) ‘Researcher’s Guide to the Data Protection Principles’, available at: www.ed.ac.uk/records-management-section/data-protection/guidance-policies/research-and-the-data-protection-act/guide-principles

e. Jisc Legal (n.d.) ‘Data Protection’, available at: www.jisclegal.ac.uk/LegalAreas/DataProtection.aspx

f. Jisc Legal (n.d.) ‘Code of Practice for the HE & FE Sectors on the DPA’, available at: www.jisclegal.ac.uk/Portals/12/Repository/Data Protection Code of Practice for FE and HE.pdf

g. UK Data Archive (n.d.) ‘Overview of Anonymisation’ available at: www.data-archive.ac.uk/create-manage/consent-ethics/anonymisation

h. Information Commissioner’s Office (n.d.) ‘Topic Guide on Anonymisation’, available at: ico.org.uk/for-organisations/guide-to-data-protection/anonymisation/

i. Jisc legal (n.d.) ‘Data Protection Regulation’ available at: www.jisclegal.ac.uk/ManageContent/ViewDetail/ID/2308/Data-Protection-Regulation.aspx

j. European Data in Health Research Alliance (2015) ‘Frequently Asked Questions’, available at: www.datasaveslives.eu/faqs-and-glossary/

k. Jisc Legal (2014) ‘Data Protection and Research Data: Questions and Answers’, available at: http://goo.gl/HfCqZM

2. Freedom of Information (FOI) and Environmental Information (EIR)

Higher Education Institutions (HEIs) in the UK have a legal duty to comply with freedom of information (FOI) legislation. This legislation promotes greater openness and accountability in public bodies, which include HEIs, despite their increasing income from private and charitable sources.  It gives a general right of public access to all forms of ‘recorded’ information held by public authorities, sets out exemptions from that general right, and places a number of obligations on public authorities. Note that Scotland and the rest of the UK have different FOI legislation.  There is also separate, and stronger, legislation covering information of relevance to the environment - the Environmental Information Regulations 2004 and Environmental Information (Scotland) Regulations 2004. See Further Resources below for more guidance.

FOI is a wide ranging and multi-faceted requirement which is relevant to staff at all levels of your institution, including researchers and support staff. Under the legislation, HEIs have two main responsibilities: providing a publication scheme and handling requests for information.

Publication Schemes

HEIs should adopt and maintain a Publication Scheme (typically on the web). This links to documents proactively made available to the public by the HEI. Your institution is likely to provide this centrally.

Requests for information

The second main responsibility of HEIs is to respond to requests for information. This is extremely wide-ranging although so are the possible exemptions. The applicant requesting the information can be an individual or organisation from anywhere and does not have to be the subject of the information or be affected by its holding or use.  Applications must be made in writing but are not required to mention the legislation. Requests must be dealt with promptly within a maximum time frame of 20 working days. See Further Resources (g) for more detail.
 

Box 4. Definitions of ‘information’ and ‘datasets’ in FOI and EIR

Information can include “any recorded information …a public authority may hold. This includes information held on computers, in emails and in printed or handwritten documents as well as images and video and audio recordings. A request may be written in the form of a question, rather than a request for specific documents; it may be addressed to any person in a public authority. For a request to be valid for the purposes of FOI, the request must be made in writing, state the name of the applicant and an address for correspondence and describe the information requested. Under the EIR, verbal requests are also valid.” Note that the research data or information ‘held’ may include that which is funded by a HEI or produced under contract with it. See further guidance (b).

Dataset is defined in section 6 of the Protection of Freedoms act as follows:

“ ‘dataset’ means information comprising a collection of information held in electronic form where all or most of the information in the collection (a)has been obtained or recorded for the purpose of providing a public authority with information in connection with the provision of a service by the authority or the carrying out of any other function of the authority, (b) is factual information which—(i) is not the product of analysis or interpretation other than calculation, and (ii) is not an official statistic …and (c) remains presented in a way that (except for the purpose of forming part of the collection) has not been organised, adapted or otherwise materially altered since it was obtained or recorded.” See further guidance (c).

Environmental information is very broadly defined in the legislation, and could include research data, for example where it consists of “… written, visual, aural, electronic or any other material on… the state of the elements of the environment, such as air and atmosphere, water, soil, land, landscape and natural sites including wetlands, coastal and marine areas, biological diversity and its components…”. See further guidance (j).

Exemptions – absolute and qualified

The legislation tends to presume in favour of disclosure, although there are exemptions. The most relevant exemptions for research data professionals are likely to be data or information that has one or more of these characteristics:

  • produced in research intended for future publication;
  • people’s health and safety would be affected by its disclosure;
  • commercial interests of any person or organisation would be prejudiced;
  • it contains personal data.

The exemptions fall into two categories: absolute and qualified.

Absolute exemptions are cases where the information seeker’s request can be disregarded. Examples of these include data or information that has one or more of these characteristics:

  • otherwise accessible e.g. in your institution’s publication scheme, or institutional repository;
  • confidential material whose disclosure would lead to an action for breach of confidence (marking it as ‘confidential’ is not enough to fit this exemption);
  • personal information covered by data protection regulations, which still need to be upheld (if in doubt consult your FOI officer).

Qualified exemptions include unpublished research and are invoked on a case-by-case basis through a two-stage procedure

  1. Institution decides whether the exemption could be used.
  2. Institution applies the ‘public interest’ test to decide whether disclosing the information is more in line with the public interest than applying the exemption. 

Exemption for unpublished academic research

The exemption for academic research prevents the premature disclosure of research data genuinely intended (rather than just vaguely planned) for publication. This is exempt from disclosure if it relates to information obtained in the course of, or derived from, a programme of continuing research that is intended for future publication. A further subsection, however, provides that the information will be exempt only if disclosure would, or would be likely to, prejudice a matter listed in that subsection. Check with your institution’s FOI practitioner for help with this.

Datasets

The Protection of Freedoms Act 2012 (POFA) changed FOI legislation in England, Wales and Northern Ireland (but not Scotland). Under the new act, public authorities must proactively release datasets in a reusable format. The creation of this new ‘right to data’ means that datasets requested from public authorities must be provided in a useable format and thereafter published on a regular basis through the publication scheme, ensuring that all data published by authorities is made available in an open and standardised format so that it can be used easily and with minimal cost by third parties.

The new provisions are about how information is released, rather than what information is released.  They only relate to information that the institution holds as a dataset (as defined earlier).  There is no new duty to provide any information in response to an FOIA request that was not previously accessible, and there are no new exemptions from that duty in POFA. Any of the exemptions available offer a route to deciding that releasing a dataset would be ‘inappropriate’.

Institutions can also take into consideration other factors to decide whether it is ‘reasonably practical’ to convert a requested dataset into a reusable form. The legislation does not define ‘reasonably practical’ but the Information Commissioner’s Office (ICO) guidance says relevant factors may include the time and cost of conversion, technical issues and the resources of the public authority3. POFA also allows data-holding institutions to charge for the fulfilment of requests for datasets. 

Freedom of Information: Checklist

1. The institution has data governance processes in place to deal with FOI requests for research data, and relevant support staff are aware of applicable exemptions. 

2. The institution is responsible for categories of research information or that fit the FOI definition of a ‘dataset’. 

3. Researchers are given appropriate guidance on the application of FOI to data, including the applicable exemptions.

Freedom of Information: further resources

a. ICO ‘Freedom of information and environmental information regulations’, available at: ww.ico.org.uk/for-organisations/guidance-index/freedom-of-information-and-environmental-information-regulations/

b. ICO (n.d.) ‘FOI Legislation and Research Information: Guidance for the HE Sector’, available at: https://ico.org.uk/media/for-organisations/documents/1133/foi-legislation-and-research-guidance-for-the-higher-education-sector.pdf

c. ICO (n.d.) ‘Guidance on FOI and Datasets’, available at: www.ico.org.uk/news/blog/2013/~/media/documents/library/Freedom_of_Information/Detailed_specialist_guides/datasets-foi-guidance.pdf

d. ICO (n.d.) ‘FOI Definition Document for Universities and other HEIs’, available at: www.ico.org.uk/news/current_topics/~/media/documents/library/Freedom_of_Information/Detailed_specialist_guides/definition_document_for_universities_and_higher_education_institutions.pdf

e. University of Edinburgh (n.d.) ‘'Freedom of Information in Scotland and the rest of the UK’, available at: www.ed.ac.uk/schools-departments/records-management-section/freedom-of-information/about/scotland-uk

f. Jisc (2010) ‘Freedom of Information and Research data: Questions and answers’ - Andrew Charlesworth and Chris Rusbridge, available at: www.jisc.ac.uk/publications/programmerelated/2010/foiresearchdata.aspx

g. ICO (n.d.) ‘Guidance on the exemption for information intended for future publication’, available at:  ico.org.uk/media/for-organisations/documents/1172/section_22_information_intended_for_future_publication.pdf

h. ICO (n.d.) ‘ Guidance on commercial Interests exemption’, available at: - ico.org.uk/media/for-organisations/documents/1178/awareness_guidance_5_v3_07_03_08.pdf

i. ICO (n.d.) ‘Guidance on how to apply the FOIA exemption relating to personal data’, available at: