Lawfulness: First and foremost, all of the personal data processing that you do must not break the law. Clearly, the processing of personal data for the purposes of criminal activity would be unlawful. However, processing may also be unlawful if it results in:
- a breach of a duty of confidence. Such a duty may be stated, or it may be implied by the content of the information or because it was collected in circumstances where confidentiality is expected – medical or banking information, for example;
- your organisation exceeding its legal powers or exercising those powers improperly;
- an infringement of copyright;
- a breach of an enforceable contractual agreement;
- a breach of industry-specific legislation or regulations;
- a breach of the Human Rights Act 1998. The Act implements the European Convention on Human Rights which, among other things, gives individuals the right to respect for private and family life, home and correspondence.
Lawful Basis under GDPR
GDPR also requires that you have a valid lawful basis in order to process personal data. There are six available lawful bases for processing (GDPR Article 6(1)(a)-(f)). No lawful basis is 'better' or more important than the others; which basis is most appropriate will depend on the purpose of the data processing.
Fairness: You must use people's personal data only in ways they would reasonably expect and that will not give rise to any unjustified adverse effects for the person involved. Fairness also requires that you ensure people understand how you intend to use their data and that what you do in practice matches what you have said.
Transparency: This requires that you inform people clearly, in understandable language, how you intend to use their personal data.
Purpose limitation: Data can only be used for the specific processing purpose that the subject has been made aware of, and for no other purpose without further consent.
Data minimisation: Data collected on a subject should be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed", i.e. no more than the minimum amount of data needed for the specific processing should be kept.
Organisations should only process the personal data that they actually need in order to achieve their processing purposes.
Accuracy: Data must be "accurate and, where necessary, kept up to date". Data holders should build rectification processes into their data management and archiving activities for subject data.
Storage limitation: Personal data should be "kept in a form which permits identification of data subjects for no longer than is necessary", i.e. data that is no longer required should be removed.
- GDPR Article 5(2) requires that the data controller "be responsible for, and be able to demonstrate, compliance with the principles".
- All employees, researchers or students in an organisation who collect and/or control the content and use of personal data are individually responsible for compliance with GDPR.
- What personal data is being collected, processed and stored?
- How has the personal data been obtained?
- What is the legal basis for collecting, processing and storing each of the personal data sets?
- How is the data being processed?
- Who can access the data?
- What security measures are in place?
- Systems to facilitate access to data, correction of errors, timely deletion of data and removal of data on request
- Comprehensive but proportionate governance measures (including maintenance of documentation on data processing activities)
- Effective communication and/or training programmes to ensure that staff who collect and process personal data are aware of their GDPR obligations
GDPR Article 5
GDPR Recitals 26 and 39
This guidance has been prepared by the HRB to help researchers in the health domain comply with GDPR requirements.
It is intended to be general guidance for educational and informational purposes only.
It is not legal advice.