Over the last couple of months, I have been working on a new study, which involves the collection of personal information. Once the theoretical and design foundation has been identified there was only one more thing to prepare, participants’ consent. While it may seem like a trivial task, and I have done it on few occasions in the past, it turned out that it can become cumbersome and time-consuming. It is, of course, not always the case. However, whenever we perform any research involving humans we must ensure that their privacy and rights are appropriately addressed. The researchers from European Union are legally obliged to present study participants with consent satisfying the General Data Protection Regulation (GDPR) requirements. Not to mention, that often such research requires ethical board approval. In this post, first I will briefly present the general consent requirements, and then shift the attention to consent for scientific purposes.
The general consent requirements are described in detail in the Article 29 Working Party, Guidelines on Consent under Regulation 2016/679. The document is accessible on the IAPP website. I recommend reading this document because it provides examples allowing a better understanding of valid consent requirements. Additionally, the document contains sections that I will not be discussing, such as consent for children.
General Consent Requirements
Overall, the Article 29 Working Party clarifies, that there are major four requirements:
- Consent must be freely given.
- When we provide the data subject with the consent, we must ensure that the consequences of disagreeing with it are clearly explained and that we provide the data subject with an option to withdraw at any time.
- Additionally, the data controllers must ensure that they reduce the risk of power imbalance, an issue applicable mostly to public authorities. The appropriate consent guarantees that some services are still available to people, regardless of the consent disagreement.
- The consent must be granular. It should describe all processing activities, and ask data subject to an agreement to each of them separately. As it is stated in Recital 32 This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data.
- Lastly, there is an issue of detriment. According to the new regulation, the data controller must guarantee that the data subject may refuse to consent without detriment.
- Consent must be specific.
- The Art. 6 of GDPR defines that the lawfulness of data processing may be achieved only if the data subject has given consent to the processing of his or her personal data for one or more specific purposes. Hence, as per Article 29 Working Party, the controller must ensure purpose specification as a safeguard against function creep, granularity in consent requests, and separation of information related to obtaining consent for data activities from information about other matters.
- Consent must be informed.
- This seems like a requirement that is easy to meet. However, the GDPR is rather strict in regards to the information that must be contained in the consent. In short, the consent must include:
- the controller’s identity
- the purpose of each of the processing operations for which consent is sought
- what (type of) data will be collected and used
- the existence of the right to withdraw consent
- information about the use of data for decisions based solely on automated processing including profiling, in accordance with Article 22(2)
- if the consent related to transfers, about the possible risks of data transfers to third countries in the absence of adequacy decision and appropriate safeguard.
- Consent must be unambiguous.
- The data subject must understand that it agrees to the processing of personal data. This includes issues such as unnecessary interruptions that may occur in case of the electronic consent.
Well, that all seems rather easy. But what does it mean to the scientific research involving humans?
Consent for Scientific Research
The rules above apply to the scientific research consent. However, there are some exceptions guaranteeing researchers a little bit more freedom to collect and process data.
The GDPR Article 89 is dedicated to scientific, archival, and statistical data collection. According to the article, there are special safeguards that should be applied when data is collected for scientific purposes. This safeguards:
shall ensure that technical and organisational measures are in place in particular in order to ensure respect for the principle of data minimisation. Those measures may include pseudonymisation provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner.
Additionally, according to the article, in some circumstances, the EU may allow for derogation from some of the rights referred to in GDPR. These are the following Articles: 15 (Right of access by the data subject), 16 (Right to rectification), 18 (Right to restriction of processing), 19 (Notification obligation regarding rectification or erasure of personal data or restriction of processing), 20 (Right to data portability), and 21 (Right to object). The derogation enables researchers more freedom around collecting and processing the data. For instance, when data become anonymous after the collection is completed it would be impossible for the controller (researcher) to guarantee the data subject access to the information etc.
In Article 29 Working Party there is, however, a strict requirement to fully identify the purpose(s) of the data processing.
It is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research. Data subjects should have the opportunity to give their consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose.
Simultaneously, Recital 33 provides an exception for scientific research when purpose could not be specified by allowing for a more general form/description of the research purposes. This is, of course, not applicable to special categories of data (as defined in Article 9: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation).
In Article 29 Working Party, there is also another recommendation for the circumstances when data processing could not be specified. As a good practice, it is advisable to prepare a comprehensive research plan. Such a plan should be available for data subjects to take note of before they consent. The plan should contain information about the research questions and working methods.
Consent requirements fulfilled, it’s time to sit back and relax!
In this short writing, I was trying to clarify what are the requirements for scientific consent. Of course, I have not covered issues of sensitive data and the fact, that sometimes it is also necessary to acquire an ethical board approval. Still, I hope that I shed some light on the matter.
Also, I do realize, that in some instances, fully comply with the requirements would be difficult, hence the derogation provided in the GDPR. For instance, often it is impossible to provide in-depth details of the study, especially when performing psychological experiments. It could compromise the research, bias respondents, and lead to false findings. Hence, we have to be very careful when designing the study and preparing valid research consent.
Based on my experience, before you will start writing the consent I would advise you to think of the following:
- who will be subject to the study (for instance is it a minority, subgroup that would be easy to identify)?
- what data will be collected (will there be any sensitive or special category data)?
- how will you analyze the data (at the group or individual level)?
- if you think that you collect non-directly identifiable data, could anyone aggregate the data in a way, that may lead to the identification of a group or an individual?
- what safeguards are you going to implement (consider data minimization, anonymization, pseudonymization)?
- can you be transparent about your data processing?
- what security measures will you have in place?
- for how long you will store the data and where (are there any third parties included in processing or storing the data? If so, what are their policies)?
Once you answer these questions, follow the advice from the Article 29 Working Party and prepare your consent. If you are still unsure, talk to someone from your organization’s legal department to confirm whether the consent is valid. Also, remember to clarify who is the data controller and data processor in your research. You must provide their contact details. Similarly, you should provide the details of your local Data Protection Officer.
I hope you will find this short article helpful. If you want to find more information about the consent or General Data Protection Regulation, below I have provided few useful links.
I wish you valid consent, happy study participants, and incredible results!
Also, as always, I am looking forward to your comments about potential pitfalls of the GDPR compliant consent for scientific research – if you think there are any.
References and useful links
- European Commission. (2016). Regulation (EU) 2016/679 Of The European Parliament AND Of The Council of 27 April 2016. Official Journal of the European Union, (April).
- Union European. Article 29 Data Protection Working Party. Guidelines on Consent under Regulation 2016/679. (1995).