European Union General Data Protection Regulation
What is the GDPR?
The General Data Protection Regulation (GDPR) is a data protection law that applies broadly to the processing of personal information of individuals by organizations established in the European Economic Area (EEA) (which includes countries in the European Union (EU) plus Iceland, Liechtenstein and Norway), regardless of where the processing takes place; and by organizations outside the EU/EEA, where those activities are related to offering of goods or services to individuals in the EU/EEA, or monitoring of behavior of individuals that takes place in the EU. Generally speaking, the regulation applies to all personally identifiable data that are collected, used, stored, or otherwise processed about covered individuals by any method, including electronic and paper records.
How does GDPR apply to human subjects research?
The GDPR relates to human subjects research by:
- Establishing the circumstances under which it is lawful to collect, use, disclose, transfer, destroy, or otherwise process identifiable research data that are covered by GDPR, and the circumstances under which it is lawful to transfer research data outside of the EU/EEA.
- Establishing certain rights of research subjects over their data, including rights to access, amendment, and erasure.
- Requiring researchers to implement data security measures that are appropriate to the risks posed by the processing of those data.
- Requiring notification to data protection authorities, and possibly affected individuals, of personal data breaches, including the accidental or unlawful destruction, loss, alteration, or disclosure of research data.
What is "personal data" under GDPR?
"Personal data" refers to any information that relates to an identified or identifiable natural person, i.e. an individual, not a company or organization. Under GDPR, the terms "identified" and "identifiable" cover a broader spectrum of information than the corresponding terms in other research regulations, e.g. the Common Rule and HIPAA. Examples of identifiable data under GDPR include names, email addresses, IP addresses, cookie numbers, voice or image recordings, dates unique to an individual, e.g. birthdates and appointment dates, and locations, e.g. physical address and GPS information. Other examples include combinations of information that may be used to identify an individual, such as combining information about a person's place of employment, amount of education, marital status, and place of birth.
- GDPR and Coded Data
GDPR uses the term "pseudonymized" to refer to data that can no longer be attributed to a specific individual without use of additional information; this can be achieved by removing identifiers directly from data and linking the data to identifiers via codes, e.g., coded data, provided that appropriate measures are in place to ensure that individuals cannot be re-identified. Under GDPR, pseudonymized data are still considered personal/identifiable and must comply with GDPR.
- GDPR and Anonymized Data
GDPR does not apply to data that have been fully anonymized. Anonymized data are defined as information that is "rendered anonymous in such a manner that the data subject is not or no longer identifiable" based on “whether means are reasonably likely to be used to identify” the individual. This is a fact-specific inquiry that takes into account available technology and the cost and time required to identify the individual. Accordingly, depending on the facts and circumstances, key-coded data may not be considered fully anonymized under GDPR.
- GDPR and Data Minimization
Processing of personal data for research purposes is subject to the principle of data minimization under the GDPR, which means that personal data should only be processed to the extent that, and for so long as, they are necessary in relation to the purposes for which they are collected. GDPR specifically requires researchers to pseudonymize or anonymize personal data to the extent consistent with the objectives of the research.
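The coded-data, anonymization and data-minimization points above, as an added illustration that is not part of the original guidance: the records, field names and subject codes are constructed for the example. It shows that key-coded data are re-linkable as long as the key table exists, and that destroying the key table does not by itself make data anonymous when a combination of remaining fields is unique to one subject.

```python
import secrets
from collections import Counter

# Constructed sample records (not real subjects): direct identifiers mixed with study data.
SAMPLE_RECORDS = [
    {"name": "A. Example", "email": "a@example.org", "ip": "203.0.113.5",
     "birth_year": 1990, "postcode": "1011", "score": 42},
    {"name": "B. Example", "email": "b@example.org", "ip": "203.0.113.6",
     "birth_year": 1990, "postcode": "1011", "score": 37},
    {"name": "C. Example", "email": "c@example.org", "ip": "203.0.113.7",
     "birth_year": 1975, "postcode": "2000", "score": 51},
    {"name": "D. Example", "email": "d@example.org", "ip": "203.0.113.8",
     "birth_year": 1975, "postcode": "2000", "score": 48},
]
DIRECT_IDENTIFIERS = ("name", "email", "ip")  # assumed set of direct identifiers


def pseudonymize(records, study_fields):
    """Split each record into a coded study record and a key-table entry.

    Only ``study_fields`` are retained in the study data (data minimization);
    direct identifiers go to the key table, which must be stored separately
    from the study data and protected (e.g. encrypted, restricted access).
    """
    coded, key_table = [], {}
    for rec in records:
        code = secrets.token_hex(8)  # random code, not derivable from the identifiers
        key_table[code] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
        coded.append({"code": code, **{f: rec[f] for f in study_fields}})
    return coded, key_table


def reidentify(coded, key_table):
    """With the key table, coded records are re-linked to identities, which is why
    pseudonymized data still count as personal data under GDPR."""
    return [{**key_table[r["code"]], **r} for r in coded]


def min_group_size(records, quasi_fields):
    """Smallest number of records sharing one combination of the given fields.

    A result of 1 means at least one subject is unique on that combination, so
    the data are not anonymized merely because the key table was destroyed.
    """
    counts = Counter(tuple(r[f] for f in quasi_fields) for r in records)
    return min(counts.values())
```

Run `min_group_size` over the coded data with the field combinations you intend to release; a result of 1 is the signal to generalize or drop fields before treating the data as anonymized.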
What is a “legal basis” for processing personal data under GDPR?
Processing of personal data is only lawful under GDPR if one of a limited number of legal bases explicitly set forth in the law applies to the processing. In most cases, the legal basis for academic research will be the “legitimate interests” of the researcher. This requires a fact-specific balancing to ensure that the legitimate interests of the researcher in performing academic research are not overridden by the fundamental rights and freedoms of individuals, particularly if children are involved. Informed consent can also be a legal basis for processing of research data (see further discussion below).
What are “special categories” of data under GDPR?
The GDPR considers the following information to be “special categories” of data:
- Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership
- Genetic or biometric data
- Data concerning health, sex life, or sexual orientation
The processing of special categories of data is prohibited under GDPR unless a specific exception applies. In the research context, special categories of data may be processed for public health activities, scientific and historical research, statistical purposes, and matters of substantial public interest, in each case, to the extent such processing is based on EU or member state law.
In many cases, subjects’ explicit consent will be required to collect information from these special categories of data where no other exception applies. Consent should be given by a clear affirmative act establishing a freely given, specific, informed, and unambiguous indication of the subject’s agreement to processing of the special categories of data. This agreement could include signing a form, ticking a box on an Internet site, or providing verbal agreement. Silence, pre-ticked boxes, or inactivity would not constitute consent. Subjects must have the right to easily withdraw their consent at any time.
In addition, note that processing of personal data relating to criminal convictions and offenses is prohibited under the GDPR unless it is being carried out by a public authority or as authorized under EU or member state law.
What should I do to ensure my research will be GDPR compliant?
- Ensure and document that you have a legal basis under GDPR for the collection and use of personally identifiable information, and that an exception applies if you are processing special categories of data.
- Collect only the minimally necessary data needed to complete the study. Identifiers should be collected only if necessary. (NOTE: Qualtrics collects IP addresses by default. Select Anonymize Response to prevent Qualtrics from collecting IP addresses).
- Ensure the subject notification and/or consent form(s) is compliant with GDPR requirements (see discussion below).
- Use NYU GDPR-approved online data collection or storage platforms, such as NYU Qualtrics or NYU Box.
- Use NYU-owned electronic devices, e.g., computers, jump drives, audio recorders, or physical facilities, e.g., campus offices, to store data. Personal devices, e.g., personal cell phones, personal laptops, and personal physical facilities, e.g., home offices, should not be used to store data.
- Ensure that data are pseudonymized, i.e., coded, and, if applicable, encrypted, as soon as possible.
- Ensure that you can respond to subjects’ requests to act on their rights, e.g., rights to access, transfer, amendment, or erasure (see discussion below).
- Ensure you can comply with requirements to report data breaches (see discussion below).
What must be included in subject notification/consent forms?
If you are not relying on consent as the legal basis for the research (or as the exception to processing of special categories of data), then subjects need only be notified of certain information (active consent is not required), including:
- The identity of the Principal Investigator.
- The categories of data that are being collected, the purposes for which the data will be used, and where the data originated (if not obtained directly from the data subject).
- The length of time that personally identifiable information will be kept.
- Their rights under GDPR, including:
  - The right to request access to the personally identifiable information, as well as the right to request correction of any information that is inaccurate or incomplete.
  - The right to request a copy of personally identifiable information in electronic format so that data can be transmitted to third parties or directly to the subject.
  - The right to request that personally identifiable information no longer be used for the purposes of the research, including if the subject withdraws from the study.
  - The right to request erasure of personally identifiable information, as well as the right to restrict processing of information to certain limited purposes where erasure is not possible.
- A statement that their rights may be limited in order to ensure the integrity of the study and for the research to be reliable and accurate.
- The researchers’ legal basis under GDPR for the collection and use of personally identifiable information.
- A description of any Internet platforms or services, e.g., Qualtrics.com or Box.com, or offline service providers that may process their data on behalf of NYU or other third parties to whom data may be disclosed.
- A statement acknowledging that personally identifiable information will be transmitted to NYU researchers in the United States, or to other countries outside of the EU/EEA where data protection laws may not be as strong as the laws in the EU/EEA.
- A description of any automated decision-making or profiling that is performed using the data.
- A description of how they can exercise their rights, including:
  - The contact information for the Principal Investigator.
  - The contact information for the NYU Data Protection Officer (DPO).
  - The contact information for the Data Protection Authority (DPA) in the subjects’ country. See the list of national DPAs.
If the subjects’ consent will be obtained (see discussion above), in addition to all of the information included in the notification (see list above), the consent information should include:
- The types of special categories of personal data that will be collected.
- A mechanism for subjects to freely give their unambiguous consent, e.g., signature or ticking a box on an Internet site.
- Notice that the individual has the right to withdraw his or her consent at any time.
The GDPR notification/consent information should be presented separate from the research study consent form, i.e., GDPR information should not be integrated into the research consent form.
Under GDPR, what should I do if my study includes personal data from children?
If the child subjects are competent to understand and act on their rights under GDPR, then they should be presented with the GDPR notification/consent. In this case, the children have the rights under GDPR, not the parents. The determination of whether the child subjects are competent may depend on the law of the EU/EEA state and on their age, maturity, status, or condition. The notification/consent language should be appropriate for the age and developing capacities of the children. Note that the GDPR notification/consent is separate from the research study consent/parental permission. For some studies, parents may be required to give parental permission for their child to participate in the study, but they would not be required to be notified of their child’s rights under GDPR.
If the child subjects are NOT competent to understand and act on their rights under GDPR, then their parents should also be provided with the GDPR notification/consent. In some cases, such as for studies involving very young, pre-literate children, only the parent must be provided with the GDPR notification/consent. If the researcher maintains an ongoing research relationship with the child subjects, e.g., multi-year, longitudinal research, then the researcher should provide the children with the GDPR notification/consent once they are able to understand the information.
What should I do if a subject exercises their rights under GDPR, e.g., rights to access, transmission, amendment, or erasure?
If a subject contacts you about exercising their rights under GDPR, you should first verify their identity. If you have reasonable doubts concerning the identity of the individual making the request, you may request additional information to confirm their identity. After verifying their identity, you should attempt to accommodate the subject’s request regarding their data. Generally, GDPR requires that requests be accommodated without undue delay and in any event within one month of receipt.
If you are unable to accommodate their request, e.g., because it may jeopardize the integrity of the study, notify the NYU IRB and the NYU Data Protection Officer as soon as possible. Include the following information:
- IRB study number, e.g., IRB-FY2019-1234.
- A description of the subject’s request; if applicable, include a copy of the email or letter from the subject.
- A justification for why you cannot accommodate the request, e.g., why accommodating the request would jeopardize the integrity of the study.
What should I do if there is a breach of personal data?
GDPR has strict rules regarding reports of data breaches. In some cases, NYU must report data breaches to EU GDPR supervisory authorities and/or affected individuals within 72 hours of discovery of the incident. If you discover a breach, immediately notify the NYU IRB and the NYU Data Protection Officer. Include the following information:
- IRB study number, e.g., IRB-FY2019-1234.
- Description of the breach, e.g., What happened? How did the data breach occur?
- Description of the personal data, e.g., nature of data, volume/amount of data, number of subjects involved.
- Assessment of risks and consequences to subjects.
- Proposed measures to address breach, including, where appropriate, measures to mitigate possible risks or consequences. These measures should NOT be implemented until further notification from the IRB or Data Protection Officer.
The NYU IRB and Data Protection Officer will assess the breach and notify you of any additional required actions, if applicable.
Does research involving data collected from Internet surveys fall under GDPR?
GDPR may apply if personally identifiable data is being collected through Internet sites from subjects while they are in the EU/EEA. If you are unsure whether subjects may be in the EU/EEA and if identifiable data will be collected, then it may be necessary to add a question to the beginning of the survey asking if subjects are in the EU/EEA. The EU/EEA subjects can then either be provided with the GDPR notification/consent or prohibited from completing the survey.
To avoid collecting identifiable data from Qualtrics, the Anonymize Response option must be selected. This option prevents Qualtrics from collecting Internet Protocol (IP) addresses, which are identifiers under GDPR.
What if I’m collecting personal information under GDPR that isn’t covered by IRB regulations, i.e., does not constitute “human subjects research?”
Some data may be covered by GDPR as personal information but do not meet the definition of “human subjects” under IRB regulations. For instance, using publicly available social media posts from individuals in the EU may fall under GDPR, but would not fall under IRB regulations, because the data do not constitute “identifiable private information.” In these cases, please review the Guiding Principles on the Applicability of the GDPR when Using Publicly Available Data for Research; as long as all of the data are publicly available, you do not need to contact the NYU IRB or submit for IRB approval.
What if I have additional questions about GDPR for human subjects research?
If you have additional questions about GDPR, contact the NYU IRB.