
Update: 25 May 2018

May 2018

We have received an update on GDPR from CTRG. Below are the main points from their email:

CTRG will update their templates and also provide guidance to research teams. As they did when the HRA approval system came in, CTRG are planning a series of talks and workshops for departments and groups. Further information to follow.

Applying to CUREC

CUREC 1, CUREC 2 and CUREC 3 Research Ethics application forms have been updated to reflect the requirements of the new General Data Protection Regulation (GDPR), which takes effect on 25 May 2018.  The revised forms are available from the CUREC website and now ask for more specific information about how researchers plan to collect, manage and store personal data associated with their research. 

> Revised guidance about Data Protection and Research, incorporating GDPR requirements, has been prepared by the University’s Information and Compliance Team https://researchsupport.admin.ox.ac.uk/policy/data  

This guidance also includes a checklist for researchers to consider when preparing an application to the Medical Sciences Interdivisional Research Ethics Committee (MS IDREC) and drafting information for participants in research projects.  

The new forms are introduced with immediate effect and must replace any versions you may have stored locally. Please bear in mind that applications for ethical review using previous versions of the forms cannot be accepted after 30 April 2018.

Further advice from the University

The university is working to ensure that its data processing (administrative as well as research related) is compliant with GDPR and the supplementary UK legislation, the Data Protection Act 2018. (Again, the bill is under review and not yet legislation.)

> This university information is behind Single Sign On https://www1.admin.ox.ac.uk/councilsec/compliance/dataprotection/gdpr/resources/

What will the major changes be for researchers?

Little will change for researchers who are already working in compliance with the Data Protection Act 1998. The principles of data protection remain the same, with just more focus on transparency and documenting compliance. Getting only the data you need, anonymising as soon as possible, and letting people know what you are collecting, and for what purpose, remain the same.

What about consent and processing?

There are no changes to consent requirements, as the ‘legal basis’ for processing data in research is “performance of a task carried out in the public interest (public task)” (GDPR Article 6(1)(e)).

Work involving “special categories” of data (such as health data) requires a further justification as per GDPR Article 9(2)(j): “processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.”

Advice from HRA

Oxford University is still awaiting information from the HRA on GDPR and the Data Protection Act 2018, since many projects will be under their purview. 

The HRA have published some operational and background guidance, though this requires updating. In particular, links to the MRC and ICO are especially helpful as background reading.

The HRA plans to provide a ‘privacy notice’ to be included in current projects. Since it comes from them, it can be added without requiring amendment or their approval.

University Data Privacy Notices for students, staff, applicants and alumni have now been published here:

https://www1.admin.ox.ac.uk/councilsec/compliance/gdpr/privacynotices/

If you process data under any of these categories, please take a look. The next time you email your data subjects, please draw their attention to the new notices - you do not need to send them a separate email about this.

If you process personal data from groups not covered by the standard Privacy Notices you will need to write your own using the toolkit provided here:

https://www1.admin.ox.ac.uk/councilsec/compliance/gdpr/guidance/privacynoticetoolkit/

Start with the guidance itself:

https://www1.admin.ox.ac.uk/media/global/wwwadminoxacuk/localsites/councilsecretariat/oxonly/documents/How_to_write_a_Privacy_Notice.pdf

The University is very happy with progress so far on GDPR compliance, and doesn't expect everything to be completed by the deadline. So please take your time to review the Notices and Guidance and get things right. If you need help, please contact your data privacy rep or anne.bowtell@medsci.ox.ac.uk