ETHICS AND DATA PROTECTION

Data protection is both a central issue for research ethics in Europe and a fundamental human right being linked to autonomy and human dignity, and the principle that everyone should be valued and respected. In research settings, data protection imposes obligations on researchers to provide research subjects with detailed information about what will happen to the personal data that they collect. It also requires the organisations processing the data to ensure the data are properly protected, minimised, and destroyed when no longer needed.

Depending on the setting or information in question, the failure to protect personal data against loss or misuse can have devastating consequences for the data subjects. It may also have serious legal, reputational and financial consequences for the data controller and/or processor. Particular attention should be paid to research involving special categories of data (formerly known as ‘sensitive data’), profiling, automated decision-making, data-mining techniques, big-data analytics and artificial intelligence, as such processing operations may pose higher risks to the rights and freedoms of data subjects. The fact that your research is legally permissible does not necessarily mean that it will be deemed ethical.

When developing and implementing your proposal, it is your responsibility to identify the appropriate legal provisions and ensure compliance. Comprehensively addressing data protection issues in your research proposal, which will become part of your contract if selected for funding, can make an important contribution to the accountability of the project. Note that in addition to the GDPR (EU’s 2016 General Data Protection Regulation) national legislation or related EU measures could also apply to your research.

Ethical aspect of the project

All topics with personal data (including illustrative videos) are covered by the Data Protection Act GDPR. In order to ensure that the project does not err on ethical issues, it would be wise to consult a local data and ethics protection specialist.

Each institution has its own set of rules for conducting research; in order to be correct, each partner must review its guidelines. Some procedures require informed consent, in other cases the permission of the ethics committee is required.

At Tallinn University ethics review is necessary if:

• The research involves individuals disregarding of the principle of informed consent (including toddlers and disabled people who cannot be asked for informed consent).
• The research involves minors (persons younger than 18 years) in a way that actively involves them in data collection and whose parents or caretakers are not asked for informed consent, which would make it possible for them to prevent the child's participation in the research.
• Conducting the research may result in endangering the safety and wellbeing of the research participants (including those conducting the research) and their relatives (special attention should be paid to handling sensitive topics and involving vulnerable groups, including detainees, minorities, etc.).
• Participation in the research carries a risk to the mental and emotional wellbeing of participants and/or their relatives (including those conducting the research) which exceeds the risk inherent in everyday life.
• Participation in the research results in a significantly stronger stimuli impact on the subject.
• The research deals with a sensitive topic.
• If the research is based on a special category of personal data or data which allows identification of the data subject, including the risk that the big data used is indirectly identifiable or able to be de-anonymised.

And if there is no need for ethics committee decision then you can just write:

None of the above criteria were present in the current study, so ethics review was not sought. The current study followed the procedure of informed consent and the participant’s rights were upheld at all times.

Ethical aspects to consider during planning

In your planning process try to imagine ethical issues that may arise during research and how to prevent or solve them. Pay special attention to risks and obstacles: if a large number of people refuse to participate, if you lose data, if it takes remarkably longer to collect data, etc. Which measures are taken to ensure respect to participants’ privacy and data protection? Possible conflicts of interest and subjectivity statement (researcher clarifies his/her connection to the research/participants).

• Potential ethical risks and their minimization.
• Possible inconveniences, dangers, side effects and burden on the subject, their minimization.
• Possible risks to the researcher, their minimization.
• Who benefits from the study and how?
• Does the study result in intellectual property, how have intellectual property issues been resolved?
• Potential conflicts of interest.
• Cultural constraints that may affect the experiment: language issues, cultural aspects of the particular class/school/country, the previous collaboration between the researchers and/or between researchers and teacher.

There is stronger legal protection for more sensitive information, such as:

• race
• ethnic background
• political opinions
• religious beliefs
• trade union membership
• genetics
• biometrics (where used for identification)
• health
• sex life or orientation

Data management

If personal data are processed in the course of the survey, describe the data protection issues and their solutions, paying attention to the following aspects:

• If personalized data are used or a database is created, justify why this is necessary.
• How personal data is protected, where and for how long it is stored and who has access to it?
• If personal data are transferred to third parties (incl. to a foreign country), for what purpose this is done and how the transfer takes place.
• In the case of pseudonymous personal data, describe where and for how long the code key is kept and describe who has access to it.
• If more than one institution is involved in the survey, indicate who manages the single database and / or is the controller of the personal data.
• Storing anonymous data - describe where and for how long and who has access to it.
• Describe the data protection measures to be applied in case of recording or filming.
• Describe the data destruction procedure.

If it is intended to process personal data without the data subject's consent, please justify the following: why it is impossible to obtain the data subject's consent and why the collection of personal data is indispensable; how to ensure that the processing of personal data does not infringe the rights of the data subject.

AN EXAMPLE:

ETHICS

• Researchers ensure respect for people and for human dignity, fair distribution of research benefits and burden and protecting the values, rights and interests of the project participants.
• Researchers also ensure that the project methodologies do not result in discriminatory practices or unfair treatment.
• Benefits are maximized and harm/risks minimized.
• Researchers ensure that data are kept securely and that publication (including publication on the internet) does not lead (either directly or indirectly) to a breach of agreed confidentiality and anonymity.
• It is understood that all collected material will be used in a legitimate manner in the X project and the researchers handling the data shall strive to not cause any harm or undue embarrassment to the parties involved.

THE DATA

Project X is committed to being transparent about how it collects and uses the data and to meeting its data protection obligations. This policy sets out the project's commitment to data protection, and individual rights and obligations in relation to personal data. The project will generate and collect video data, speech recordings, text documents, and metadata about individuals as far as is needed to meet the objectives of the project. All data generated within the project (regardless of the format or type) will be in line with the FAIR requirements for interoperability as required by the data centres where the data will be stored and made accessible.

1. Data protection principles
   Everyone responsible for using data follows the data protection principles which mean that the information is:
   • used fairly, lawfully and transparently
   • used for specified, explicit purposes
   • used in a way that is adequate, relevant and limited to only what is necessary
   • accurate and, where necessary, kept up to date
   • kept for no longer than is necessary
   • handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage

    

   During the X project the following data collection methods will be used for collecting the described types of data:

   • Quantitative data – questionnaires, surveys, activity logs from online participation, trace data from using technical devices
   • Qualitative data – video/audio recordings, interviews, focus group discussions
   The data will be collected by authorized researchers and assistants of the X project.

 

2. Rights
   The data collected belong to the X project. The Y University and partner universities manage the collected data on behalf to the project consortium and access is granted to the partners to use the data for research, study and demonstration purposes after proper anonymisation whenever required.

 

3. Confidentiality and data security
   Data is be use confidentially by the X project researchers. All collected data during the X project is treated with care to prevent potential breaches in privacy. We never store personally identifying information (such as names and addresses), while geographical information we do store will be sufficiently coarse grained to mean that it cannot be used to identify any one individual. Data we do release contains only this coarse grained information.
   The quantitative data collected during the project is fully anonymised prior any sort of publication, scientific or otherwise. Qualitative data such as interviews are anonymised prior any sort of publication whereas photos and video/audio recordings are only published after obtaining a required publication consent from the participants and only used for the project dissemination activities purposes (e.g., demonstrations in the project website).
   The data is stored at the X University and project partners servers in secure folders managed by the project researchers. The folder is shared for research and dissemination purposes with the project consortium partners when needed.

 

4. Documentation on data processing and content
   Quantitative data are maintained in the corresponding CSV matrix file and the changes to it are well documented, recording the version control as the file is updated with new entries. Data describing different processes (e.g., online participation logs, surveys results) is stored separately in corresponding files.
   Qualitative data are also described and stored according to their type (e.g. transcriptions, audio tapes and photographs) for each pilot session. The naming of the data files is systematic and consistent in order to facilitate data management during the research process.

 

5. Life cycle
   After the project ends and materials are produced the data created during the process will be archived at Tallinn University or partner universities and it can be used for further research re-use and study purposes.