All of the research undertaken at BCU is underpinned by policies and procedures that ensure we comply with all of the regulations and legislation that govern the conduct of research. This includes data protection legislation: the General Data Protection Regulation (GDPR) and the Data Protection Act (DPA) 2018, which cover how we must handle your personal data.
1. What is research?
Research undertaken by BCU staff and student researchers who are studying towards a doctorate is intended to make an original contribution to knowledge by discovering something new or updating current knowledge on a topic. Research of this kind is typically published by the researcher in order to share that knowledge with others. Some students undertake research projects as part of a taught degree course. Although this activity may not produce an original contribution to knowledge, the University does still consider this research and will protect the data generated from this activity in the same way.
Some research may involve human participants and contain personal data from its participants. Therefore, research has a special status under the law. This means that we must appropriately protect any research data that we obtain that contains personal data.
2. What is personal data?
Personal data is any data that relates to you or identifies you as a living individual. This may be specific, such as your name, but also includes any data that it is possible to identify you from if it is combined with other information that is readily available.
For example, while data may not contain your name, if it does contain your postcode, gender and your workplace, it may be possible to identify you using this combination of information or this information combined with other information available elsewhere. As this is the case, we would treat this data as personal data and protect it accordingly.
Personal data also includes sensitive personal data (known as special category data under the law), which includes things such as race, sexuality, religious beliefs or physical or mental health status. If the study you are taking part in wishes to collect special category data about you, you will be informed in the participant information sheet and you must provide specific consent for this data to be obtained.
3. What is your Legal Basis for processing my personal data?
Data protection laws require BCU to have a valid legal basis for processing your personal data. As a publicly-funded organisation, we have to ensure that it is in the ‘public interest’ when we use personally-identifiable information from people who have agreed to take part in research. This is our legal basis for research and it means that when you agree to take part in a research study, we will use your data in the ways needed to conduct and analyse the research study.
If any other legal basis is being used for processing your data, such as consent, you will be made aware of this on the participant information sheet you receive prior to signing up for the study.
4. Who is responsible for my personal data?
When BCU manage research projects, we will act as the Data Controller, which means we will determine the purpose of collecting personal data and the manner in which is it done. As the Data Controller, we are responsible for complying with data protection laws.
In some cases, the organisation funding the research may be the lead on decision making regarding personal data, if this is ever the case it will be made clear to you on the participant information sheet you receive prior to signing up for the study.
5. What personal data will you use for your research?
The personal data that is obtained and processed for the purposes of research will depend on what the particular project you are involved in seeks to achieve. What is collected will always be proportionate to the needs of the project, as researchers can only collect the minimum amount of data needed for their research purpose.
Some data that we collect and process may be classed as ‘special category’ data. This data can sometimes be called sensitive data, which may include but is not limited to: your gender, ethnicity, sexuality or religious beliefs. Whether this kind of data is collected depends on the research project and you will be informed of what sort of information will be gathered about you on the participant information sheet you receive prior to the researcher asking for your consent. If you have any questions about the data that is being collected about you in a particular study, please ask the researcher managing the study.
6. Who will my personal data be shared with?
Your personal data will be shared within the team who are undertaking the project that you are involved in, however any data from the study that is published, will not be able to identify you.
It may sometimes be necessary to share your personal information with researchers outside of the University for the purpose of achieving the research outcomes, however if this is the case, you will be made aware of this on the participant information sheet you receive before taking part in the study.
In order to manage the personal data collected from all of the studies the University runs, a select and specific number of people outside of the research team will have access to your personal data. The Data Protection Officer will need access to your personal data in order to support you to apply your data subject rights in the event that you want to.
7. Will my data be used for more than one study?
On some occasions, particularly in health and social care research, when you agree to take part in a research study, the information about your health and care may be provided to researchers running other research studies in this organisation and in other organisations. These organisations may be universities, NHS organisations or companies involved in health and care research in this country or abroad. You will be informed of this on the participant information sheet before you consent to take part in the study, and your information will only be used by organisations and researchers to conduct research in accordance with the UK Policy Framework for Health and Social Care Research.
8. What safeguards are in place for protecting my personal data?
In order to protect the personal data we process about you, the University must have specific safeguards in place in order to protect your rights and freedoms. BCU has the following safeguards in place:
- Policies and procedures explaining to staff and students how to collect, use and store your information safely;
- Ethics committees to scrutinise and approve any research projects that involve personal data;
- Encrypted devices to obtain and store personal data;
- Digital systems to securely store electronic personal data;
- Secure storage for physical personal data
- A Data Protection Impact Assessment will be completed for high risk research projects
9. How long is my personal data kept for?
Any identifiable personal data will only be kept for the minimum amount of time necessary in order to carry out the research. For any data that can be anonymised, which means to remove the features that make the data identifiable to you, we ask that researchers do this as soon as possible. In some cases, we may not be able to anonymise your data as it is necessary for achieving the outcome of the research. In these cases, we will store your data securely and using the appropriate safeguards for the length of the project and for a defined period following the end of the project, based on our data retention policy.
Documents such as consent forms must be kept for a number of years after the research has been completed. This is so that we have a record of your participation in the event you wish to raise any issues or concerns with us about your participation in the research. This time period is also defined in our data retention policy, but can also be specified by the research funder.
You will be made aware of the length of time your personal information will be held for on the participant information sheet you receive prior to signing up for the study.
10. What are my rights concerning my data used in research?
Under the GDPR and DPA 2018, you have the following rights as a data subject:
- The right to be informed about the collection and use of your data;
- The right to erasure, or ‘the right to be forgotten’;
- The right to access your data;
- The right to rectification of inaccurate or incomplete data about yourself;
- The right to restrict processing of your data;
- The right to object to processing of your data.
These rights can be limited in research in cases when applying the right would prevent or impair the achievement of the research purpose. lease be aware once your personal data has been anonymised as part of our safeguarding we will not be able to action any data rights request as this is an irreversible process and the data in no longer classed as identifiable.
If you withdraw from the study, we will keep the information about you that we have already obtained. To safeguard your rights, we will use the minimum personally-identifiable information possible.
11. Who can I contact about my data?
If you have any questions about how we use your personal information, or wish to exercise any of your rights detailed above, please contact:
Data Protection Officer
Information Management Team
Joseph Priestley Building
Birmingham City University
6 Cardigan Street
12. How can I complain about the way my data is being handled?
We are dedicated to being compliant with data protection legislation. Any concerns or complaints regarding the security of research-generated personal data should, in the first instance, be raised with the University’s Data Protection Officer using the above details.
If it is felt that the complaint or concerns have not been dealt with satisfactorily, a formal complaint can be made to the University Secretary, please contact:
15 Bartholomew Row
Telephone: +44 (0) 121 331 7602
In the event that the complaint remains unresolved, the Information Commissioner’s Office can be contacted.
Information Commissioner’s Office
Tel: 030 123 1113
Changes to this privacy notice
This privacy notice may be updated from time to time so you may wish to check it each time you submit persona linformation to BCU. The date of the most recent versions will appear on this page (see version control). We encourage you to check our privacy notice from time to time to ensure you understand how your data will be used and to see any minor updates. If material changes are made to the privacy notice, for instance how we would like to use your personal data, we will provide a more prominent notice (including, for certain services, email notification or correspondence of privacy notice changes).
Updated: 11 October 2018