The General Data Protection Regulation (GDPR) requires all organisations collecting personal data to do so in a fair and transparent manner. Researchers are advised to note the guidance below.
City’s Data Protection Policy and legislative guidance
Researchers are advised to read City’s Data Protection Policy and find out about data protection legislation inforce in the UK and overseas.
City's data protection policy (internal access only) sets out staff and student responsibilities under the Act and how the legislation applies to research data.
Information about the GDPR is available on the City Staff Hub (internal access only).
if you are collecting research data outside the European Economic Area (EEA), you need to ensure you also comply with the data protection or privacy legislation for the country data collection takes place. Data Protection Laws of the World is a useful online source or you may contact the Information Compliance Team at firstname.lastname@example.org if you require further guidance.
Data protection factors to consider before designing an online survey
The following FAQs highlight the key data protection issues researchers should take in to account when designing an online survey.
Only collect the personal data you need to collect for your research. Under the legislation you must be able to justify why you are collecting the personal data.
You must be able to justify why you are collecting the personal data and the lawful basis for processing.
Detailed guidance is provided on City’s Research ethics forms and templates.
It is important to consider whether you are treating survey respondents fairly and lawfully at all times. It is one of the fundamental principles underpinning the data protection legislation.
Will the respondents object to how their personal data is used? How you told them all they need to know before completing the survey?
If you were the survey respondent, how would you interpret the information have provided? Look carefully at your questions from the survey respondent’s point of view? Is it a clear and accurate?
From May 25th 2018, there is a statutory requirement to provide the information below before you collect personal data from individuals if it is applicable.
Further guidance on fulfilling these provisions will be provided in due course at Information Compliance (internal access only).
- Identity and contact details of the controller (and where applicable, the controller’s representative) and the data protection officer, Dr William Jordan who can be contacted at DPO@city.ac.uk
- Purpose of the processing and the lawful basis for the processing. Detailed guidance is provided on City’s Research ethics forms and templates.
- The legitimate interests of the controller or third party, where applicable
- Any recipient or categories of recipients of the personal data
- Details of transfers to third country and safeguards
- Retention period or criteria used to determine the retention period
- The existence of each of data subject’s rights
- The right to withdraw consent at any time, where relevant
- The right to lodge a complaint with a supervisory authority
- Whether the provision of personal data part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal data
- The existence of automated decision making, including profiling and information about how decisions are made, the significance and the consequences.
- Withdrawal of research data: in addition to the requirements above, it is best practice to inform individuals if there is a date beyond which, personal data cannot be withdrawn from the survey, because it has been fully anonymized, this needs to be clear to individuals before they complete the survey.
- Free text boxes: if you use free text boxes, please inform individuals against providing additional sensitive or personal data in addition to the information required and if the survey is anonymous against providing personal or sensitive personal data that may identify them.
- Consent to use quotations: you must obtain individual consent to use anonymised or attributable quotations from survey responses.
- Signposting to sources of further information and support: If you are collecting personal data on a sensitive topic for anonymous and surveys where the participants are known to the researchers, you have a duty to provide links to additional sources of help and guidance ta appropriate points throughout the survey and at the end
- Duty to disclose information: You should make clear if there are circumstances (for example statutory requirement to report safeguarding issues) in which you have a duty to disclose information provided by respondents.
Under GDPR consent has to be freely given, specific, informed, unambiguous indication by statement or clear affirmative action.
This can be achieved by asking everyone to tick a box to confirm that they have read the information about the survey and agree to take part in it unless you are collecting special category data (sensitive personal data) when consent has to be confirmed in words.
Research data needs to be held on City IT systems or on a City approved third party.
City ensures that its IT systems and those of approved third parties met the security requirements of the data protection legislation. All research data in transit must be held on an encrypted device.
City’s standard research data retention policy is for the research data to be kept for 10 years after the research project is completed. However, some research funding organisations have much longer retention periods. It is the researcher’s responsibility to abide by these requirements. If you have any queries about retention of your research data please contact the Information Compliance Team at email@example.com
City has put in place an agreement with Qualtrics, which sets out rights and responsibilities for both organisations with regard to personal data – how it is processed, who owns and has access to the data, security arrangements and where it is stored. City insists that the personal data is held within the European Economic Area (EEA) and not in the USA. Whilst the agreement has been set up to protect personal data, it also affords the information governance protection required for all research data.
How do I access Qualitrics?
If you sign up to use other online survey tools – for example Google Survey or Survey Monkey - the agreement is between you and the company. Any data you collect will be held by the company and not by City, University of London.
If this is personal data , you will be in breach of City’s Data Protection Policy
If any of the personal data collected is lost, stolen or used inappropriately, City will be liable for any fines under the DPA/GDPR, even though the agreement will be between you and the survey company, because the research is conducted as part of your work or studies at City.
Failure to follow City’s policies and procedures to protect personal data, may result in disciplinary proceedings.