1. The UK General Data Protection Regulation (UK GDPR), tailored by the Data Protection Act 2018, protects the rights of individuals by setting out certain rules as to what organisations can and cannot do with personal data. The meaning of ‘personal data’ is set out in section 4 below.
2. A key element of protecting personal data is the principle of processing individuals’ data lawfully and fairly. This means we need to provide information on how we process personal data and we should only process the personal data if there is a legal basis specified in the UK GDPR for doing so. The term ‘processing’ refers to any operations performed on personal data, whether these operations are automated or not. Common examples of processing are collecting, sharing, recording, organising, structuring, storing, modifying, consulting, using, publishing, combining, erasing and destroying personal data.
The University takes its obligation under the UK GDPR very seriously and will always ensure personal data is collected, handled, stored and shared in a secure manner.
3. This Privacy Notice outlines how your personal data will be processed in relation to research projects carried out at Middlesex University. It will also provide guidance on your individual rights and how to make a complaint to the Information Commissioner’s Office (ICO), the regulator for data protection in the UK.
4. Personal data means any information that relates to or is capable of identifying you, the research participant, as an individual. This can include direct identifiers such as your name, address/postcode, and biometric data (e.g., voice). It also includes indirect identifiers such as your gender, date of birth, place of work, or other information such as your opinions or thoughts, that can be combined to identify you.
5. We may also collect and use personal data which is referred to as ‘special category’ personal data in the UK GDPR. Special category personal data is data relating to: race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (where this is used for identification purposes), health data, sex life or sexual orientation.
Collecting and using your personal data
6. All research projects/studies are different and the information collected will vary. You will be given Participant Information (before giving your consent to take part in the project/study) that will provide details of how your personal data will be collected and the specific purpose for which it will be used. Researchers will only collect information that is essential for the purpose of the research.
Legal basis for processing your personal data
7. The UK GDPR requires us to have a valid legal reason to process and use personal data about you. This is often called a ‘legal basis’. The UK GDPR requires us to be explicit with you about the legal basis upon which we rely in order to process information about you.
8. In the context of research, the lawful basis upon which we will process your personal data is usually where “Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller” (Article 6 of UK GDPR).
9. We will also process personal data as permitted by Article 9 of the UK GDPR, which permits processing necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
10. Where we need to rely on a different legal condition, such as consent, we will inform you of this in the Participant Information provided to you.
11. Your information will usually be shared within the research team conducting the project/study you are participating in, so that they can identify you as a participant and contact you about the research project/study.
12. Responsible members of the University may also be given access to personal data used in a research project/study for monitoring purposes and/or to carry out an audit of the project/study to ensure that the research complies with applicable regulations. Individuals from regulatory authorities (people who check that we are carrying out the project/study correctly) may require access to your records. All of these people have a duty to observe and respect the confidentiality of personal data in line with legal requirements, including requirements under the UK GDPR.
13. If we are working with other organisations and individuals and information is shared about you, we will inform you in the Participant Information given to you. Information shared will be on a ‘need to know’ basis relative to achieving the research project’s objectives, and with all appropriate safeguards in place to ensure the security of your information. We will enter into appropriate data sharing agreements with such organisations.
Transferring data outside Europe
14. In the majority of instances your personal data will be processed by Middlesex University researchers only but may involve collaboration with researchers at other institutions. Where we will process personal data in collaboration with researchers at other UK or European Union (EU) institutions, we will enter into appropriate data processing agreements which will specify the safeguards that have to be in place to comply with UK data protection law, and if applicable, EU data protection law in cases where personal data will transfer to countries of the EU. You will be informed if data is to be processed by Middlesex University researchers only or in collaboration with researchers at other UK or EU institutions.
15. In any instances in which your personal data might be used as part of a collaboration with researchers based outside the EU, we will enter into appropriate data processing agreements with those organisations, which will specify all necessary safeguards that have to be in place to comply with the UK GDPR requirements for safeguarding personal data that is processed in territories outside of the UK and the EU on the basis of rights and protections that apply to the processing of personal data in the UK. You will be informed if your personal data is to be processed by researchers outside of the EU.
Storage and security
16. The University takes a robust approach to protecting the information it holds with dedicated storage areas for research data with controlled access.
17. Alongside these technical measures there are comprehensive and effective policies and processes in place to ensure that users and administrators of University information are aware of their obligations and responsibilities for the data they have access to. By default, people are only granted access to the information they require to perform their duties. Training is provided to new staff joining the University, existing staff regularly undergo re-training and expert advice is also available.
18. Your information will not be kept for longer than is necessary and will usually be kept in an anonymised or pseudonymised format. The length of time for which we keep your data will depend on a number of factors including the importance of the data, the funding requirements, the nature of the project/study, and the requirements of the publisher. Details will be given in the Participant Information Sheet for each project/study.
Your rights under data protection
19. Under the UK GDPR you have the following rights:
- to obtain access to, and copies of, the personal data that we hold about you;
- to require that we cease processing your personal data if the processing is causing you damage or distress;
- to require us to correct the personal data we hold about you if it is incorrect;
- to require us to erase your personal data;
- to require us to restrict our data processing activities;
- to receive from us the personal data we hold about you which you have provided to us, in a reasonable format specified by you, including for the purpose of you transmitting that personal data to another data controller;
- to object, on grounds relating to your particular situation, to any of our particular processing activities where you feel this has a disproportionate impact on your rights.
20. Your rights to access, change (rectify), or remove your information (erasure) may be limited, as we need to manage your information in specific ways in order for the research to be reliable and accurate. If you withdraw from the study, we may not always be able to remove the information that we have already obtained. We must comply with a request to erase personal data, or to rectify personal data that is inaccurate unless there are grounds for refusing the request specified in the UK GDPR. To safeguard your rights, we will use the minimum personally-identifiable information possible. The Participant Information given to you will detail up to what point in the study data can be withdrawn.
21. If you submit a request for access to your own personal data (subject access request) the University should disclose to you your personal data, which you are entitled to receive on the basis of your request. This will take place within one month of your request, unless there is a justification for extending the response time by a further two months.
22. If you are not satisfied with how the University has handled your information or dealt with any request for your information, you have the right to complain (see section 25 below).
23. None of the above precludes your right to withdraw consent from participating in the research study at any time. However, note as stated in section 20, we may not always be able to remove the information that we have already obtained; and if that is the case, we should explain the reasons for this and the legal justification.
24. If you have any questions about the research project you are participating in, please contact the researcher conducting the project using the contact details you were supplied with in the Participant Information given to you.
Exercising your rights including the right to complain
25. If you want to exercise any of the rights specified in section 19 above, or to complain if you are unhappy with the way your information has been used, you should contact the University’s Data Protection Officer (contact details below).
The University’s official contact details are:
Data Protection Officer
Tel: +44 (0)20 8411 5000
26. The University will seek to deal with your request without undue delay, and in any event in accordance with the requirements of the UK GDPR. Please note that the University will keep a record of your communications to help us resolve any issues which you raise. Records retained will be in accordance with the University’s retention schedule.
How to Make a Complaint to the Regulator
27. If you are dissatisfied with how the University has dealt with a request you make relating to your personal data, or you believe that your data protection or privacy rights have been infringed, you should contact the UK Information Commissioner’s Office (ICO), which oversees data protection compliance in the UK. Details of how to do this can be found at: (https://ico.org.uk/make-a-complaint/).