Data Privacy
Working with data from or about people? Whether you are collecting data or reusing previously collected data that is personally identifiable, you should consider data privacy issues and ensure you are managing data responsibly. If you are working with data from people residing in the EU, EEA, UK, or the People's Republic of China, you will have specific legal obligations.
What is personally identifiable data?
Data such as names and ID numbers is directly identifiable. Indirectly identifiable data enables personal identification when used in combination, for example, age+occupation+census tract or birthdate+gender+college major.
What is Data Privacy?
Different types of personal data have different levels of risk associated with them. Data is “classified” by levels of risk to the subject; privacy means protecting data appropriately for the level of risk. For more information, see the Reed data classification and handling guidelines.
When is human subjects review (IRB) required?
Research on human subjects that will be published or presented, including a senior thesis, requires review and approval by the Institutional Review Board (IRB). Research for course assignments that will not be distributed publicly does not require IRB review.
How can I protect personal data used in my research?
Whether or not your research requires IRB approval, you should develop a plan to meet your legal and ethical responsibilities as a researcher and follow these best practices:
- Get informed consent when gathering personal information, and only use the data for research purposes.
- Only collect risky data if it is integral to your research, or try to make the data less risky. For example, do you need the exact date of birth, or will age suffice? Can you anonymize personal information you collected?
- Only save personally identifiable data as long as it’s needed for your research, which could include future needs such as presentations or archiving requirements. Develop a plan for securely deleting sensitive research data when it is no longer needed.
- If data will be shared, FileRobot is more secure than email for transferring sensitive data.
- Follow Reed’s Data Privacy Policy and link to it from data collection instruments (it is already linked from the Reed Qualtrics template).
- Secure your data with strong passwords, whole disk encryption, and reliable backups.
- Follow terms of service and security requirements for data acquired from external sources.
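Two of the points above, that fields such as age, occupation and census tract identify a person in combination, and that an exact date of birth can often be replaced by an age, can be checked on a data set before it is stored or shared. The Python below is an added example, not part of Reed's guidance; the records, field names, ten-year age bands and the group-size threshold of 2 are constructed assumptions.

```python
from collections import Counter
from datetime import date

TODAY = date(2024, 6, 1)  # fixed reference date so the result is reproducible
# Constructed sample records, not real people; "tract" values are placeholders.
RECORDS = [
    {"birthdate": date(1990, 3, 14), "occupation": "nurse", "tract": "A"},
    {"birthdate": date(1987, 11, 2), "occupation": "nurse", "tract": "A"},
    {"birthdate": date(1985, 7, 30), "occupation": "nurse", "tract": "A"},
    {"birthdate": date(1972, 1, 9), "occupation": "teacher", "tract": "B"},
    {"birthdate": date(1969, 8, 21), "occupation": "teacher", "tract": "B"},
    {"birthdate": date(1995, 5, 5), "occupation": "pilot", "tract": "B"},
]
RAW_QI = ("birthdate", "occupation", "tract")
GEN_QI = ("age_band", "occupation", "tract")

def group_sizes(rows, fields):
    """Count how many rows share each combination of the given fields."""
    return Counter(tuple(r[f] for f in fields) for r in rows)

def smallest_group(rows, fields):
    """Size of the rarest combination; 1 means someone is unique."""
    return min(group_sizes(rows, fields).values())

def unique_count(rows, fields):
    """Number of rows whose combination of fields appears only once."""
    return sum(1 for n in group_sizes(rows, fields).values() if n == 1)

def age_band(birthdate, today=TODAY, width=10):
    """Replace an exact birthdate with a coarse age band such as '30-39'."""
    age = today.year - birthdate.year
    if (today.month, today.day) < (birthdate.month, birthdate.day):
        age -= 1  # birthday has not happened yet this year
    low = (age // width) * width
    return f"{low}-{low + width - 1}"

def generalize(rows):
    """Drop the birthdate and keep only the age band."""
    return [{"age_band": age_band(r["birthdate"]),
             "occupation": r["occupation"], "tract": r["tract"]} for r in rows]

def suppress_below(rows, fields, k):
    """Withhold rows whose combination is shared by fewer than k people."""
    sizes = group_sizes(rows, fields)
    return [r for r in rows if sizes[tuple(r[f] for f in fields)] >= k]

if __name__ == "__main__":
    banded = generalize(RECORDS)
    print("unique on raw fields:", unique_count(RECORDS, RAW_QI))
    print("unique after banding:", unique_count(banded, GEN_QI))
    safe = suppress_below(banded, GEN_QI, 2)
    print("rows kept:", len(safe), "smallest group:", smallest_group(safe, GEN_QI))
```

A smallest group of 1 after banding shows that coarsening one field does not by itself anonymize the data; the remaining unique row has to be coarsened further or withheld.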
Special considerations for data gathered in Europe
If your data is being collected from human subjects in the European Union (EU), the European Economic Area (EEA), or the United Kingdom (UK), then you also need to comply with the General Data Protection Regulation (GDPR). Under GDPR there must be a legal basis for collecting personal data. For most scholarly research, the legal basis is the legitimate interests of the researcher.
Personal data are “personally identifying” data either alone or in combination with other data. Special categories of personal data include information relating to health, race, sexual orientation, biometrics, political views, religion, genetics, or children. Higher risk data carries higher standards for protection.
If your research may involve EU subjects, follow these steps:
- Determine whether GDPR is applicable
  - Are the data subjects located in the EU, EEA, or UK while participating in the study?
  - Is personal information being collected?
  - Are the data subjects identifiable, either directly or indirectly?
  - Does the personal data fall into a “special category”?
- Justify the legitimate interest in gathering and processing the data
  - Ensure that the specific data items being collected are necessary for the purpose(s) of the research
  - Evaluate and document the risks to the data subjects
  - Develop a plan for managing and deleting the data in a manner that balances your research needs with subject risks
  - Review “What is the ‘legitimate interests’ basis?” from the UK Information Commissioner’s Office.
- Follow the best practices for data security and privacy, as described above
- Take the free GDPR training available from CITI Program
  - Create a CITI Program account (make sure you are affiliated with Reed)
  - Take the course on GDPR for Research and Higher Ed (at least the GDPR Overview)
  - For more information, take the course on GDPR: Noncompliance Risks and Mitigation Strategies
Special considerations for data gathered in the People’s Republic of China
If your data is being collected from human subjects in the People’s Republic of China, then you also need to comply with the Personal Information Protection Law (PIPL). PIPL applies to personal information about an identifiable person in China. If the data is truly anonymized and cannot be reversed, then PIPL no longer applies.
Under PIPL, there must be a legal basis for collecting and processing personal information. For scholarly research, the most likely legal bases are either:
- Obtaining informed consent of the individual,
- Processing personal information already disclosed by the individual or otherwise lawfully disclosed. This is most likely if you are receiving a previously-collected data set.
Personal information includes name, date of birth, address and phone number. Sensitive personal information may cause harm to the individual if leaked or illegally used, and includes religious beliefs, health, financial accounts, location data, specially designated status, or information relating to minors under 14. Higher risk data carries higher standards for protection.
If your research involves human subjects in China, follow these steps:
- Determine whether PIPL is applicable
  - Are the data subjects located in China while participating in the study?
  - Is personal information being collected?
  - Can the data be anonymized?
  - Does the personal information fall into a “sensitive category”?
  - Will the personal information be transferred out of China?
- Justify the legal basis for gathering and processing the data
  - Ensure that the specific data items being collected are necessary for the purpose(s) of the research
  - Evaluate and document the risks to the data subjects
  - Develop a plan for managing and deleting the data in a manner that balances your research needs with subject risks
- Obtain consent to collect personal information
  - Consent must be given freely, voluntarily, and explicitly on a fully informed basis
  - Separate consent must be obtained to collect sensitive personal information.
  - Separate consent must be obtained to transfer personal information out of China
- If previously collected personal information is being transferred to you, you are an entrusted party. You must have an agreement with the data source that defines the categories of data, purpose, time limit, and handling methods of the personal information.
- Follow the best practices for data security and privacy, as described above
- Learn more about PIPL from these resources:
  - Translation: Personal Information Protection Law of the People’s Republic of China, 8/20/2021 by DigiChina, Stanford University.
  - China Personal Information Protection Law (PIPL) FAQs, 4/6/2022 by Bloomberg Law
  - China’s Personal Information Protection Law (PIPL), by UC Irvine Office of Research