...
Privacy notice Department of Psychology, University of York
This document provides a description of default procedures used in the Department of Psychology, University of York, when handling personal data (data that could directly or indirectly identify who you are). The procedures described below are the standard processes in line with the procedures used at the University of York. For some projects, you might receive a different privacy notice specific to that project.
The legal basis for processing personal data
Under the General Data Protection Regulation (GDPR), the University has to identify a legal basis for processing personal data and, where appropriate, an additional condition for processing special category data.
In line with our charter which states that we advance learning and knowledge by teaching and research, the University processes personal data for research purposes under Article 6 (1) (e) of the GDPR:
Processing is necessary for the performance of a task carried out in the public
...
interest
Special category data is processed under Article 9 (2) (j):
Processing is necessary for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes
Research will only be undertaken where ethical approval has been obtained from the Department of Psychology's Ethical Committee, where there is a clear public interest, and where appropriate safeguards have been put in place to protect data.
In line with ethical expectations and in order to comply with common law duty of confidentiality, we will seek your consent to participate where appropriate. This consent will not, however, be our legal basis for processing your data under the GDPR.
Consent and testing in liaison with Schools
To be quite clear, the legal basis for processing personal data is 'in the public interest' and not 'consent'. In some circumstances it is preferable to undertake an opt-out (i.e., parents/guardians actively state that they do not want their child to participate in research) rather than an opt-in (i.e., parents guardians actively state they do want their child to participate) approach to data collection. Of course we will comply with a given school's policy in this regard and our default position is that 'opt-in' is the preferred option, but opt-out studies are not ruled out and will be sanctioned if approved by the Departmental Ethical Committee.
How will personal data be used
Researchers associated with each ethically approved study will be collecting data of a particular type and will be using this data in the pursuit of academic research. Each study will have its own aims and objectives and these will be stated clearly on the particular information sheet that will be provided to every participant. Moreover, only the minimum amount of personal data will be collected that is necessary to answer the research objectives.
How will confidentiality be assured?
It is typically the case that personal data will be processed via a unique participant identifier that will not reveal a given individual's identity. However, members of the project team will have access to information that links a given individual with the associated identifier. All reasonable steps will be taken to ensure this association is kept strictly confidential, that is, accessible only by members of the project team. In the majority of cases, data will be processed in a a pseudonymised form, namely, with respect to the participant identifiers. However, data can be be fully anonymised by removing participant identifiers. A given individual's identity will never be revealed without written consent being given by that person. It is possible that personal data may be shared anonymously with others for secondary research and/or teaching purposes. We are particularly mindful of cases where the data comprise audio/visual recordings and therefore a given individual's identity may be either impossible or difficult to conceal. We will seek explicit consent in matters concerning how these kinds of recordings will be usedThis is described in the information sheet provided to a participant at the start of the study. Where video or audio recordings are made, the participant will receive an additional information sheet and consent form explaining how those recordings will be used and processed.
Will personal data be shared with 3rd parties?
The default position is that personal data will only be accessible to members of the project team. In some cases however the work may be of a collaborative nature and hence the data will be made accessible to others from outside of the department. Information specific The information sheet will explain to the project will include details of when this is the case, who the 3rd parties are, participant whether personal data are shared outside the project team or not. Where personal details need to be shared, the information sheet will explain who the third parties are and what they will do with the data. As noted above, it is possible that personal data may anonymised data might also be shared anonymously with others for secondary research and/or teaching purposes. . When sharing data, it is possible the participant’s research data will be used by other researchers to answer new questions unknown to this study’s researchers.
How will data security be assured?
The University will put in place appropriate technical and organisational measures to protect your personal data and/or special category data. Information will be treated confidentiality and shared on a need-to-know basis only. The University is committed to the principle of data protection by design and default and will collect the minimum amount of data necessary for the project. In addition, we will anonymise or pseudonymise data wherever possible.
Where will personal data be stored?
The default position is that the data will be stored on university devices provided by the Department of Psychology. That is, data data will be held within the European Economic Area in full compliance with data protection legislation.
However, the university has access to cloud storage and currently this is provided by Google. This means that if the data are to be loaded onto this cloud storage then it can be located at any of Google’s globally spread data centres. The University has data protection compliant arrangements in place with this provider. For further information see, https://www.york.ac.uk/it-services/google/policy/privacy/.
Please note that if you are taking part online, many of our online studies are run through Gorilla.sc or Qualtrics. Both are GDPR compliant, frequently used online participation platforms. These platforms are the data processor, while the researcher in charge of the experiment remains the data controller (owner responsible for the data). The data will only be accessible to the researchers working on this project. Both Gorilla.sc and Qualtrics will never view or use any participant data, unless explicit permission is given by the researcher and the participant has given consent for their personal data to be accessed this way. Data will be stored at University of York servers and removed by the researchers from these platforms as soon as possible
How long will data be retained?
Data will be retained in line with legal requirements or where there is a business need. Retention timeframes will be determined in line with the University’s Records Retention Schedule. Please Please follow this link for further information information https://www.york.ac.uk/library/info-for/researchers/data/sharing/
What rights do you have in relation to your data?
Under the GDPR, you have a general right of access to your data, a right to rectification, erasure, restriction, objection or portability. You also have a right to withdrawal. Please note, not all rights apply where data is processed purely for research purposes. For further information see, https://www.york.ac.uk/records-management/generaldataprotectionregulation/individualsrights/ If you would like to access your right to portability, please contact contact dataprotection@york.ac.uk. In simple terms if you would like access to your data then please contact the university's data protection officer via the email: dataprotection@york.ac.uk
Online studies:
If you are taking part online, many of our online studies are run through Gorilla.sc or Qualtrics. Both are GDPR compliant, frequently used online participation platforms. These platforms are the data processor, while the researcher in charge of the experiment remains the data controller (owner responsible for the data). The data will only be accessible to the researchers working on this project. Both Gorilla.sc and Qualtrics will never view or use any participant data, unless explicit permission is given by the researcher with consent from the participant if personal data are accessed. Data will be stored at University of York servers and removed by the researchers from these platforms as soon as possible
Right to complain
If you have a concern about any aspect of a given study, then you should ask to speak with the researchers who will do their best to answer your questions. If you remain unhappy and wish to complain formally, you can do this through the complaints procedure of the University of York. Details Details can be obtained from the email address: registrar-and-secretary@york.ac.uk. If you are dissatisfied with the way your personal data have been handled please contact the lead researcher in the first case, or the University’s Data Protection Officer at at dataprotection@york.ac.uk. If you are unhappy with the way in which the University has handled your personal data, you have a right to complain to the Information Commissioner’s Office. For information on reporting a concern to the Information Commissioner’s Office, see see www.ico.org.uk/concerns.