Privacy Notice for Research Participants

Research conducted by our staff and postgraduate research students is intended to make an original contribution to knowledge and understanding, which is effectively shared through publications, e.g. journal articles. Research conducted by our undergraduate and taught postgraduate students does not always make an original contribution to knowledge and understanding, and may not be published, but is integral to the students’ education and programme of study. This Privacy Notice covers all research conducted by Abertay staff and students, that involves the personal data of living research participants. This includes technological development and demonstration, fundamental research, applied research, privately funded research, studies in the public interest in the area of public health (Recitals 45. 53 and 159 of GDPR). Research has a special status under GDPR.

“Personal data” means any information relating to a living identified or identifiable person (so it may include information which if combined with other information could lead to individual identification).

For research, examples of categories of personal data gathered from research participants may include (depending on the individual research project, about which you will receive specific information):

• Personal identifiers: e.g., names, addresses, postcodes, dates of birth, emergency contacts etc.
• Human tissue, genetic or sequence information
• Images/ recordings of individuals
• Student ID numbers
• IP Addresses
• Testimonials that include personal data about an individual
• Information about your family or personal circumstances if relevant to the research project
• Opinions or characteristics
• Education and/or employment information
• Nationality
• Information that could identify an individual if it is combined with other information that is readily available.

'Special categories’ of personal data which are deemed to be ‘sensitive’ are defined as information relating to the following. The University may process this data, but only in specific and restricted circumstances, and always in accordance with Article 9 of the GDPR:

• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trades union membership
• Health/ medical data (including disability, genetic, biometric data)
• Criminal prosecution or conviction
• Data on children and other vulnerable individuals
• Data on a person’s social media or online activities (which could include mobile phone activity)
• Sexuality, sexual activity, sexual orientation
• Other information that can be deemed highly sensitive (e.g. might lead to reputational damage if disclosed)

Abertay University is usually the Data Controller and responsible for how we will decide how your personal information is processed (collected, used, shared, stored and deleted) by our staff and students conducting research involving participants and personal data. We will do so in line with the research objectives, ensuring that we collect only what is necessary and appropriate, and we will inform you of what we are collecting and how the information will be processed. The researcher (Abertay staff or student conducting the research) will provide this information to you within the Research Consent Form, before any data is collected.

Abertay staff or students may occasionally conduct research involving more than one Data Controller. In such cases, an agreement and/or contract will be put in place, which will clearly describe the responsibilities of each party.

Our researchers are asked to anonymise (remove identifiers) or pseudonymise (remove identifiers such as your name and replace this with a unique code or key kept separately) and then delete personal information collected as part of their research, at the earliest opportunity or when the research is completed. Our researchers are asked to delete personal information collected during a research project that will not be used to make an original contribution to knowledge and understanding effectively shared by publication. Only de-identified data will be made available to the public as Open Data unless you are notified differently within the Research Consent Form.

Researchers are obliged to retain research data for at least 10 years from the date of any resulting research publication. Researchers retain Research Consent Forms for as long as we continue to hold information about the data subject and for 10 years for published research. All personal information is kept in line with our policies or any regulatory requirements.

Personal data will usually be shared within the research team conducting the research project. If the personal data is to be shared with other research collaborators (e.g. other Universities or research institutes) that are not employed by or registered with Abertay University, you will be told about this in the Research Consent Form. Most personal data used in research will be de-identified before sharing more widely or publishing the research outcomes. If this is not possible, we will ask for your consent to make your personal information available to others.

We may on occasion use products or services provided by third parties (a Data Processor) who carry out a task on our behalf. In such cases we undertake appropriate due diligence and ensure appropriate contractual provision to ensure confidentiality and security is respected by the Data Processor. If researchers use a Data Processor to process your personal data they will provide you with details about this on the Research Consent Form.

Only fully anonymised data will be shared beyond the EEA.

Unless personal data has been manifestly made public by you (the research participant/ data subject), a researcher must gain your informed ethical consent to collect data from you and for processing; this is required as part of our Research Ethics Approval process. For “special category” data, a researcher must gain explicit informed consent from you for each item of sensitive “special category” data collected and processed. Sometimes our researchers will obtain personal data from research collaborators or from publicly available sources, in which case we will still comply with all relevant Abertay University policy and procedures.

In order to protect your rights and freedoms when using your personal information for research and to process special category information the University must have special safeguards in place to help protect your information.

We have the following safeguards:

• Policies and procedures that tell our staff and students how to collect and use your information safely.
• Training which ensures our staff and students understand the importance of data protection and how to protect your data.
• Technical and organisational measures that ensure your information is stored safely and securely. These include research procedures and guidance.
• All research projects involving personal data are scrutinised and approved by the University’s Research Ethics Committee.
• Contracts with companies or individuals (that are not Abertay University staff or students) have confidentiality clauses to set out each party’s responsibilities for protecting your information.
• We carry out Privacy Impact Assessments on high risk projects to ensure that your privacy, rights as an individual or freedoms are not affected.
• If we use collaborators outside of the EEA, we will ensure that they have adequate data protection laws or are part of privacy and security schemes such as the privacy shield in the US.

In addition to the above University safeguards, the GDPR and the DPA also require us to meet the following standards when we conduct research with your personal information:

• The research will not cause damage or distress to someone (e.g., physical harm, financial loss or psychological pain).
• The research is not carried out in order to do or decide something in relation to an individual person, unless the processing is for medical research approved by a Research Ethics Committee.
• The Data Controller has technical and organisational safeguards in place (e.g. appropriate staff training and security measures).
• If processing a “special category” of data, this must be subject to a further public interest test to make sure this particularly sensitive information is necessary to meet the objectives of the research project.

Abertay University conducts teaching and research under legislative authority: the University of Abertay Dundee (Scotland) Order of Council 1994. Article 4(1) provides that “The objects for which the University shall be conducted are to provide education, to undertake and carry out research, and to make suitable and adequate provision for teaching, learning, scholarship and research.”

The purpose of processing your personal data is to undertake research to benefit human knowledge, education and understanding, as described above under “What do we mean by research”.

The legal basis (including specific General Data Protection Regulation articles) for processing a participant’s personal data is:

Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller [Article 6(1)€ of GDPR].

For research involving the collection and storage of sensitive “special category” data, we only do so where:

Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject [Article 9(2)(j) of GDPR].

Under GDPR you have rights in relation to the personal information we hold about you: You have the right to request access to, copies of, and rectification or erasure of, personal data held by the University and can request that we restrict processing or object to processing as well as the right to notification of this; to data portability (i.e. the right to ask us to put your data into a format that it can be transferred easily to a different organisation, subject to conditions).

It is important to understand that the extent to which these rights apply to research will vary and that in some circumstances a right may be limited if implementing it would prevent or seriously impair the research outcomes. These are not absolute rights and apply only in limited circumstances. You can object to your data being used for research purposes, but not where the research is being carried out in the public interest. We can only implement your rights during the period upon which we hold personal identifiable information about you. Once the information has been irreversibly anonymised and becomes part of the research data set, it will not be possible to access your personal information.

The rights of objection and restriction are complicated and each instance will be assessed individually. If you wish to exercise any of these rights, please contact the University Data Protection Officer.

If you are not happy with the way your information is being handled, in the first instance, you should contact the University’s Data Protection Officer (DataProtectionOfficer@abertay.ac.uk). If you remain unhappy with the response received from us, you have the right to lodge a complaint with the Information Commissioner’s Office at Wycliffe House, Water Lane, Wilmslow, SK9 5AF.

This privacy notice was last updated in October 2022 and may be amended from time to time. The next scheduled review is due to take place by September 2024.