Human Subject Research performed at The New School (excluding Parsons Paris) is more likely to be covered by the Federal Policy for the Protection of Human Subjects (the “Common Rule”) than the GDPR. The GDPR generally applies only to research activities that involve Personal Data being collected from research participants physically located in a European Economic Area (EEA) country at the time of collection (even if the participant is not a citizen or resident of the EEA) and/or the transfer of Personal Data collected under the GDPR from an EEA country to a non-EEA country (e.g., the United States). The GDPR does not apply to activities involving the collection of Personal Data from research participants who are physically located within the United States at the time of data collection (even if the individual is an EEA citizen).
Researchers should contact the New School Office of Research Support's Human Research Protection Program (HRPP) before embarking on any research project involving human subjects.
Consent as a legal basis
The GDPR requires a Legal Basis to collect and Process (e.g., analyze) Personal Data. In order to use Personal Data for research, the legal basis that will usually apply is consent from the Data Subject. The Common Rule also requires consent from the Data Subject. Although some of the details around how consent information is presented differ between the two regulations, the main requirements are broadly similar.
Consent must be freely given, specific, informed, and unambiguous with regard to the Data Subject’s wishes by a statement or by a clear affirmative action:
Freely given means the individual must have a realistic choice, or the realistic ability to refuse or withdraw consent. Individuals in a position of authority cannot obtain consent. To be valid, consent cannot be coerced. Consent is not “freely given” where there is a clear imbalance of power between the Data Controller and the Data Subject, or when the delivery of goods, services, or other benefit is conditioned on the recipient giving consent.
Specific means the consent must be explicit and transparent and contain the following information:
- Identity of the Principal Investigator
- Purpose of the Personal Data collection
- Types of Personal Data collected, including listing of any Special Categories of Personal Data
- The right to withdraw from the research and the mechanism for withdrawal
- Who will have access to the data
- Time period for which data will be stored (may be indefinite)
- Information regarding data security, including storage and transfer of data
- Information regarding automated decision-making about the individual, including Profiling
- Whether and under what conditions data may be used for future research, either related or unrelated to the purpose of the current study
The above information is commonly provided to the participant via an Informed Consent Form, which combines the consent form and privacy notice into a single document. See the HRPP website for form templates.
Informed means that subjects are made aware of the risks, how their data will be safeguarded, their rights in relation to the research (as described below), and how to exercise those rights.
Unambiguous means consent is given through a statement or clear affirmative action.
- This may be by a written or oral statement or other affirmative act demonstrating consent. For instance, checking a box can indicate consent, while silence or pre-ticked boxes that require unchecking (opting out) cannot.
- Investigators should be able to demonstrate that a particular Data Subject consented to the research. Consent records, including time and date of consent, must be maintained for each Data Subject.
- If the consent form serves multiple purposes, the request for consent must be clearly distinguishable within the document.
- There is no ability for the Institutional Research Board (IRB) to waive informed consent under GDPR.
Researchers using consent for research purposes can seek broad consent from Data Subjects for research activities. This means that data can be stored for longer periods and individuals’ rights to erasure and to object can be limited. For archival research projects, Data Subjects’ right to data portability can also be limited.
Legitimate interests as a legal basis
For research projects using existing data sets or third party data (i.e., data not directly provided by the individual or where no contractual relationship with the individual exists), “legitimate interests” may be used as the Legal Basis for Processing.
Use of this basis requires clarity as to who the Data Controller will be, and what the Data Controller’s legitimate interests are, so that it can be determined whether the Data Controller’s interests are overridden by the fundamental rights and interests of Data Subjects. Balancing the Data Controller’s rights against the rights of the individual requires that research be carried out in the least intrusive and most privacy-enhancing way.
Students may conduct research as part of their undergraduate or postgraduate work. Students will be the Data Controllers and therefore responsible for their research until they submit their dissertation. At that time The New School becomes a joint Data Controller with the student.
The only exception to this is where a student Processes Personal Data while working on a project led by a university research group. In this case, the student and the university are both Data Controllers from the outset.
Jul 2020 | D. Curry
Parts of this guideline are adapted from the University of Edinburgh’s compliance checklist, the contents of which are used with permission.