Frédéric Tronnier (GUF)
Acknowledgements: The author thankfully acknowledges Jeanette Klonk, Andrès Chomczyk Penedo and Iñigo de Miguel Beriain
The following section provides recommendations for researchers conducting a survey in the framework of an ICT research and innovation project. The recommendations aim to be easy to understand, simple to implement, compliant with regulations, and consistent with adequate scientific practice.
In order for the survey to be legally and ethically compliant, data protection issues must be considered beforehand. Researchers should consult with their data protection officer (DPO) to receive advice on how to prepare and conduct a survey in a GDPR-compliant way.
Planning the survey
A key principle of data protection is to limit the data collected from respondents to the minimum required to achieve the specific task or purpose for which they are collected (this is called data minimization). Researchers must always avoid any unnecessary intrusion on respondents’ privacy. Therefore, researchers should think about which specific information they need for their research purpose at the planning stage of the survey. They must balance how important the data are for the project, how intrusive the questions of the survey are and whether they can collect the relevant information through less invasive methods.
According to the minimization principle, researchers should prefer anonymized data over personal data. If this is not possible (and they should be able to demonstrate why not), pseudonymized data are the most advisable option. Regarding the amount of data, the minimization principle requires researchers to gather as little data as possible. In this regard, opting for a large dataset must be justified. Special categories of data, such as biometric data of individuals, should not be collected unless this is strictly necessary. Surveys should avoid hypersensitive questions, meaning questions that could harm respondents and/or related entities such as employers, political parties, or other individuals.
Preparing the survey
Before conducting the survey, researchers should address how they plan to inform potential respondents about the data protection aspects of the survey, i.e. their rights, how the processing will be done, if data will be shared with third parties, etc. In particular, researchers should carefully plan how to comply with any request from a data subject exercising one of their rights.
Obtaining respondents’ informed consent
Consent is a legal basis for data processing according to the GDPR. Although there are other legal bases such as the public interest (see Art. 6 GDPR), researchers should prefer respondents’ informed consent to process personal data. Seeking the consent of an individual to participate in research reflects the right of an individual to self-determination and also his/her fundamental right to be free from bodily interference whether physical or psychological and to protect his/her personal data as well as the opportunity to choose what shall or shall not happen to them. These are ethical principles recognized by human research regulation and guidelines.
In recent years, social media has often been used as a tool for recruiting participants in a survey. However, this practice is highly troublesome from a data protection standpoint. To begin with, it is not easy to determine the respondent’s real age. The users of some social media tools include an incredible number of minors. If a researcher recruits a minor for a survey through social media tools, informed consent will not be valid (unless parental consent is provided in compliance with the relevant national regulations). Furthermore, it might expose minors to potential risks which could harm them. Similar concerns apply to the elderly population or other vulnerable individuals, who might be unable to deal with the technologies used by the survey.
The use of tools and services
It is crucial to analyze the legality of the tools and services that are to be used for the survey beforehand. This includes services with which survey data is gathered, stored and analyzed. Researchers must consider the following points regarding the service provider used:
- Location of the servers of the tool or service providers. Ideally, data should be stored within the EU.
- Whether data is sent to third parties.
- Availability, reliability and reputation of the service provider.
- Certification under ISO 9001/27001 or other international standards.
- Deployment of cookies to respondents.
- Whether compliance with GDPR and national legislation can be demonstrated.
In general, researchers should prefer service providers that are based in the EU and comply with European standards regarding the gathering, storing and analyzing of the survey data.
Compliance with national, EU and international law
The creation and execution of the survey have to comply with both European and national law. First, controllers must ensure compliance with the GDPR as well as with many other relevant EU provisions. Then, they should check compliance with national legislation, as there might be specific rules referring to the research or to the processing of special categories of data. For instance, Art. 89(3) GDPR describes safeguards and derogations relating to processing for achieving scientific research purposes, but national regulation may add further requirements.
At an international level, most of the relevant legal documents are soft law for individuals and legal entities, i.e. not legally binding. Nevertheless, there are relevant guidelines, such as OECD “Guidelines on the protection of privacy and trans-border flow of personal data” (2013) and “Recommendation of the Council on Digital Security Risk Management for Economic and Social Prosperity” (2015), which researchers should take into account. Researchers should therefore be aware of new and upcoming regulation as well as changes in existing regulation, be it national or international.
By fully understanding the legal and ethical complications of collecting and processing personal data in a project, controllers can ensure that the legal provisions applicable to the processing of personal data will be respected during the entire course of the project. As a general rule, all personal data should be processed in accordance with European data protection provisions, even if the data is obtained outside the EU. If your survey is conducted in a non-EU country, remember that national law may vary, and make sure you comply with every national data protection regulation involved while remaining compliant with European and international statutes on data protection. Pay special attention to any ethical rules and regulations stemming from national laws and directives. Such national directives may require additional targeted ethical interventions.
After the survey has been conducted: withdrawal criteria
For a variety of reasons, a survey participant may withdraw from participating at any time after the survey was conducted. Data obtained from the respondent must be deleted immediately and not used in the results going forward. Withdrawal procedures must be compliant with EU and national law and have no consequences for the respondent. The same applies if your survey is part of a series of surveys. Therefore, the withdrawal of a participant should not only lead to the deletion of data from the last survey but also to the deletion of the data in previous surveys. You should inform survey participants about the deadline upon which they can no longer exercise their right to withdraw consent, if the data is to be aggregated and anonymized. If the data is anonymized, it is no longer considered personal data and the GDPR does not apply anymore. Erasing the data from the aggregated data may then be too costly, or outright impossible. The ISO/IEC Standard 20889 provides an overview of privacy-enhancing data de-identification terminology and techniques that may be applied to (pseudo)anonymize data. Similarly, the right to be forgotten is not absolute and does not apply for scientific research purposes if appropriate safeguards, according to Art. 89(1) GDPR, are put in place.
1 For an overview of ethics in ICT: Ethics of information and communication technologies. 2012. European Group on Ethics in Science and New Technologies to the European Commission. Opinion No. 26. doi: 10.2796/13541