Sensitive Data and Receiving Consent according to GDPR

In May 2018, new data protection regulations were introduced across the EU. The General Data Protection Regulation (GDPR) was developed to protect EU residents’ personal data collected by any person and organization, including the ones outside the EU. GDPR covers a wide range of processes including how an organization collects, processes, stores, transfers, and uses personal data. In other words, this means that if you are collecting data from EU citizens, you must abide by the GDPR. Within the field of research, GDPR acts as a safety instrument to improve the confidence and mutual trust between researchers and participants.

It is important to understand that researchers are data collectors, and GDPR also applies to their work processes. How should researchers meet the requirements set by GDPR while working with sensitive personal data? Here are some things to consider:


What is sensitive data? Are you collecting sensitive data?

Some personal data by its nature is in the category of sensitive data and therefore needs strong protection. This type of data is called sensitive personal data and can be processed under certain conditions. According to the European Commission, the following data is considered sensitive and is subject to specific processing conditions:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Membership of a trade union
  • Health
  • A person's sex life or sexual orientation
  • Genetic data
  • Biometric data that is being used to uniquely identify a person.

Since the Covid-19 pandemic began, numerous interviews have been conducted to understand the impact of the pandemic on people and their loved ones. Because these conversations include data on interviewees’ mental health, they should be regarded as “sensitive data” and treated with extra care.

According to GDPR, there are two important points to consider before collecting sensitive data:

First, sensitive data should be vital to your research project. If this information is not absolutely necessary for your project, then you shouldn’t be collecting it in the first place. In other words, the researcher should follow the principle of data minimization.

Second, you need to ask for consent. Consent of the data subject, or the interviewee, is absolutely critical before the interview can even begin. Consent of the interviewee means any freely given, specific, informed, and unambiguous indication of agreement to the processing of personal data relating to him or her.

As an interviewer, you should receive consent before the interview begins. The first important point here is to understand that consent must be freely given. Second, it is very important that consent is informed. Informed consent means the interviewee knows your identity as a researcher, what data processing activities you intend to conduct, the purpose of the data collection, and that they can withdraw their consent at any time. The data protection principles require that, whenever personal data is being processed, researchers provide transparent, plain-language information to the individuals whose data may be collected and analyzed.

Researchers should inform individuals of (1) who is processing the personal data, (2) with whom that personal data may be shared, (3) the purposes for which the data will be used, (4) for how long it will be retained and (5) what rights and privileges individuals have in terms of their personal data.

A researcher can receive consent either orally or by a written statement prior to the interview. If you opt for receiving consent orally prior to the interview, you should record it. Recording the consent and the interview as a whole, for the purposes of archiving, analysis, and fact-checking, is among the best practices.

Data controller versus processor from a GDPR perspective

It is important to understand the different roles and responsibilities that people or organizations have under GDPR when they collect data for research purposes. So what is the difference between a “data controller” and a “data processor”?

According to GDPR and other privacy laws, the data controller carries the largest share of responsibility when it comes to protecting the privacy and rights of the data subject, which covers information such as the interviewee's name and sensitive content. The controller owns the data and sets the boundaries regarding how and why it is processed.

A data processor, on the other hand, is a third party chosen by the controller to process the data. Even though data processors carry less responsibility, it is very important for them to be aware of their obligations so as not to jeopardize the privacy and data security of their clients.

To put it into context, automated transcription and analysis tools act as “data processors”, since they are hired or purchased by the researcher to process their data. They have no right to alter the data or transfer it to third parties unless there are special and secure contractual clauses that allow such a transaction to take place.

What are the responsibilities of an automated transcription and analysis tool?

Automated transcription and analysis tools are used by researchers to convert their interviews to text in less time than it would take to transcribe them manually. AI-powered speed and cloud-based data accessibility offer opportunities to increase productivity and research quality, provided that researchers can quickly identify which questions yield the most productive insights.

It is crucial that automated transcription service providers are aware of their responsibilities and maintain their clients’ data in the most secure manner. This entails storing the data on secure servers, avoiding transfers of data to third parties who do not have the security measures necessary to protect users’ privacy, making sure sensitive data is stored within the European Union (EU), and completely removing existing user data upon explicit request.

Scrintal was created by researchers to offer fellow researchers a secure transcription and analysis platform that frees up a massive amount of time otherwise spent on manual transcription, time which can be put to more productive work. We know how vital GDPR compliance and data protection are to our users, so the security of your data is our top priority.

  • All of our servers are located in the EU.
  • We use AWS (Amazon Web Services) servers that are GDPR compliant and demonstrate compliance with rigorous international standards, such as ISO 27017 for cloud security and ISO 27018 for cloud privacy, in addition to ISO 27001.
  • All of your data is encrypted with AES256, which offers maximum computational hardness for the longest period of time.

Scrintal is also one of the few providers in its field to offer a data processing agreement that is presented to users before they upload their first recording. You can register here for a 30-minute free trial.


Ece Kural

PhD Candidate @ Stockholm University