Protecting your data

On what basis will you process my data?

Under the General Data Protection Regulation (GDPR), the University has to identify a legal basis for processing personal data and, where appropriate, an additional condition for processing special category data.

In line with our charter which states that we advance learning and knowledge by teaching and research, the University processes personal data for research purposes under Article 6 (1) (e) of the GDPR: “Processing is necessary for the performance of a task carried out in the public interest”.

Special category data is processed under Article 9 (2) (j): “Processing is necessary for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes”.

Research will only be undertaken where ethical approval has been obtained, where there is a clear public interest and where appropriate safeguards have been put in place to protect data.

In line with ethical expectations and in order to comply with common law duty of confidentiality, we will seek your consent to participate where appropriate. This consent will not, however, be our legal basis for processing your data under the GDPR.

How will you use my data?

Data will be processed for the purposes of research, as outlined in this notice.

Will you share my data with 3^rd parties?

No. Data will be accessible to the project team only. Anonymised data may be reused by the research team or other third parties for secondary research purposes.

How will you keep my data secure?

The University will put in place appropriate technical and organisational measures to protect your personal data. Interviews will be audio recorded, if you give permission. These will be transcribed and the audio file destroyed. Only members of the project team will be able to access the transcripts. Information will be treated confidentiality and shared on a need-to-know basis only. The University is committed to the principle of data protection by design and default and will collect the minimum amount of data necessary for the project.

Will you transfer my data internationally?

Possibly. The University’s cloud storage solution is provided by Google which means that data can be located at any of Google’s globally spread data centres. The University has data protection compliant arrangements in place with this provider. For further information see, https://www.york.ac.uk/it-services/google/policy/privacy/.

Will I be identified in any research outputs?

No. Anonymity is offered to all research participants and the research team will be careful to anonymise any ‘indirect identifiers’ of participants. We will adopt a pseudonym for you and any other individuals or entities you may mention. Transcripts will be carefully checked to assess if there are any indirect identifiers of the participants. Personal details from which you may be directly identified will be kept separately (and securely) from the research data.

How long will you keep my data?

Data will be retained in line with legal requirements or where there is a business need. Retention timeframes will be determined in line with the University’s Records Retention Schedule. Transcripts will be electronically stored on the university’s secure cloud storage system for up to 10 years after which they will be destroyed.

What rights do I have in relation to my data?

Under the GDPR, you have a general right of access to your data, a right to rectification, erasure, restriction, objection or portability. You also have a right to withdrawal. Please note, not all rights apply where data is processed purely for research purposes. For further information see,

www.york.ac.uk/records-management/generaldataprotectionregulation/individualsrights/.

Questions or concerns

If you have any questions about this information sheet or concerns about how your data is being processed, please contact Dr Jane Suter in the first instance: jane.suter@york.ac.uk. If you are still dissatisfied, please contact the University’s Acting Data Protection Officer at dataprotection@york.ac.uk.

Right to complain

If you are unhappy with the way in which the University has handled your personal data, you have a right to complain to the Information Commissioner’s Office. For information on reporting a concern to the Information Commissioner’s Office, see www.ico.org.uk/concerns.