GDPR

You may have been hearing a lot lately about the new General Data Protection Regulation (GDPR) which came into effect on 25th May 2018

Many GDPR principles are similar to the old Data Protection Act (1998) which the MYRIAD project already complied with. The GDPR includes new and strengthened requirements for how we protect people’s data.

 

What it’s about: 

  • Being open with people about how we use their information
  • Not keeping their information longer than necessary
  • Making sure any information held is accurate
  • Making sure that it is safe
  • Knowing what we’ve got and what we can do with it (e.g. sharing)
  • Recognising a breach and knowing what to do

When your school first consented to participating in the MYRIAD project, we asked the Headteacher to read an information sheet and to agree to take part based on an understanding of how we would use the data collected as part of the study. There has been no change since then in the data we collect or in how or why we use it; the original information sheet remains valid and up-to-date. However, in the interests of greater transparency, we set out below the additional information that the GDPR requires organisations to provide when collecting data for the first time. Who is processing the data? People must be informed of the identity of the ‘data controller’, which means the body that decides how the data is to be used and that is legally responsible for looking after it. For the avoidance of doubt, the data controller for the MYRIAD project is the University of Oxford. However, as MYRIAD is a collaborative project, we share this responsibility with our research partners: the MRC Cognition and Brain Sciences Unit (University of Cambridge), University College London, the University of Exeter and King’s College London.

 

What is the legal basis for the processing of data?

The processing of personal data must have a lawful basis (a legally acceptable reason for collecting and using the data), which must be documented and communicated by the data controller. The data collected for the MYRIAD project is used for the purposes of publicly funded research. This means that the lawful basis for our use of that data under the GDPR is the ‘performance of a task in the public interest’, which is similar to the lawful basis that we relied on under the old Data Protection Act. We ask teachers, parents and pupils for their consent to take part in the project, but this is done for ethical reasons, rather than as a basis for processing of the data.

 

Retention

The GDPR requires organisations to be more upfront about how long they will keep people’s personal data. However, this issue is covered in the original information sheet, and there has been no change in the position since then.

 

Individual rights

The GDPR grants individuals a number of new or enhanced rights. Further information can be found here http://www.admin.ox.ac.uk/councilsec/compliance/gdpr/individualrights/. However, please note that there are exemptions from these rights in respect of data that is processed for the purposes of research. Nonetheless, all parties (schools, teachers, parents and pupils) have the right to withdraw themselves, and their data, from the study at any time. This right is explained clearly on the information sheets and consent/assent forms provided to participants at the point that they decide to participate/for their child to participate in the study. Parents are reminded of their rights twice in the study through a letter sent out from each participating school, and young people are reminded of this right at each assessment visit.

If you have any questions about this, please don’t hesitate to contact the MYRIAD team myriad@psych.ox.ac.uk