Data protection information
Under the General Data Protection Regulation (GDPR), the University has to identify a legal basis for processing personal data and, where appropriate, an additional condition for processing special category data.
In line with our charter which states that we advance learning and knowledge by teaching and research, the University processes personal data for research purposes under Article 6 (1) (e) of the GDPR:
Processing is necessary for the performance of a task carried out in the public interest
Special category data is processed under Article 9 (2) (j):
Processing is necessary for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes
Research will only be undertaken where ethical approval has been obtained, where there is a clear public interest and where appropriate safeguards have been put in place to protect data.
In line with ethical expectations and in order to comply with common law duty of confidentiality, we will seek your consent to participate where appropriate. This consent will not, however, be our legal basis for processing your data under the GDPR.
How will you use my data?
Data will be processed for the purposes outlined in this notice.
Will you share my data with 3rd parties?
Personal data will be accessible to the project team at York and Birmingham only. Anonymised data or, with the participant’s permission, real names may be reused by the research team or other third parties for secondary research purposes.
How will you keep my data secure?
The University will put in place appropriate technical and organisational measures to protect your personal data and/or special category data. For the purposes of this project all diary entries, activity entries, and video recordings will be stored on the app which will be accessible only to the researchers and web designer in the first instance. You can choose whether the information you share is private to you, to only the researchers, or to the rest of the project app and website. We will store any paper records in a locked drawer. All Zoom discussions will be password protected, and if consent is given for these to be recorded, only the researchers will be able to access this information.
Information will be treated confidentiality and shared on a need-to-know basis only. The University is committed to the principle of data protection by design and default and will collect the minimum amount of data necessary for the project. In addition, we will anonymise or pseudonymise data wherever possible, unless we have consent to use a participant’s real name.
Will you transfer my data internationally?
Possibly. Data may be stored on a secure server based at the University of York or on the University’s cloud storage solution. We are using Google cloud storage for our database, and we are also using Mailjet for storing data related to emails.We're using Algolia to enable the researchers to search through thousands of entries for research, as well as to store any data we have on participants. We're also using VideoAsk which is storing any video interactions the participant makes. We may be storing a participant's information the participant has made public on Netlify too, which is our host for the app and website.
Will I be identified in any research outputs?
Participants will be anonymous in research outputs. However, you may be asked whether you would like to be identified by your real first name or a pseudonym in research outputs. Where you choose to be identified using your real name, we will ask you to complete an additional consent form for this.
Some personal information, such as ethnicity, benefits claimed, or a general description of family circumstances or employment status, may appear in outputs.
How long will you keep my data?
Data will be retained in line with legal requirements or where there is a business need. Retention timeframes will be determined in line with the University’s Records Retention Schedule. Interview and workshop data will be retained for 10 years following their last use in a research publication.
What rights do I have in relation to my data?
Under the GDPR, you have a general right of access to your data, a right to rectification, erasure, restriction, objection or portability. You also have a right to withdrawal. Please note, not all rights apply where data is processed purely for research purposes. For further information see, https://www.york.ac.uk/records-management/generaldataprotectionregulation/individualsrights/.
Questions or concerns
If you have any questions about this or concerns about how your data is being processed, please contact the University of York research integrity office on 01904 322 712 or at [email protected] in the first instance. If you are still dissatisfied, please contact the University’s Acting Data Protection Officer at [email protected].
Right to complain
If you are unhappy with the way in which the University has handled your personal data, you have a right to complain to the Information Commissioner’s Office. For information on reporting a concern to the Information Commissioner’s Office, see www.ico.org.uk/concerns.