
  • 1. Quick guide to this Procedure

    This Procedure applies to all research projects undertaken at Manchester Metropolitan University. It is important that researchers are familiar with this procedure and understand the roles and responsibilities set out in this document. Please be aware that in some circumstances the researcher will be required to complete a separate research Data Protection Impact Assessment (Research DPIA) for their research project; in other instances this will not be required, because the assessment process is partly embedded in the EthOS application process.

    This quick guide section has been included so that researchers can understand which requirement applies to them, i.e. whether the assessment is automatically included in the EthOS application or whether a separate Research DPIA is required. Please contact [email protected] if you are unsure how this procedure applies to your research.


    Requirement to conduct a separate Research DPIA

    You will be required to complete a separate Research DPIA in the following situations:

    1. You are directly prompted in EthOS that this is a requirement.
    2. You are prompted in EthOS to contact [email protected] because your responses indicate that your project could be high risk in data protection terms, and the data protection team believe the project would benefit from a separate Research DPIA being conducted (for example, because your project may contain complex data protection considerations which require further documentation).

    No requirement to conduct a separate Research DPIA

    1. You are not prompted directly to complete a separate Research DPIA in EthOS.
    2. You are not prompted in EthOS to contact [email protected].
    3. You are prompted in EthOS to contact [email protected] because your responses indicate that your project could be high risk, but the data protection team confirm that a separate Research DPIA is not required (for example, because the data protection considerations can be adequately set out within the EthOS application).

    You are however still required to follow this procedure.


  • 2. Policy Statement

    This procedure defines the University’s approach to data protection assessments in research. It sits alongside the University’s Data Protection Assessment Procedure for business processes and projects.

    The requirement to conduct a Data Protection Impact Assessment (DPIA) is set out in the data protection legislation. Usually, the DPIA process within research is embedded in the EthOS application (‘High Risk Data Protection Applications’). However, there are instances when a separate Research DPIA is required, which sits outside of the EthOS application. This procedure describes when a separate Research DPIA is required, and when the assessment is incorporated into the EthOS application. It also sets out the roles and responsibilities of Manchester Metropolitan staff and students in respect of these assessments.

  • 3. Audience

    This procedure is primarily intended for undergraduate, postgraduate taught and postgraduate research students, and for research staff. Other individuals will also have an interest in it, in particular those listed in the Ownership section of this procedure.

  • 4. What is a DPIA?

    A DPIA is a mandatory process for research projects that are likely to result in a high risk to the rights and freedoms of the research participants or any other individual. The assessment is designed to identify, minimise and document the data protection risks associated with any form of processing.

    A DPIA will address the nature, scope, context and purpose(s) behind the collection and use of personal information. Importantly, it helps us to consider any risk to individuals that is associated with the processing and how to mitigate those risks. Risk should be considered in terms of likelihood and severity of any impact on the individuals.

  • 5. Ownership

    Manchester Metropolitan University is the Controller for all personal information processed by its researchers. However, this responsibility is delegated to other stakeholders across the University who act to ensure that this personal data is processed in a compliant manner. These stakeholders include:

    1. The Data Custodian, Chief Investigator for external projects, or appropriate delegated individual: Primary ownership, responsible for completing data protection relevant sections within EthOS, or compiling separate Research DPIAs where required, and has overall responsibility for the research data.
    2. Academic Supervisor: Responsible for overseeing the project at design stage and raising any concerns to other stakeholders.
    3. Data protection subject matter expert (Legal Services): All separate Research DPIAs and High Risk Data Protection Applications in EthOS to be reviewed by the data protection subject matter expert, who will provide support for the DPIA process and comment on the assessment or application conducted. The data protection subject matter expert is also responsible for escalating any high-risk activities that cannot be mitigated, and facilitating reporting these to the Information Commissioner’s Office.
    4. Faculty Heads of Research, Ethics & Governance, or Deputy Faculty Heads of Research, Ethics & Governance: Responsible for signing off any projects that involve residual low-risk processing (as identified in step 6 of the template).
    5. Faculty Pro-Vice Chancellor, or Director of RKE for NHS research applications: Information Asset Owner responsible for signing off any projects that involve residual high or medium risk processing that cannot be mitigated (as identified in step 6 of the template).
    6. Any other relevant stakeholders, depending on the nature of the project: such as IT security, legal and insurance.

    The Data Custodian, Chief Investigator, or appropriate delegated individual will seek the advice of any relevant stakeholders listed above in the creation of the Research DPIA or High Risk Data Protection Applications in EthOS.

    Projects meeting the threshold for conducting a Research DPIA, or for completing an EthOS High Risk Data Protection Application, must not commence until the assessment or application has been completed and all appropriate stakeholders have signed off on it.

  • 6. Process

    The process is defined as follows:

    Projects where sections A-L of the EthOS application are completed

    All questions within the EthOS application are to be answered fully. The application contains a DPIA screening question, which lists several indicators suggesting that the proposed processing is high risk (i.e. a High Risk Data Protection Application). Researchers completing the EthOS form must ensure they read all guidance notes and seek guidance from [email protected] if there is any doubt about these questions or about whether any indicators are met.

    1. Where an indicator is met, further questions are presented, in particular two questions relating to the risks and the mitigations for those risks. The Data Custodian, Chief Investigator for external projects, or appropriate delegated individual should answer these questions as thoroughly as possible, clearly setting out the risks and relevant mitigations, including the perceived level of residual risk. This section will be reviewed in detail by the data protection subject matter expert, so it is important that the researcher provides as much detail as possible at an early stage.
    2. If the data protection subject matter expert considers that, after mitigation, any residual risks are ‘medium’ under University procedure, the project may be referred to the Faculty PVC for their information, comment and sign-off. If the residual risk is considered ‘high’, the proposal must also be referred to the Information Commissioner’s Office (the external data protection regulator) for review. Although ownership of the DPIA rests with the Data Custodian, Chief Investigator for external projects, or appropriate delegated individual, the data protection subject matter expert will work with that individual to make these referrals, which may require additional documentation to be completed. Please note that a response from the ICO can take between 8 and 14 weeks.
    3. Projects that meet a high-risk indicator are prompted to contact [email protected] (in addition, ‘Full Applications’ that meet a high-risk indicator are formally referred to data protection by the relevant RKE reviewer after submission). The project must not commence until the data protection subject matter expert has reviewed the assessment. If further detail is required, the data protection subject matter expert will request clarification and further detail before authorising the application. This may involve working with the researcher to complete a separate Research DPIA outside EthOS (for example, because the project may contain complex data protection considerations which require further documentation).

    Projects where the following statements are selected to question A11: 1) ‘You want Manchester Metropolitan University to certificate an existing approval you hold from a recognised body’ OR; 2) ‘You need to apply for ethical approval from a particular recognised approving body or are in the process of being reviewed for ethical approval by such a body’

    1. The DPIA screening question appears when one of the above two options is selected for question A11. If one or more of the high-risk indicators is applicable, a separate Research DPIA must be completed. If no high-risk indicators apply, there are no further requirements under this process.
    2. Where one or more high-risk indicators from the screening evaluation apply, the individual completing the application must go on to complete a Research DPIA. The template contains guidance notes on how to do this. When complete, the Research DPIA should be sent to [email protected]. Please note: if the external organisation is conducting a DPIA with your support, you may not be required to complete the University template. Please contact [email protected] in these instances.
    3. Steps 5 and 6 of the Research DPIA capture any potential risks and the mitigations for those risks. If step 6 (mitigations) documents residual risks of ‘low’, the assessment must be signed off by the Faculty Head of Research, Ethics & Governance, or their deputy. Where residual risks of ‘medium’ are documented, the assessment must be referred to and signed off by the Faculty PVC. If the residual risk is ‘high’, the assessment must be signed off by the Faculty PVC and must also be referred to the Information Commissioner’s Office (the external data protection regulator) for review. Although ownership of the DPIA rests with the Data Custodian, Chief Investigator for external projects, or appropriate delegated individual, the data protection subject matter expert will help to make these referrals and will update that individual on their progress. Please note that a response from the ICO can take between 8 and 14 weeks.
    4. The Data Custodian, Chief Investigator for external projects, or appropriate delegated individual must ensure that the findings of the DPIA, and the advice provided by stakeholders, are incorporated into the project plan.


Research DPIA Template

Download the Research Data Protection Impact Assessment Template