Research data in the context of Element Human is data that has been collected by the business for the sole purpose of being used in validating original research. The data is segregated from other sources of data within the business by logical separation.
To qualify as research data, the data has to have been collected through the platform under our research organisation. All data collected under the research organisation shall be backed up to long-term storage for research use. Personally identifiable data collected outside of our research organisation is never retained for longer than 30 days.
Collection guidelines
We prohibit collection of GDPR special category data at this time, as we do not have the appropriate policies set up for its management and collection. This excludes the following from collection:
- personal data revealing racial or ethnic origin;
- personal data revealing political opinions;
- personal data revealing religious or philosophical beliefs;
- personal data revealing trade union membership;
- genetic data;
- biometric data (where used for identification purposes);
- data concerning health;
- data concerning a person’s sex life; and
- data concerning a person’s sexual orientation.
This is taken straight from the ICO guidelines on special categories.
Retention guidelines
Different types of data have different storage and retention guidelines:

| Type of data | Retention Period | Examples |
| --- | --- | --- |
| PII | 7 years | Webcam videos, voice recordings, still images of subjects or detailed survey data that could be used to identify a person. |
| Respondent Data (non PII) | Indefinite | Survey answers or respondent metadata |
| Derived data | Indefinite | Biometric model outputs. |

When data is no longer useful and stops providing value it should be deleted even if it’s inside of the retention period outlined. Storing data comes at a cost in both management time and raw storage costs.
Access guidelines
Access should be limited to those that require access. Generally two groups will have implicit access to research data:
- IT operations and support staff.
- Research staff conducting the research.
Other staff usage should be recorded on a study level and limited to that study.
Usage guidelines
Although this data is collected for our own research purposes, we still have all of the same responsibilities around keeping it secure and private. With this in mind, we request the following:
- Private data is not copied down from Google Cloud Platform (GCP) onto local devices, except for reasons authorized by the senior team (publication, presentation, etc.). Work should be done on terminals within GCP to keep the data within GCP.
- Access should be audited through a recorded means. Tools that are developed with access to PII should record access and persist this data.
Data subjects rights
Even though we’ve collected this data ourselves rather than on behalf of a client, respondents still retain their basic rights enshrined in GDPR. This includes the following:
- Right of access: subject access requests require us to provide all data collected from the user in an accessible manner. For us that includes any biometric video (or audio) recordings along with the full text of the survey output to a CSV. This is then zipped and provided to the respondent in a secure manner.
- Right of erasure: the right to erasure in the context of research data is a manual process. The respondent IDs will have to be found within the archival bucket and manually deleted. We do not have to delete the survey responses as there is nothing to identify back to an individual at this point.
Normal tooling developed for the rest of Element Human can be used for handling either of these requests.