METHOD:
RESEARCH ETHICS

Relevant across all the three performance measurement dimensions of a trial are issues relating to research ethics. Research ethics rules and norms are part of the TGM and have to be considered when setting up a trial. Whenever human beings are involved in the activities, data protection rules and requirements have to be followed in order to protect their privacy, and to regulate their participation. These obligations are most notably defined in the general data protection regulation (GDPR) of the EU. The GDPR is structured around a handful of privacy principles, briefly described below. Based on these principles, this guide lists key requirements and recommendations, linked to each of the three phases of a trial: preparation, execution and evaluation. With the new regulation, a company can be fined 2% for not having their records in order (GDPR article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment. For carrying out a trial, the changes that came with this new regulation mainly refer to citizens’ rights. In GDPR, the rights of the data subject are detailed in chapter III. While the new rules for businesses are also relevant in the trial context, the implementation and enforcement of GDPR lie with the individual company/business/organisation taking part in the trial. In sum, this ethical guideline in (as part of the trial guidance methodology) will not be aimed at assisting businesses in adapting to the GDPR, but it will first and foremost take into account the rights of the data subjects that are potentially participating in the trial activities. 

The following guidelines reflect the most anticipated issues and concepts for organising a trial, but they are not fully exhaustive. The reason for this is that to identify precisely what ethical issues might be relevant for a trial, more information about the setup, such as the scenario and the extent of involvement of external participants such as volunteers, is needed. However, the guidelines give a good indication of what the most important issues could be, and how to solve them.

Lawfulness, fairness and transparency: The GDPR clearly states that processing of data shall be lawful only if and to the extent that at least one of several conditions applies [GDPR article 6]. These conditions are e.g. the data subject has given consent to the processing of his or her personal data for one or more specific purposes. The conditions for consent have been strengthened and consent must be provided in an intelligible and easy accessible form, using plain language.

Collection, processing and purpose limitations: The GDPR states that personal data can only be obtained for “specified, explicit and legitimate purposes” [GDPR article 5, clause 1(b)]. GDPR also states that data subjects should be able to “consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose.” Article 17 supplies each data subject with the right to have his/her personal data erased when s/he withdraws consent or objects to the processing, as well as when the data are no longer needed for the purpose for which they were first collected. Under GDPR it is not necessary to submit notifications / registrations to each local DPA of data processing activities. Instead, there are internal record keeping requirements and a DPO appointment is mandatory in certain cases.

Accuracy: The GDPR states that data must be “accurate and where necessary kept up to date” [GDPR article 5, clause 1(d)].

Data minimisation & Privacy by Design: The GDPR states that data collected on a subject should be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed” [GDPR article 5, clause 1(c)]. Privacy by design, a new legal requirement under GDPR, calls for the inclusion of data protection from the onset of the designing of systems, rather than an addition. Article 23 calls for controllers to hold and process only the data absolutely necessary for the completion of its duties (data minimisation), as well as limiting the access to personal data to those needing to act out the processing.

Storage limitations/integrity and confidentiality: The GDPR states that personal data should be “kept in a form which permits identification of data subjects for no longer than necessary” [GDPR article 5, clause 1(e)]. The GDPR also states that those processing data should do that “in a manner [ensuring] appropriate security of the personal data including protection against unlawful processing or accidental loss, destruction or damage” [GDPR article 5, clause 1(f)]. Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure, as outlined in article 17, include the data no longer being relevant to the original purposes for processing, or a data subject withdrawing consent.

GDPR requirements & recommendations for the preparation phase

Decide if a Data Protection Impact Assessment (DPIA) is needed [see GDPR Section 3, Article 35]. A DPIA shall in particular be required in the following cases:

• a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; 
• processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or 
• a systematic monitoring of a publicly accessible area on a large scale.
• Ensure that data is collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes [GDPR article 5, clause 1(b)].
• Inform the data subject (the person which personal data is collected from) about the data controller’s identity and contact information, what kind of data will be collected and processed, how the result of their contribution will be used, and make sure that the data actually collected matches this description. Provide information about the purpose of the research, who will receive access to the data and how long the material will be stored. This information should be given in an informed consent sheet, which the data subject has to sign prior to data collection.
• Make the conduct of observation or recording very clear. Give anyone potentially affected by it the possibility to refuse from being observed or recorded.
• Always inform all participants and potential bystanders thoroughly and well ahead of the conducted research. In the event that bystanders could be affected by the activity, by e.g. being exposed to a trial scenario with a field component, as much information as possible should be given to them in advance. This can e.g. be done by putting up information posters in the vicinity of the trial area. This would be considered good practice, even though the bystanders are not “data subjects”. However, this is dependent on the situation. If there is video surveillance or tracking of bystanders by the solution providers, then they may become data subjects.

GDPR requirements & recommendations for the preparation phase continued

• If needed, consult local data protection authorities to make sure that rules and regulations ensuring data protection rights are followed. Registration with national authorities must be made where required. With GDPR, there is no longer a requirement to notify DPA about data processing. However, other responsibilities apply, which may affect the rights of the participants, such as the duty to carry out data protection impact assessment and conduct prior consultations (descriptions of when this is relevant can be found in article 35 and 36 of GDPR).
• The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her (GDPR article 22). If such processing is necessary in DRIVER+ (e.g. for the “potentially automated” performance measurement and logging using technical infrastructure in SP92), the decision must be based on the data subject’s explicit consent [GDPR article 22, clause 2(c)]. 
• Plan for practising data minimization, i.e. avoid collecting unnecessary data. 
• Plan for and ensure that personal data collected is stored in a secure way, e.g. by using the ISO/IEC 27000 family of standards or the kind of guidance provided by theNational Cyber Security Center. 
• Anonymize and encrypt personal data as a general rule. 
• Use technology for data recording only if necessary. Provide justification. 

GDPR requirements & recommendations for the execution phase

• In case servers are hacked, or if personal data is otherwise obtained by someone without permission to access it, breach notifications are now mandatory in all member states. This is true for cases where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 
• 72 hours of first having become aware of the breach.
• Ensure that personal data collected is stored in a secure way, e.g. by using the ISO/IEC 27000 family of standards or the kind of guidance provided by National Cyber Security Center in the UK. 
• Use technology for data recording only if necessary. Provide justification.
• Practice data minimisation, i.e. avoid collecting unnecessary data. Collected data, which is no longer required, should be deleted. In case of a data breach, this will lessen the amount of affected individuals.
• Refrain from processing data that is not up-to-date.
• Anonymise and encrypt personal data as a general rule.
• Be aware that under GDPR any person located in the European Union (anyone residing in the EU, not just EU citizens) can request their personal information be removed from a corporate database, or know the reason why it can’t.
• The data subject does have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her (GDPR article 22). If such processing is necessary for the execution of a trial (e.g. for the “potentially automated” performance measurement and logging using the test-bed technical infrastructure), the decision must be based on the data subject’s explicit consent [GDPR article 22, clause 2(c)].
• Ensure that data is collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes [GDPR article 5, clause 1(b)].

GDPR requirements & recommendations for the evaluation phase

• In case the servers are hacked, or if personal data is otherwise obtained by someone without permission to access it, breach notifications are now mandatory in all member states. This is true for cases where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first having become aware of the breach. 
• Do not re-use data without written agreement. An updated signed informed consent from should be obtained from the data subject when a controller intends to process data for a further purpose.
• Refrain from processing data that is not up-to-date.
• Collected data which is no longer required should be deleted. In case of a data breach, this will lessen the amount of affected individuals.
• Anonymise and encrypt personal data as a general rule. Personal data should be “kept in a form which permits identification of data subjects for no longer than necessary” [GDPR article 5, clause 1(e)]. 
• Those processing/analysing personal data should do that “in a manner [ensuring] appropriate security of the personal data including protection against unlawful processing or accidental loss, destruction or damage”[GDPR article 5, clause 1(f)].
• Be aware that under the GDPR any person located in the European Union (anyone residing in the EU, not just EU citizens) can request their personal information be removed from a corporate database, or know the reason why it can’t.
• If personal data is contained in the description of trial results which is stored in the PoS, this should be justified.
• In addition to ensuring that personal data is collected for specified, explicit and legitimate purposes, make sure that the data is not further processed in a manner that is incompatible with those purposes [GDPR article 5, clause 1(b)].