Establishing Grounds For Processing Personal Data.
Data protection frameworks worldwide increasingly require that individuals and organisations establish clear and compelling grounds before collecting and/or processing personal data. These requirements apply to researchers. Even in jurisdictions where no legal requirements exist, researchers have a responsibility to respect the privacy and rights of data subjects. This requires that they establish some basis for collecting and/or processing any personal data.
Implicit in this requirement is the need to identify the owner of the data to be processed and to secure permission to process the data. Researchers must not access or scrape personal data from websites or other online sources without the consent of the data owner (see section 9, Responsibilities to data owners).
Before accessing any secondary data source containing personal data, researchers must first determine the provenance of individual data sets, i.e., the origins of data and its subsequent processing, in as much detail as possible (see section 8). This can be difficult when using a database constructed from multiple sources, where a number of merging, linking up, transforming or aggregating steps may already have been performed. The difficulty will vary depending on whether the data is first, second or third party. For example, when dealing with first and second party data, the data owner is often easy to identify and the circumstances of collection determined. When working with third party data, which generally is multi-sourced, even establishing provenance can be a major undertaking. Data brokers, for example, typically build profiles of individual consumers from dozens of sources, making it difficult to verify what data subjects were told at the time of collection and what limitations may have been placed on its use.
One relatively straightforward method for doing so is to acquire and review for each data source the Terms of Use (ToU), privacy notice, or other similar document provided to data subjects at the time of collection. Researchers must only use secondary data sources containing or constituting personal data that are adequately supported by information that specifies how the data was collected, under what terms, and for what purpose. Above all else, researchers must verify that the personal data was collected legally and transparently, which is essential when determining whether the data can be processed for a research purpose.
While the requirement to establish ethical or legal grounds for processing personal data is increasingly common worldwide, there are often significant differences across jurisdictions in terms of available grounds, how to qualify, and what specific data collection and/or processing activities are permitted. Therefore, researchers must fully understand the requirements within all jurisdictions applicable to the personal data being processed and ensure that they comply with the relevant law.
When engaged in primary data collection, researchers have generally relied on consent from data subjects before collecting and processing any form of personal data. This includes being transparent about the information they plan to collect, the purpose for which it will be collected, how it will be protected, with whom it might be shared and in what form.
When dealing with secondary data, the rigour of consent practices as expressed in the Terms of Use (ToU) varies widely. Some may have many of the same elements as the classic research consent process, while others may miss important elements. In addition, data subjects may have agreed to ToU without careful reading prior to indicating their agreement, making any consent based thereon questionable.
If a researcher intends to rely on consent as the ground for processing, there must be sufficient information to determine that:
- The data was legally and transparently collected without deception or in ways not obvious or reasonably discernible and anticipated by the data
- The data subject was required to opt-in to sharing personal
- The purpose or purposes to which the data would be put was clearly
- Use of the data for research was not specifically excluded in either the ToU or privacy notice provided at the time of
- Any requests from individual data subjects that their data not be used for purposes other than those described at the time of collection.
Failing to meet any one of these five conditions requires that researchers consider other grounds.
(Excerpt from ESOMAR, Guideline on Processing Secondary Data for Research)