WWCSC Research Data Protection Statement
This statement provides awareness of the standard data protection practices undertaken by What Works for Children’s Social Care (“WWCSC”, “our”, “we”, “us”) for each research project it undertakes or commissions (“project”). It does not relate to any specific project, although it does act as supplementary information captured within a Research Protocol Document or Trial Protocol Document and can also act as a way to inform stakeholders and other interested parties.
Each research project differs from the last and the information in this statement may not always be representative of all activities undertaken by WWCSC for every project. Also, not all projects that are funded by WWCSC are new projects and not all projects WWCSC funds begin with WWCSC funding. Where WWCSC deviates from the information provided below, subsequent project specific information contained in further data protection documents which may or may not be confidential qualifies as the final authority on the requirements and actions taken by WWCSC to protect the personal data of data subjects.
Relationships between WWCSC and the organisations we work with are outlined below, although it should be noted that the rest of this statement is not applicable where an independent controller makes use of the data collected within a project for their own purposes and outside of the purposes outlined in a Trial Protocol. Provisions for contractual accountability to Data Protection Laws are in place with independent controllers to which they confirm sole responsibility.
About this Statement
The language in this document is aimed at an academic audience and subsequently may have some technical terms requiring definitions which can be found at the end of this document. This is not a legal document and WWCSC will not take any liability for any external parties who use the information in this document for their own purposes outside the purpose with which it was designed.
This statement provides for three (3) distinct data use categories within each project.
- The first is the use of research participant personal data within the research where this data is being analysed to answer a research question and inform a final research report. E.g. The personal data captured from surveys, interviews and other requested datasets.
- The second focuses on the logistical aspect of running a research project or evaluation. E.g. Research participant personal data is collected and used to make contact with a data subject to conduct an interview or send them a survey to complete.
- The third is the personal data such as contact details for researchers, employees and other relevant stakeholders for the delivery of a project where they will interact before research participant data is collected or used (as per points 1 & 2).
WWCSC takes data protection practices very seriously and this statement further strengthens our commitment to good data protection practices as an industry leader. If you would like to find out more about how WWCSC processes all types of personal data please see our Privacy Notice which can be found here.
Data Protection by Design/Risk Assessment
Each project is given a Data Protection Identifier (DPID) for ease of reference. The DPID can be found on each project related data protection document.
Each project is screened for the level of risk associated with data subjects and their personal data (either research participants or employees of the organisation(s) conducting the study/evaluation/project). Where risks have been identified, a Data Protection Impact Assessment (DPIA) is conducted by WWCSC. The outcome of the screening process and any subsequent DPIA for a project is measured by the likelihood of harm against the severity of harm to produce an overall risk assessment.
Once risks have been identified we establish options to reduce or eliminate the risk. We re-evaluate the level of risk based on the options to reduce the risk. Where the options to reduce or eliminate the risk have an effect we calculate the risk level again and call this the “residual risk”.
If we discover the residual risk to be high, based on the table below we submit the DPIA to the Information Commissioner’s Office (“ICO”) for further consultation from them.
Contractual Measures for Compliance
An evaluator and possibly other organisations that will process any amount of personal data for the purpose of a project are contractually bound by WWCSC to be compliant with Data Protection Legislation within the country or countries in which personal data is captured, processed, stored and/or accessed, including but not limited to the UK Data Protection Act 2018 (DPA) and the UK General Data Protection Regulation (GDPR).
To carry out the projects we undertake or commission, it is often necessary to use and share personal data about data subjects. Data subjects are provided with access to a compliant Data Privacy Notice (DPN) at the point or points of collection of their data. A data subject’s data subject rights are facilitated via presentation of a compliant privacy notice. No individual outside of the project team is named in any research reports or outcome reports for the projects we undertake or commission unless permission has been granted from the data subject(s).
Any organisation that collects personal data directly from a data subject or from a third party for a project is contractually responsible, by way of signed agreement with us, for providing the data subject from whom personal data is being collected with a data protection notice, setting out:
- All of the information required under UK GDPR Article 13 or 14 (as applicable).
- The essence of the agreement between any organisations subject to a Data Sharing Agreement relating to the processing of the personal data and any sharing of that personal data.
A list of data processing activities is contained within our record of processing activities in accordance with UK GDPR Article 30. Processing activities of personal data relevant to data subjects are also listed within one or more DPNs made available to research participants at the point of collection of their personal data.
Explanation of Lawful Bases in our research
What Works for Children’s Social Care (WWCSC) is acting upon the instructions from the Department for Education (DfE) in accordance with Annex K of the Grant Offer Letter to WWCSC, where it is stated that WWCSC is acting as a Processor on behalf of the DfE as Data Controller, and the subject matter of the processing “is needed in order that the Processor [WWCSC] can effectively deliver the grant to provide a service to the Children’s Social Care sector”. WWCSC is therefore acting under the authority vested upon it by the DfE as its funder which appropriately corresponds to WWCSC conducting its research under Article 6.1(e) of the UK GDPR: “Processing is necessary for the performance of a task carried out in the public interest.”
For the purpose of archiving data into the WWCSC Data Archive, this is consistent with WWCSC providing a service to the Children’s Social Care sector as required by its funder therefore compatible with the requirements of GDPR as stated above. Data archived within the WWCSC Data Archive instance of the Office for National Statistics Secure Research Service (“ONS SRS”) for the purposes of secondary research shall be non-identifiable data and governed under the UK Digital Economy Act 2017 and the UK Statistics and Registration Service Act 2007. (Further information on the WWCSC Data Archive is available below and on our website).
WWCSC will process personal data under UK GDPR Article 6.1(f) “legitimate interests” as the lawful basis for activities such as, but not limited to, inviting data subjects to participate in projects, requesting informed ethical consent for participation, transcribing audio, sending a survey and identifying a data subject to be able to respond to any data subject rights requests. This is not an exhaustive list and each Data Privacy Notice clearly indicates the processing activities which are relevant to each project and the associated lawful basis for processing.
Any processing of special category personal data or protected characteristics as defined by the UK Equality Act 2010 shall be processed in accordance with UK GDPR Article 9.2(j) which states “processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes”.
There may be rare occasions when personal data is processed in accordance with UK GDPR Article 6.1(a) and/or Article 9.2(a) (“GDPR Consent”). This is not to be confused with “Informed Consent” on the basis of research ethics and research ethical requirements.
Research projects will often ask for consent from an individual to participate in a project. Unless it is clearly stated in the relevant Privacy Notice provided to individuals, in general, this will not be GDPR Consent. This means consent as a legislative data protection lawful basis as sufficient legal justification for the processing of personal data would not apply.
GDPR Consent is reliant on the ability for the individual who gave the consent to be able to withdraw their consent and for that use of their personal data to stop at that time. In most cases where research analysis had begun it would not be possible to immediately halt use of the data or remove the data until the analysis was complete. This means we could not act upon a right to withdraw request thus rendering the use of GDPR Consent as a lawful basis for processing personal data for research purposes moot.
A lot of research is dependent on gathering “informed consent” for an individual’s participation as part of ethical considerations required by either a research ethics committee who have reviewed the project proposal or to follow best practice in accordance with the Helsinki Declaration.
In most, but not all projects the processing of personal data could not be discontinued if the data was in the analysis phase of a project i.e. the personal data is embedded into the data set(s) being analysed at that current time as part of the research process. Removal of data at that point may detrimentally impact the analysis and outcome of the project and/or be too difficult to remove from the project and/or research software locations.
Where a project has gained ethics approval from an Ethics Committee it is likely that under the requirements of the Helsinki Principle in research, ethical consent for participation will be sought from data subjects. This is not the same as consent used as a lawful basis for personal data processing although they are often confused. Consent captured for participation can act as a sufficient safeguard within data protection practices.
For the avoidance of doubt, informed ethical consent shall be regarded by WWCSC as a supplemental safeguard for the processing of personal data including the capture and storage of personal data. Once analysis is being conducted, depending on the dataset in use, a data subject is unable to withdraw consent insomuch as this would detrimentally affect the analysis process intrinsic to the research being conducted.
Where ethical consent has been withdrawn by a data subject, where possible and dependent on the stage of the research process, WWCSC will discontinue the processing of the data subject’s personal data and either fully delete, partially delete, pseudonymise or anonymise all identifiers associated to the data.
Relationships of organisations
Each project varies in scope and complexity in terms of interactivity of organisations acting as agents, collaborators, funders, facilitators, evaluators, third parties, consultants, contractors, delivery partners, storage vendors, archive location partners and more. Each organisation is designated as either an Independent Controller, Joint Controller, Data Processor or Sub-processor. Each organisation is subject to relevant agreements which have been signed by all organisations working together for a project.
Typical documentation requiring signatures, which contains data protection information or agreement on data protection practices, is one or more of the following for each project:
- Grant Agreements
- Trial/Research Protocol
- Data Sharing Agreements
- Joint Controller Arrangements
- Data Processing Agreements, or
- Clauses, appendices and/or schedules in other contractual documents.
In most but not all cases, where WWCSC is acting as the funder for a project it will act as a Joint Controller with evaluation partners. In most, but not all cases, the delivery partners will act as an independent controller for the project because they will not be collecting any data for the research to be conducted. Both of the above suppositions will have clear clarification in data protection documentation.
Where any organisation engages a third-party processor to process personal data they commit by way of signed agreement to:
- Enter into a data processing agreement incorporating all the provisions required under Article 28 of the UK GDPR with that third party processor.
- Remain fully liable to the other organisations in the agreement for the acts and omissions of the third-party processor.
- Provide copies of data processing agreements upon request to any organisation within a signed agreement.
WWCSC works diligently to define the process flow of personal data within each project so the journey of all data is known and can be referenced where it is unclear. This includes which organisations share data with other organisations, when this happens, and the reasons for doing so.
Equality, Diversity and Inclusion (EDI)
WWCSC monitors personal information related to the Equality Act 2010, inclusive of data known as ‘Protected Characteristics’ (age, disability, gender reassignment, marriage or civil partnership (in employment only), pregnancy and maternity, race, religion or belief, sex, sexual orientation) for the purposes of adherence to the law. WWCSC also monitors personal information related to our internal equality and diversity monitoring policy which includes geographical location, organisation, socio-economic class, caring responsibilities, educational background. We have a legitimate interest in capturing and monitoring EDI related information as part of our organisation’s commitment to EDI and fairness in all its forms.
WWCSC commits to implementing appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk and varying likelihood and severity for the rights and freedoms of natural persons.
WWCSC ensures that its staff members are appropriately trained to process personal data and any shared personal data in accordance with Data Protection Laws and have measures in place to only allow authorised personnel directly involved in a project to be granted access to any related and relevant personal data or shared personal data.
Information collected by WWCSC is securely stored on a dedicated drive, and access is controlled by WWCSC’s secure access policy for the duration of a project. When a project has completed WWCSC revokes access to the data so the minimum access required for storage in accordance with the project’s retention period can be adhered to whilst reducing risk of subsequent use and exposure of the project data where there is no lawful basis for doing so. We always keep our security measures under review to make sure that the measures we have implemented remain appropriate.
Onward sharing of personal data to organisations other than those named in documentation and data protection agreements is strictly forbidden and such sharing would be considered a data breach. All researchers are briefed thoroughly before interviews and observations which includes briefing information on safeguarding and disclosure procedures, to make sure researchers are clear on the process to follow in the event of disclosure and/or data breach.
Where there is more than one organisation involved in the project we put signed agreements in place to ensure each organisation acknowledges their respective duties under Security and Data Protection Laws and to give each other all reasonable assistance as appropriate or necessary to enable each other to comply with those duties. We require any organisation, where possible within a project, to reduce or eliminate the identifiability of personal data and shared personal data including but not limited to the deletion, pseudonymisation and anonymisation of such data throughout any given project.
Contractual measures also require that only researchers and relevant employees in organisations working on a project are to have access to project data. These measures require individuals with any access to project personal data to have been trained in data protection practices before handling any data and the methodology for secure transfer and/or sharing of personal data is transparent to all other organisations within the project.
Defined Retention Period and Destruction
All data will be processed for the duration of a project. Where possible we will, and will contractually oblige other relevant organisations to, minimise and/or reduce any personal data or shared personal data where any data category is no longer required for the project. WWCSC enters into agreement with other organisations for each organisation to give the other organisations at least 30 days’ prior written notice if it intends to delete any personal data and/or shared personal data before the defined retention period. Furthermore, each organisation is required to notify all other organisations in writing of the confirmation of destruction/deletion of personal data and shared personal data and they are able to evidence destruction/deletion to other organisations upon request at the end of a defined retention period.
The delivery of the final report as the outcome to a project is the time from which the defined retention period begins. Project time frames vary considerably from a few months to a number of years. WWCSC retains personal data captured within a project within its network for no longer than 6 years and in most cases considerably less. Where project data will be archived with the purpose of secondary use of that data within external research, the personal data will be transferred to the Office for National Statistics Secure Research Service (“WWCSC Data Archive”).
WWCSC recognises the possibility that the scheduled date of final report delivery can change. There may be a variety of reasons for this which, due to the nature of research projects, may not be apparent at the outset of a project. Should this happen it will be reflected in updates to data protection documentation including but not limited to the DPIA and any subsequent agreements or notification between organisations.
Where an organisation collaborating with us is an independent controller, it shall determine its own retention period for the data it collects in accordance with any statutory or professional retention periods applicable in that organisation’s respective country and/or industry.
The retention of the data in the WWCSC Data Archive is calculated in accordance with:
- WWCSC reviewing the storage of all data in the archive every 2 years
- An ONS policy alignment which states, “ONS will delete data if it has been unused for a period of two years”, and
- National Pupil Database data supplied by the Department for Education (“DfE”) reviewed by WWCSC and DfE as part of an annual review of a data sharing agreement resulting between WWCSC and DfE.
WWCSC Data Archive
Most projects will have data archived on behalf of WWCSC for future reference and use. This will enable WWCSC and future research teams to use the pseudonymised and/or anonymised data as part of subsequent research through the ONS Approved Researcher Scheme, including analysing long-term outcomes through the National Pupil Database (“NPD”). Further information on how data is protected and processed in the WWCSC archive can be found on the WWCSC website.
Where data is marked for archiving WWCSC will, or will request an organisation on its behalf to, bring together all relevant research data for the purpose of adding it to its Data Archive. WWCSC is the independent controller for all data uploaded to its data archive. Any organisation transferring data to the WWCSC Data Archive is doing so as a Data Processor on behalf of WWCSC, which is the data controller for the data being transferred and stored in the WWCSC Data Archive.
Linking to NPD and use of the Secure Research Service (“SRS”)
Where a project requires data from the NPD as part of the research a researcher will submit an application request form to the DfE. The DfE will review the application and if approved have ONS create a research instance within the SRS. Once the research has been completed, the data will be transferred to the WWCSC Data Archive.
There may be scenarios within a project where specific pupil data is requested from the DfE. For this to be actioned the researcher will submit an application form to the DfE for review which will contain pupil data to allow DfE to match the individual with the requested data held in the NPD. The data required for the analysis will be added to the SRS research instance yet not reveal to a researcher which line of data from the NPD matches to each specific pupil. The SRS is managed by the ONS following their ‘Five Safes’ methodology (https://blog.ons.gov.uk/2017/01/27/the-five-safes-data-privacy-at-ons/).
There are occasions where projects we undertake or commission capture children’s personal data. When we do so we capture personal data that will allow us to match the pupil with the NPD whether or not the project requires the use of NPD data. This is for the purpose of enriching the usability of the data within the WWCSC Data Archive for future research. This is a complex and nuanced process where transparency and accountability are paramount for the capturing of more data than is required for a project solely for the purpose of enhancing the original dataset from the original project for secondary use via the SRS.
We clearly communicate this to all stakeholders and relevant data subjects in the expected locations with the assurance that data subjects are not able to be identified from the data held in the WWCSC Data Archive within the stringent parameters of access that are in place. For further information on the WWCSC Data Archive and the processes described please refer to the Data Archive page on our website.
If you have any questions, or wish to exercise any of your rights, then you can contact us by writing to:
What Works for Children’s Social Care
The Evidence Quarter
Alternatively, you can email us at firstname.lastname@example.org