Data-regulation-blog-post-650-x-300

Our consortium of six universities – Leeds, Manchester, Newcastle, Sheffield, Warwick and York – is currently embarking on a HEFCE-funded project aimed at improving progression to and success in postgraduate study among students from black, Asian and minority ethnic (BAME) backgrounds, or from neighbourhoods with low progression to higher education (POLAR quintiles 1 & 2).

During this project we will be evaluating our activities using randomised control trials, which involve complex data protection considerations. With the new General Data Protection Regulations (GDPR) due to come into force in May 2018 with stronger regulations on the collection and use of personal data, we consider whether this will present a barrier to the robust evaluation of widening participation activity.

What data is used in widening participation projects?

Widening participation projects typically involve using personal data to target and track particular groups of under-represented students. This data often includes sensitive characteristics including disabilities or (as in our case) racial or ethnic origins. Such sensitive characteristics are subject to more stringent conditions and require high levels of explicit consent for use under the new regulations. Moreover, projects like ours also involve the sharing of data between institutions to provide a larger evidence base for our research and evaluation. This requires a sensitive and joined-up approach to handling the data.

A problem for randomised control trials?

Furthermore, the new regulations emphasise the importance of direct consent, which had potential implications for the integrity of our project’s randomised control trials. Such trials are the principal method through which we are evaluating the effectiveness of our activities to support progression to postgraduate study. Students will be randomly assigned to intervention or control groups, and their rates of progression will then be compared.

Where control groups are being surveyed, there is a clear opportunity to request consent; however, some control groups are merely statistically monitored for their progression. In the latter case, if explicit consent were gathered to use the data from control groups this could affect the integrity of the trial by alerting the control group to the existence of the project and the resources being tested with the intervention group. Requiring those in the control group to opt in to the study could also lead to low levels of response that would threaten the statistical significance of any differences recorded compared to the intervention group.

In practice we’ve been advised that the new regulations do provide exemptions to enable this kind of research. It is possible to process sensitive data for the purposes of research, including for statistical purposes and where it is in the public interest.

What safeguards are needed?

The regulations do require a range of technological and organisational safeguards to be put in place. These safeguards mean we need to:

  • only collect and process data that is essential to the study
  • limit access to the data to those directly involved in the processing
  • password protect and encrypt the data.

Another key data protection measure involves pseudonymisation. Data is stripped of identifying information, such as names or dates of birth, and instead assigned a unique number that allows data to be linked throughout the project (e.g. pre- and post-activity surveys). Wherever practicable, data is stored only in this pseudonymised form. Moreover when the data from across the consortium is shared with our evaluation team, this data is anonymous, as this team do not have the key to these unique numbers. This protects the privacy of everyone in the study.

Opportunity to opt out

There is, however, still a requirement to inform people in monitored control groups about what is happening to their data and to provide an opportunity to opt out. One aspect of our project tracks the progression of offer-holders to enrolled students. Applicants consent to their data being collected, but university data statements often do not explicitly request permission to use this data for research.

Issuing a privacy notice is a mechanism by which we can inform offer-holders of the intended data processing, the aims of the research, and the privacy methods to be used. It will also give people the opportunity to opt out if they do not wish their data to be used in this way.

Our control group will need to be made aware of how their data is to be used. Yet as we only need to explain how and why their data will be processed it should be possible to limit their awareness of the resources being offered to intervention groups. Moreover, the ability to work on an opt-out rather than an opt-in basis will help to achieve sufficient numbers for a statistically significant evaluation.

A barrier to effective evaluation?

The new data protection regulations therefore do not present a barrier to widening participation projects and their robust evaluation. They do, however, require careful design and monitoring of the procedures for collecting and processing data to ensure that appropriate safeguards and notifications are in place.