 Hi, everyone. Welcome to the UK data service workshop on data management basics. It is the second session. The first one was about or data management and my colleague and has done that. You can access the slides on that on our website under the events page and to the YouTube recording on our YouTube channel. So this session is about ethical and legal issues in data sharing. My name is Hina and I work as a senior research data officer. We are based at the University of Essex. My colleague Gail is also here today facilitating with the session. So this session includes presentation and you will get the slides after the session. As I said, I'll be using Mentimeter throughout the session which can be accessed on this link or using the QR code. You can use the Mentimeter on your mobile as well. So before I begin, please just a few couple of questions on Mentimeter. So just a couple of questions related to your background on Mentimeter. So you can see that people from diverse backgrounds, which is fantastic. There are some responses that that's great. And then another question. Is there any specific aspect of ethics and legal compliance that you are particularly interested in? So this question will help me to design this workshop for the next time if I miss something. Animal subjects, general overview. How can we share data, how to protect data, copyright and AI? Copyright and AI is an interesting one. And I think the most important topic these days. So that's good. I'm also interested in reading something about copyright and AI. So if someone all new to this, NHS data, how to best advise researchers who are new to compliance, consent, anonymization. So I will try to cover some of the information in today's workshop. But I'm running a complete workshop on consent in data sharing on 30th of November. You can find the link to register on our events page. And my colleague, I think they are running it. Running a workshop on anonymization, qualitative and quantitative both in the coming weeks. And you can check it on again on our events page. I'm running a workshop on copyright issues in secondary data use. It's in somewhere in November. And my colleague, Hannah, she's running a workshop on copyright and publishing. It's again in November. And there are many more workshops coming up in our autumn training series and all the links to register on our events page. You can check and register there. Yeah. So thank you for your responses, a lot of content that you are interested in. Thank you for your responses on the mentee. Overall aim of this session is to show you the key considerations in primary and secondary data sharing. The first section focuses on the key principles of ethical research set out by the ESRC. And it is then followed by the next section on legal frameworks that govern research data. We will also be covering the role of consent in research when it comes to data sharing. And finally, I will talk you through to the key considerations in secondary data use. And as I said, I will answer your questions in the end. So I know it is a lot of content to take in, but hopefully by the end of today's session you will be able to identify key principles for ethical research. And I'm sure you know these already, but just as a refresher, some people are new to this area. So that that would be helpful for them. However, I do hope that you will understand the legal frameworks that govern research data and understand the role of consent in research beyond asking participants for research participation and specifically in the context of data sharing for future use. And you will also understand the key considerations when using secondary data, especially in the context of copyright, but not I haven't covered the AI and copyright in this workshop. So as you may be aware that research data is of two types, primary data and secondary data. Primary data is data that is collected by a researcher directly from the original source through experiments, surveys, interviews, observations of focus groups. On the other hand, secondary data is an existing data gathered from studies. Surveys or experiments that have been run by other people or for other research, such as existing data sets that archives, essays, reviews or social media. So in the first section, which is related to primary data, I will briefly discuss the key principles of research ethics. And I'll also talk you through to some of the ethical considerations and best practices in data sharing, including some research ethic self assessment resources. So ethic issues are most likely to arise around privacy, equality, diversity and health and safety. And research ethics govern the standards of conduct for scientific researchers. So it is important to work to ethical principles in order to protect the dignity rights and welfare of research participants. So ESRC has set out key principles for ethical research. And according to these principles, researchers should ensure that their research is beneficial to participants. And they should be realistic about the benefits that it is likely to deliver. And research should be designed and conducted in a way that respects the rights, interest, values, dignity and autonomy if possible of participants, groups or communities. And researchers should inform participants that they have a right to refuse to participate and it should be free of consequences. And they can withdraw from the research for any reason. Integrity demands that there is a clear fit between what researchers say they will do and how they will conduct their research. And transparency means being clear about the nature of the research and communicating this to those involved. Researchers must exercise self critical responsibility in the planning and conduct of their research. And research ethics committees and research organizations have a responsibility to guide and support researchers, especially when the research involves difficult ethical decisions. And researchers should maintain the independence of their research and their conflict of interest cannot be avoided. It should be made explicit. And independence of research is founded on academic credentials, professional standards, expertise and experience. And it should always be free from personal, organizational and political bias dishonesty and considerations of being should be provided at all times. So these are some of the ethical principles and I'm sure that everyone is aware of this. So it is important that researchers do not just consider what can be done with the data method expertise and technology available to them. It is equally important that researchers consider what should be done. So National statisticians data ethics advisory committee provide a framework to help all researchers to think about the ethics of their research at an early stage and give them confidence that their plans address ethical principles and practices. So they have designed a very useful ethics self assessment tool to review the ethics of the project to be undertaken. And this tool enables researchers to identify and mitigate any ethical issues. So it is based on six main principles you're asked to assess your project against 22 items group against these six ethical principles on a scale. And it is beyond the scope of this session to go into further details of this tool. But I have added a link on the slide for you to have a look into your own time. And I found it very, very helpful. So that's quite a useful tool. Then there is another useful resource called data ethics framework by the UK government. I have added a link on the slide. This is a very nice framework. It provides guidance on the appropriate and responsible data using government and the wider public sector. And it helps to understand ethical considerations, address these considerations within the projects. I want to show you this tool. And so I'll add it the link in the chat at the end, or we can go through this tool at the end at the moment. I just, but it is a very, you can Google it. It's called data ethics framework. And it is, I think it has some overarching principles like transparency, accountability, and it outlines specific actions that covers the entire process of a project. And each section includes questions that will guide you through ethical considerations for your project. And it is very, very useful. So I'll go through it in the end if we have time. Otherwise you can just Google and you can find that out that that's quite useful. So some of the best practices are that that ethical obligations should be considered throughout the research life cycle from panning and research design stage to the data collection stage and all the way to the future uses. That includes publications, archiving, sharing and linking of data. And it is essential to have a knowledge about the standards and requirements of the relevant research organization. So always comply with these relevant laws, avoid social and personal harm. And you can always check with data centers such as us as we facilitate ethical and legal reuse of the research data, including the protection of participants and safeguarding of personal data. So the second section is all about legal frameworks that govern research data. But before we start on this, just a quick question on mentee about what type of data you are familiar with and tend to use or are using. So health data, quantitative, qualitative, administrative. Again, a very diverse types of data you are working with. That's interesting. Radiology reports, primary data, anyone working with secondary data? I see a response just okay. Education, migrant, migrant data would be interesting. Animal data as well. DNA sequencing. So very interesting types of data you all are working. I could see the tab on my laptop regarding that framework I was just talking about. Let me just click and show you. Can you see? Okay. I think you can. Yeah. Yeah. So this is the framework I was telling you about. This is a guide. I have added it on the slide. So some basic information, what is it for? Who is it for? How to use it in the structure of this framework? Then they addresses these three overarching principles, transparency, accountability and fairness and what specific actions you need to take. That addresses these principles. Then one by one they describe what transparency is and how to score that accountability, how to score that fairness. Then all these principles, again, what specific actions you need to take. And yeah, it is a very nice one. How do you understand what public benefit is? So how to score that? What specific actions you need to take? So yeah, I found it very, very useful. So you can have a look in your spare time. So thank you for your responses coming back to the legal frameworks. In the context of data sharing, I think it would be easier to talk you through about the legal frameworks governing research data. If I take a broader classification of research data by health research authority, it's easier to explain in that way. Although it is by health research authority, but I think it's applicable to all types of data. So according to the HRA, health research authority, data or information is broadly classified into three main categories. Information that relates to identified or identifiable individuals. Information that no longer relates to identified or identifiable individuals with some referred to as anonymous data and synthetic data. I go through each of these briefly and the legal frameworks governing. So the first type is health and care information that relates to identified or identifiable individuals. But before that, just a quick intro to the personal information or data. You can identify an individual through personal information about that person and people can be directly identified or indirectly identified. Examples of direct identifiers are name, address, postcode, telephone number, voice, picture. And some of the examples of indirect identifiers are occupation, geography, unique or exceptional values which we in data terms we call outliers, which when combined can identify a person. So personal data also includes special category data that needs more protection because it is sensitive. As I said, the UK GDPR defines special category data as personal data revealing racial or ethnic origin, political opinion, religious or philosophical beliefs, trade union memberships or genetic data, biometric data, data concerning health and sexual orientation. And most health researchers use special categories of personal data, which includes biometric data, genetic data and so on. And if personal information about people is collected or used in research data, protection regulation applies. So there are two main legal frameworks governing the use of research data or health data that relates to identified or identifiable individuals. And these two frameworks are the common law or duty of government. And these two frameworks are the common law or duty of government. In the UK, there is a duty of confidentiality that is based in common law. And that occurs where confidential information comes to the knowledge of a person in circumventing the use of research data or health data that relates to identified or identifiable individuals. In these two frameworks are the common law or duty of confidentiality and data protection legislation. So there are two factors where confidential information comes to the knowledge of a person in circumstances where it would be unfair if it were then to be disclosed to others. There are some exceptions when you can disclose information. For example, if participant consents to onward sharing of their personal data, then sharing does not breach duty of confidentiality. And under this common law, you will need to obtain an explicit consent if confidential information is used for a research project. And this explicit consent is a very clear and specific statement. It can be given in writing verbally or through another form of communication, such as sign language. And sometimes public interest can override duty of confidentiality. And occasionally there are instances when you may need to give up data such as on a court order. So the best practice is to avoid very specific promises in consents. As researchers, we must adhere to data protection requirements when managing or sharing personal data. So if personal information about people is collected or used in research, then the data protection regulation applies. Data protection legislations that are most widely applicable to the research are Data Protection Act and GDPR, which is EU GDPR, which is now called the UK GDPR. EU GDPR is the EU White Data Protection Regulation that was introduced in 2018, and it replaced the UK Data Protection Act at that time, which was being used until then. However, since the UK left EU, it is now called the UK GDPR. Currently, UK GDPR and EU GDPR, they both are aligned. They place the same legal obligations on researchers, but in the future they may diverge. It will therefore be important for researchers to ensure that they gain local support from their university DPO when their research project will span across the EU. So basically, if the researchers based in the UK collects personal data about people anywhere in the world or a researcher outside the UK collects personal data on UK citizens, then Data Protection Act and the UK GDPR applies. However, if the researchers are undertaking research projects which span across the EU, then EU GDPR also to be considered. So this is the basic rule at the moment. UK GDPR specifies the rights a data subject has when their personal data are processed. That's why it's very important to consider UK GDPR if you are to collect personal information for your projects. And according to this, individuals have the right to be informed about the collection and use of their personal data. They have a right to access the information you hold and they can request a change in the information. Ask for a ratio object or ask to restrict processing. They can also object in terms of data portability or transfers to outside the UK and any sort of decision making. They can do that. And which of these rights will be relevant to processing personal data for your research project will depend on the nature of the project. And the chosen processing ground in which country the research is taking place is another important aspect to consider. But GDPR has given these rights to the participants. And everyone responsible for using personal data has to follow certain strict rules called data protection principles. And the researchers must make sure the information is used fairly, lawfully and transparently. And it should always be used for specified explicit purposes. It should be used in a way that is adequate, relevant and limited to only what is necessary. And information should be accurate and where necessary, kept up to date and not kept longer than it is necessary. So most of all, it should be handled in a way that ensures appropriate security, including protection against unlawful or unauthorized processing, access, laws, destruction or any sort of damage. So these are the principles that the researchers should ensure they are there for the week. Under the UK GDPR, there are six possible in crowns for processing personal data and one of these must be present. And if you are to process personal data, these are consent, public interest, legitimate interest, protection of vital interest, legal obligation or a performance of a contract. But in the context of research, the first three crowns which are consent, public task or legitimate interest are the most applicable crowns for the processing of personal data. I'm not sure whether any one of you are familiar with these crowns or what crowns you are using for your products. So I just thought to add a question on a mentee, just a quick question if you can let me know which legal basis you are using. Either you are using or you are from, you know that in the UK, which legal basis advisability to use as an academic consent. That's interesting. So I think it depends the type of data you are working with. If you are working with the health data, I will go through this in the coming slides. Yeah, if it is health data, then yes, consent and public task. So majority of you have that consent so far. So some responses in the chat as well, consent. When I was doing my PhD, I also thought my PhD was on health research. Yeah, so I considered that consent is the only base that we need to use to collect personal data. So, okay, thank you. Let's go back. So, yeah, some of you might surprise if you are not from health research background. Those who have asked for consent as a legal base, which is advisable to use in the UK and they are from health, that's fine. Otherwise, Information Commissioner's Office advised that for almost all research conducted in the UK organizations should rely on either public tasks. For public bodies such as NHS, universities, UKRI or legitimate interest for non-public bodies such as charities and commercial companies. So they advised to use public task for public bodies and legitimate interest base for non-public bodies and you see that it's not consent. So that might be surprising for some of you. However, those holding and using health information, which is a special category of personal data in the GDPR, and it also require a further condition in addition to the public task. So, in academia, this is usually to support scientific and historical research. We use it as an additional basis in academia, which is called scientific and historical research. But in the health research, you can, you have to use an explicit consent. So for health researchers is consent plus public task and for academia, public task plus scientific and historical research. So these are the two basis or mainly ICO recommendation is to use public task. And most, almost all the universities in the UK, they use public task as the legal base to process personal data. So, but for the health research, you also need to complete a data protection impact assessment for any type of processing, which is likely to be high risk. So you must therefore be aware of the risk of processing the special category data. So there, there is a misconception that data protection laws such as GDPR prohibits data sharing, however, it does not prevent data sharing as long as you approach it in a sensible and appropriate way. GDPR is useful for research because it legalizes much of the current good practice in search placing people at the center. It offers enhanced rights to individuals whose data is being processed. And in the context of research, GDPR has the potential to further benefit research and archiving, helping to improve trust and confidence between the public and universities and between researchers and their participants. So this section until now was about the data that can be identified or identifiable. So the second type that I spoke earlier was about the data that no longer relates to identified or identifiable individuals. So this is a data that has been anonymized or pseudonymized. Personal data that has undergone effective anonymization is not, however, regarded as personal data. And therefore it is not subject to the UK GDPR. This is because the data has been modified and transferred or otherwise made available to another organizations that such that it no longer relates to an identified or identifiable individual. So there are several anonymization techniques that can be used to do that. For example, aggregating, suppression, rounding, reduction, addition of oil and so on. But it is beyond the scope of today's session to talk. However, I have added links at the bottom of the slide for you to have a look later. And as I said, my colleague will be running a workshop on anonymization in the coming week. So you can join that if you need more information. So data that is treated in this way is no longer considered confidential. And generally speaking, does not fall within data protection laws. It is important to note that even when health data is anonymized, it may still be possible to find ways of identifying your individual personal information when combined, how combined different pieces of information. So however, it would likely require special circumstances or efforts. And this effort may involve using other sources of information to narrow down the number of individuals that the data may be relating to. But there is some debate about this. On the other hand, pseudonymization is a security enhancing process that replaces or removes information in a data set that directly identifies an individual. And it is typically applied before information is shared with a third party. For example, it could involve replacing an NHS number, a name or an address with a unique number or code. With the effect that identifying an individual directly from that data is not possible by the recipient without additional information such as a key that would enable matching the pseudonym to direct identifiers in the data set or any other means to re-identify the data. So personal data that has undergone pseudonymization but could still be attributed to an identifier individual by the use of the data alone or in combination with the other data likely to be available is legally presumed to remain personal data under the UK GDPR. While personal data that has undergone pseudonymization, but that is no longer attributable to an identified individual is not considered personal data. For example, if an organization pseudonymizes data and holds the key, that data remains personal data to that organization. If the same organization shares the pseudonymized data with another organization such as us, they deposit the data with us, but they does not share the key with us. It should not be assumed that the data is personal to us. So GDPR doesn't apply on that. For them it is under GDPR for us without the key it is not. So the determining factor is not whether or not the data is pseudonymized, but whether or not it can be used on its own or in conjunction with other available data using reasonable means to identify an individual. So the third type I mentioned earlier was the synthetic data. It is the information that is artificially created rather than generated by real world events. It can simulate synthetic populations that resemble the characteristics as well as diversity of actual people. And it can also be generated to be statistically consistent with the real data set, which it may then replace or augment. So as synthetic data is neither personal nor confidential, it is not subject to data protection legislation or common law or duty of confidentiality. So the third section is about control of consent in research. I'm sure you are all familiar with what informed consent is. However, when it comes to data sharing, then consent is used for two purposes to fulfill ethical obligations and to be legally compliant. We all are familiar with what consent is when which is used for research participation. And it is considered as one of the founding principles of research ethics where it is sought before participation in any research activity and for all participants. And it usually involves providing information regarding study purpose, risk, benefits, voluntary participation, how they can withdraw and so on. However, as stated earlier, consent can be used as one of the legal basis of processing personal data under the UK GDPR. If a researcher collects, manages and shares personal data, then consent of the data subject can be used as a legal base. As I said, to process this personal information. But as we see that in the UK, it is rarely used as a legal base, but around the world, there are many countries that use it as a legal base. So, but even though it is not mandatory under the UK GDPR, but you need to obtain an explicit consent under common law or duty of confidentiality when you have to disclose or share confidential information for research purposes. For example, under Human Dissue Act and for clinical trial purposes, you have to obtain that. And ethically, you should obtain consent informing the participants if you are to share this data for future use, not legally, but ethically you should. So, therefore, consent plays a vital role to be ethically or legally if you are using it as a legal base to obtain it when it comes to being transparent, fair and maintaining confidentiality. Consent can be gained in written or ordered form and the format of the consent depends on the kind of search, however, it is important that whatever format is used, written or verbal, it should be documented. And you need to document how it has been gained, what information has been provided and what they have, what the participants have agreed to, what information they agreed to at that moment. So, consent form plays a vital role in data sharing when you are to archive it or deposit it for future use. And it is very important that you design the consent form keeping in mind these three important sections. If you can to share your data, the first section should be about taking part in the study and it includes some basics such as participants have read and understood the information. They have been given the opportunity to ask questions, they understand that they can withdraw anytime. And the second section is all about how the information that is being collected will be used. For example, how the data will be stored for how long, how the confidentiality will be maintained. And the final section should be around providing information about future uses of the data such as publications, archiving data and so on. And this final section in the consent form is really important if you plan to share your data for future use by other researchers. As I said earlier, I'm running a full workshop on consent issues in data sharing on 30th of November, I think. So you can have more information in that workshop. And we have a model consent form on our website. I think I have added it on the last resource slide as well. You can see that how you divide the consent form in three key areas and what each area should include in the consent form. So that's quite useful. So when you start a research project that involves collecting information from people, for example, via survey or interview, focus group or whatever way, then these questions can help you to comply with data protection legislation in practice. The first consideration should be whether the project needs to collect information that would be defined as personal data. If not, then do not collect it. If the research does not collect personal data, then data protection legislation will not apply. If personal data are being collected, the researcher needs to identify who will be the data controller for the collection, storage and handling of the data. This is unlikely to be the researcher themselves. And in most instances will be the researchers, universities or institutes where they are working. So if the research involved collaborations of different partners, it will be important to identify whether they will be joint controllers of the data or data processors. It will be crucial to ensure data sharing agreements are in place and where necessarily a processing or processor controller agreement should also be in place. The data controller is the person who determines the purpose for which and the way in which personal data is processed. By contrast, a data processor is anyone who processes personal data on behalf of the data controller. For example, if you deposit data with us, you are the controller and we are the processor who process data on your behalf. So an assessment will need to be made about the most appropriate processing ground to use for each research projects. And you are familiar by now that there are three grounds that appear most applicable for research, consent, public task or legitimate interest. And if you are using consent as the processing ground, it is crucial that this is distinguished from consent for other ethical and legal purposes. And that participants can withdraw their consent for processing personal data. This is different from the right to withdraw from the research. So you need to make it explicit in your forms. So if public task is used as the processing ground, you must ensure that your university or institute is classified as a public authority. So that's another important point. In the UK, universities are the public authorities. So I'm talking about outside the UK. So and also that research will be in the public interest. So if you are using legitimate interest as a processing ground, a legitimate interest assessment should be undertaken. This will need to identify the legitimate interest being pursued, demonstrating that personal data processed is necessary to achieve this. And this is being balanced with the rights and freedoms of the participants. So the information that needs communicating will be influenced by which processing ground is chosen. Broadly, participants should be informed about how any personal data collected about them will be used, stored, processed, transferred. The data controller is and their contact details, the legal ground and purpose of the processing, any recipients of the personal data, period of retention and their rights and so on. So remember, despite all the info I have gone through, bear in mind that much research data, even sensitive data, can be shared ethically and legally if researchers employ certain strategies. For example, offering protection of identities through anonymization or a de-identification using processing ground for personal data and finally regulating access where needed. So you can deposit any data by using strategies. The last one I said was you can regulate access to the data if it is sensitive. So I have added on this slide what I meant by regulating access. By regulating access, I meant that facilitating data sharing especially when it is not possible to anonymize data or to obtain consent for data sharing. So in that case, you can restrict user access. For example, here at the UKDS, we facilitated three levels of access for data. Open access for data that contain no personal information, safeguarded access for data that contain no personal information, but the data owner considers a risk of disclosure resulting from the linkage to other data or by combining several pieces of information. So it is available under end user license and users need to register to access data. Users also need to agree to certain conditions such as not to disclose any identifying information and while the third one controlled access is for the data that may be disclosive. Control data are only available to users who have been trained and accredited and their data usage has been approved by the relevant data access committee and access to this data is through a virtual or physical secure environment. So this is the final section which is about what needs to be considered if you are planning to use secondary data sources. Most important issues are the rights inherent in secondary data. So two most relevant types of rights applicable to the secondary data sources are copyrights and database rights. I'll talk you through to the copyright which is the most common one due to time constraint and I have added a link at the bottom for other rights for you to have a look. So copyright or IP rights are assigned automatically to the creator or the researcher who owns the data. When data are shared or archived the original owner retains the right data archive cannot archive data unless all right holders are identified and give permission for their data to be shared. So copyright applies as soon as the data is created you are the copyright owner of the data that you share for the future use by other researchers. And in the context of primary data if you plan to share it for future use you need to consider how you want your data to be used be used by other researchers or students you can specify this by licensing the data to match the intended uses. Various types of licenses for sharing data have been developed by the data archives. As I showed you earlier the licenses we use a data service. You can get a service open access they've got it and controlled ones and and use the license. In the UK copyright arises automatically once a work is created and to enjoy copyright protection the work must be original. That is to say it must be your own book not copied from someone else there is no copyright in ideas or facts only in the way those ideas are expressed such as diagrams and tables. More information if you need more information and are interested in copyright and data use as I said I will be running a workshop next month. And if you're interested in copyright in publishing then there is another workshop in November by my colleague. So if you are using secondary sources then best practices to assess who the copyright holder of the data set is are you allowed to use them. And in what way are you allowed to archive and publish the data in a data repository. Most of the time we encounter problems when researchers are allowed to use data as the data is under open license or they register to use it. But what they do not realize is that it is accessible to them for their personal use but they need permission from the data owner for sharing it or archiving it. So you may need to seek further permission to distribute material you do not own. If permission is not granted you need to remove copyright variables or material before publishing or sharing it. So to be here on this slide I have added a link to our web pages on copyright. I have also added a useful template variable information log for data sets being deposited that includes secondary data sources. Researchers are advised to prepare a variable information log describing these resources. This log not only allows others to understand and use data correctly but also ensures that respositories can check the appropriate terms and conditions applicable to the onward sharing. So you can see here that I'm not sure whether it's clear or not but it include the variable name source how it was collected brief description and any restriction noted on its further use. So it's useful for the secondary data users. So best practices to always investigate which laws apply to your data including cross country collaborative working as early as possible almost at the designing stage of your project. Do not collect or keep personal or sensitive data if not essential to your research but can always seek advice from the research office or data centers like us and make sure that your participants know how this data will be used. All research data are personal data. Just remember that research data is not personal data and GDPR does not apply if it is anonymized data. Not all research data is personal. I'm not sure whether we have enough time for you quick questions or not. Yeah, I think so. On the Mentimeter. Quick quiz if you are. What do you think just it will just recap of what you have heard. I know it's a lot of content but just quick quiz. What do you think pseudonymized data is not subject to the UK GDPR. Is it true or it depends. Majority of states are false. Some say it depends. And someone says it's true. Yeah, I think it's them. It depends as well as you can say that it's false as long as the key to identify the data is held by someone else. Then it's not so don't personal data. Then it's not under GDPR. For example, some organization deposited a pseudonymized data with us and we do not hold that key that helps us to identify the individual. Then it is not under the UK GDPR. But for that organization who holds the pseudonymized data as well as the key with the information. To identify that can help to identify the individuals and for that organization. Same did pseudonymized data is subject to the UK GDPR. So it depends whether you hold the key to identification or not. And what do you think with this effectively anonymized data is not subject to the UK GDPR. Yeah, that's correct. If you think you are 100% sure that the data is effectively anonymized and there is no chance of any identification or there isn't any disclosure risk, then that's right. It's not subject to the UK GDPR. A very simple one. Ethical applications should be considered throughout the research. That's that's true. Thank you for your responses. And what do you think if the researcher based in the UK collects data outside the UK UK GDPR does not apply. I think it's false because if you are based in the UK you need to abide by the UK GDPR. And if you are collecting personal data, then the UK GDPR does apply. So it's a false statement. Anywhere in the world it doesn't matter, but if you are based in the UK and you collect personal data, even if it is outside the UK UK GDPR does apply. I think that's the simple one. If there is no personal information in the data, then the data protection legislation does not apply. And then there is another one. If the researcher based in the UK collects personal data from the EU, which of the following applies. Yep, that's correct. EU GDPR and UK GDPR both applies. And this question is about the EU, but if you are collecting data anywhere in the world from the UK, then the current law in that country plus the UK GDPR both applies. So that's that's correct EU as well as the UK. And what do you think? Yeah, I think it it depends is the safe answer. It depends whether you have taken that preventive measures, whether it is ethically and legally possible to share the data or not. So it depends on number of factors what legal ground you are using what information has been provided to the participants in the consent form, whether they have agreed to share the data, whether it is possible to anonymize it, whether it is possible to put it in a controlled access environment. So that confidentiality is not compromised and people are ready to it in number of number of reasons. So it always depends, but it is possible. So what do you think informing participants about the future users of data is an ethical obligation, a legal obligation, or you're not sure. I think it's more of an ethical obligation. Yeah, there is a note. There isn't any specific law that states that if you are collecting personal information and GDPR applies, then yes, it's a legal obligation. But if you are not collecting personal information, or you are anonymizing that data. So anonymized data does not fall under the UK or EU GDPR, then it's an ethical obligation. You should inform them. So it could be, it depends on the project. So it could be an ethical, it could be a legal or it could be both. So this is a statement we encounter every now and then from the data that researchers deposited with us in the consent forms. I think, is this appropriate? If you plan to share that data, or is it, it's a funder requirement to share that data for future users. Yeah, that's false. That's not an appropriate statements because it precludes data sharing. So researchers who plan to use, who plan to deposit data in archives so that other researchers can use it. They should avoid such statements in their consent. Then there is another statement that should be avoided. It also precludes data sharing. So when people come with the data and this sort of consent form statements, the only option they have to go back to the participants ask for retrospective consent, which is not feasible at all most of the time. So, yeah, so these are very, very problematic statements if their funders require them to deposit data for future use. I'll go through these ones in my consent issues workshop. These ones and some more and then the example consent forms as well. So, another statement that we came across is all research data will be destroyed after so and so years appropriate. So, this should be, it depends if you should inform the participants what you are going to do with their information that you have collected. So this should explicitly state if you are informing them about personal data, all the research data in this statement it says all research data. So if you have this sort of statement, you cannot archive it for future use. So if you need to be explicit that some universities, they have a policy of if you are not depositing personal data, it will be kept for five years, ten years. It all depends on the organization or institute's policy and it will be destroyed. So that is fine. You separate the personal data from the research data. So always consider before using such statements and if you are planning to share your data, such statements are very problematic. So we will go through these statements in my consent workshop. I'm not sure why. Again, Steph, can you see my screen, the slides? Yeah. Yeah. All right. Yeah. So these are some of the resources I have mentioned here with the links that are useful to you, including the consent form, example consent forms, information sheet and rights when using secondary data, regulating information and so on. And these are the links to our upcoming training events page, past training events and recordings. And yeah, thank you for attending today's session.