A. THE IMPORTANCE OF DATA PROTECTION
Note: All text largely adapted from external sources will have links to the source given below the headers. The text below was written by BLIP Lab staff unless otherwise indicated.
1. Ethical Duty
When participants agree to take part in a study, they have implicit expectations that the researchers have policies in place to protect their identity and personal data.
Researchers thus have a duty to protect the privacy and confidentiality of people who participate in their research. In practice, this means:
- Protecting access to individuals, their identities and their personal information
- Ensuring that individual participants (and their legal guardians) have the right to authorise access to their personal information
- Not sharing collected information in any identifiable way, unless explicit permission has been given by the participant or their legal guardian in a ‘release’ document.
What could happen if a participant’s data is not protected?
- Participants’ data could be vulnerable to malicious actors.
- A data leak could potentially cause serious personal cost to participants.
- The lab would be vulnerable to reputational damage which may, for example, impact the number of people in Singapore who trust us enough to participate in our studies.
- The lab would be vulnerable to the administrative burden of institutional investigation.
Types of data that must be protected
Deeply confidential things may be revealed during the course of a long-stretch recording. These include, but are not limited to:
- Protected personal information about participants (e.g., identity, address)
- Sensitive information about people in the recording, or people mentioned in the recording (e.g., sexual orientation, relationship status, criminal behavior, religious beliefs)
- Confidential medical information (e.g., a recent diagnosis)
- Confidential information pertaining to participants’ work lives (e.g., confidential client information, HR related matters, matters that may be commercial-in-confidence)
Note that if an audio recording contains information of this type, do not transcribe the sensitive/confidential portion until you have discussed this matter with your supervisor. You may use the following code to mark the potentially protected stretch of audio: “:PROTECTION-CHECK”. There will be weekly team meetings to discuss the contents of these protected sections.
The only exceptions to this rule are information pertaining to the Mandatory Reporting Policy, detailed in section E above.
2. Introduction to Personal Data Protection Act (PDPA)
(Largely adapted from PDPA Guidelines for Student Organisations (NTU))
The PDPA governs the collection, use, disclosure and care of personal data in Singapore by organizations. It recognizes both the rights of individuals to protect their personal data, including rights of access and correction, and the needs of organizations to collect, use or disclose personal data for legitimate and reasonable purposes. Every university organization, as a data user that controls the collection, holding, processing, disclosure, transfer or use of personal data, must observe the personal data privacy rights of an individual.
NOTE: At BLIP Lab it isn’t always aligned with the data integrity of our research to ‘correct’ data after a person has completed their participation in a study. For example, we should not alter a test score after the test has concluded, and we should not edit the text of a transcription to suit a participant’s recall of events. That said, there may be cases where a parent provides valuable contextual information that can be incorporated (e.g., the name of a pet), or missing data (e.g., a missing page from a paper survey). Participants can always request that some portion of their data be removed from a study after the fact. However, once anonymized data have been archived in a public repository, it will not be possible to identify which participant is which.
2.1 What is Personal Data?
Personal data refers to data, whether true or not, about an individual who can be identified from that data; or from that data and other information to which the organization has or is likely to have access. The term “personal data” should be interpreted broadly and covers all types of data from which an individual can be identified.
Examples: Full Name, Residential Address, Mobile Number, NRIC/Passport Number, Matriculation Number, Bank Account Details, Personal Image etc.
2.2 Consequences of Breaching PDPA
If the PDPC finds that an organization is in breach of any of the data protection provisions in the PDPA, it may give the organization such directions that it thinks appropriate to ensure compliance. These directions may include requiring the organization to:
- Stop collecting, using or disclosing personal data in contravention of the Act;
- Destroy personal data collected in contravention of the Act;
- Provide access to or correct the personal data; and/or
- Pay a financial penalty of an amount not exceeding $1 million.
There are certain situations where the breach is considered serious enough that the PDPA office of Singapore must, by law, be notified immediately.
For more about the PDPA: https://www.pdpc.gov.sg/Overview-of-PDPA/The-Legislation/Personal-Data-Protection-Act
3. Important Aspects of Data Security
(Largely adapted from University of Leicester - Data Management Support for Researchers https://www2.le.ac.uk/services/research-data)
3.1 Security
Whatever research data you have, whether or not it is legally defined as sensitive or confidential (with associated legal requirements over its management), you need to keep it secure and control access to it.
Security encompasses the following points:
- Both electronic and physical security.
- Security of both electronic and physical resources (it is wasted effort to enforce appropriate electronic security but leave physical copies of data open for others to access).
- Prevention of accidental or malicious damage or modification to data.
- Theft of data.
- Appropriate access control to data resources – establishing boundaries around your data, defining who can and can’t access, what they can do with it.
- Compliance with confidentiality, privacy and consent agreement and legislation.
- Release of data before assurance of accuracy and authenticity, and the potential to void intellectual property claims.
- What devices are used to store data in the short, medium and long-term.
- How data is transferred between devices e.g. interviews captured on digital recorders in the field being transferred to University research data storage.
- The use and security of storage devices, particularly mobile devices e.g. external hard drives and laptops, and use of appropriate encryption.
3.2 Confidentiality
Confidentiality can be defined in terms of “that which is intended to be kept secret”. Dealing with its implications and ethical and legal obligations is an integral part of research.
Storage of data that are considered confidential or sensitive may need to be addressed during consent procedures, to inform the people to whom the data belong how and why the data will be stored. The risks of identification of personal information are typically managed through the anonymisation of data and the regulation of access through a dedicated rights management framework.
3.2.1 How should I store confidential data?
It is important to be aware of the risks of storing personal data. Legally, data containing personal information must be treated with more care than non-identifiable data. From mid-2008 financial penalties can be enforced for the wilful circulation of personal data. Personal information can be removed from data files and stored separately under more stringent security measures. Signed consent forms or other non-digital records may contain identifying information and should be stored separately from data files, although an anonymous ID system can help link the two sets of materials together if required (e.g. for re-contacting purposes).
The main considerations when thinking of a good storage medium are:
- Will the data be securely stored over time – will integrity be preserved?
- Is its storage reliable - will data be lost?
- Can the data be accessed to be used and reused?
- Is it appropriate for both immediate and long-term needs?
- Does storage meet relevant standards and requirements of the university, my funder, and legislation?
- What is appropriate storage for sensitive, identifiable, pseudonymised and anonymised data?
With consideration to the above points, portable storage media such as CDs, DVDs and memory sticks (also known as USB sticks, flash drives, thumb drives, memory keys) present a high level of risk when being used to store research data. They are not backed up centrally and are vulnerable to loss and damage. Portable media are also particularly vulnerable to loss, damage and degradation over time.
NOTE: Therefore, in this lab, portable media devices are only for sharing of data within the lab. After sharing is completed, all data will be deleted from the portable media device.
B. RESOURCES
NOTE: All of the following links contain important information regarding university policy on Data Protection. Consequences occurring as a result of failure to read and comply with these requirements will be shouldered by the research assistant in question (a.k.a. you).
- Personal Data Protection Act: https://sso.agc.gov.sg/Act/PDPA2012
- NTU Research Data Policies: https://www.ntu.edu.sg/research/ntu-research-data-policy
- Singapore PDPA Guidelines: https://www.pdpc.gov.sg/Overview-of-PDPA/The-Legislation/Personal-Data-Protection-Act
- NTU Research Data Management Portal: https://libguides.ntu.edu.sg/rdm
- PDPA Guide to Data Sharing: https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Other-Guides/Guide-to-Data-Sharing-revised-26-Feb-2018.pdf
- University of Leicester - Data Management Support for Researchers: https://www2.le.ac.uk/services/research-data