University of Alberta researchers who are using REDCap to collect data from study participants residing in the European Union, European Economic Area (EEA) or the United Kingdom are required to comply with the General Data Protection Regulation (GDPR). GDPR gives your study participants certain rights with regard to their data, which are covered later in this document. These rights must be explained in a Web Privacy Statement.
While GDPR applies across the EEA, each country retains its own data protection legislation. It is important to be aware of the national laws for the countries where you are collecting data (e.g., France has a specific ban on the collection of date of birth).
GDPR requests made by study participants should ALWAYS be directed to the applicable REB or privacy office. For multi-site clinical trials this includes offices relating to the clinical trial site.
The study team must inform a REDCap administrator if GDPR applies to their project.
Publicly facing web pages, for example your REDCap surveys, must contain a link to the system’s GDPR web privacy statement.
The GDPR may apply to your research if:
Your research involves the personal data of persons physically present in the EEA or the UK;
You want to re-use personal data you previously collected from persons in the EEA or the UK (e.g., for a new research project).
You want to obtain existing personal data about persons in the EEA or the UK from other persons or units at the University of Alberta (e.g., admissions data) to use in your research.
A person or entity physically present in the EEA or the UK is providing you with the personal data of research subjects located anywhere in the world.
You intend to conduct data scraping involving the accounts or websites of persons or entities physically present in the EEA or the UK.
You are collaborating with researchers or entities physically present in the EEA or the UK.
The GDPR limits processing of special categories of personal data, which includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, health data, and data concerning a person’s sex life or sexual orientation.
Research participants must give explicit consent before this personal data can be collected and processed as part of your research. Data Controllers need to provide a “lawful basis” on which to specifically gain this consent. Check with your REB to see if they have wording developed for this purpose.
To ensure persons visiting Institutional websites understand applicable privacy policies and the impact of the GDPR, publicly available web pages, for example REDCap’s survey pages, must have a link to a Web Privacy Notice. If you are collecting data that is subject to GDPR, you should add this to survey footers in REDCap.
There is a REDCap specific privacy notice at https://help.redcap.ualberta.ca/privacy-policy which includes a section relating to GDPR.
Fully anonymized data does not fall within the scope of GDPR.
Stored data should be pseudonymized (for example by maintaining a separate log of names and record IDs) so that data cannot be attributed to a specific subject without additional information. Thus, identifiers (either direct or indirect) should not be stored within the REDCap project unless they are essential to the project. Where essential, and with REB approval, identifiers may be stored in REDCap.
Pseudonymized personal data is still subject to the GDPR.
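The separate-log approach described above, shown as an added example (not REDCap's or the University's own code); the field names, the constructed sample rows and the `P-` record ID format are assumptions:

```python
import secrets

# Constructed sample intake rows; field names are assumptions for illustration.
SAMPLE_ROWS = [
    {"name": "Ana Ruiz", "email": "ana@example.org", "visit": "baseline", "hba1c": "6.1"},
    {"name": "Ben Okoye", "email": "ben@example.org", "visit": "baseline", "hba1c": "7.4"},
    {"name": "Ana Ruiz", "email": "ana@example.org", "visit": "month_3", "hba1c": "5.9"},
]
DIRECT_IDENTIFIERS = ("name", "email")


def new_record_id(used):
    """Random ID, not derived from identifiers, so it cannot be guessed or reversed."""
    while True:
        rid = "P-" + secrets.token_hex(4)
        if rid not in used:
            return rid


def pseudonymize(rows, identifier_fields=DIRECT_IDENTIFIERS):
    """Split rows into (study_rows, linkage_log).

    study_rows: what is stored in the project, keyed by record_id only.
    linkage_log: record_id -> identifiers, to be kept separately under
    stricter access control.
    """
    id_by_person = {}   # normalized identifiers -> record_id
    linkage_log = {}    # record_id -> identifiers
    study_rows = []
    for row in rows:
        missing = [f for f in identifier_fields if f not in row]
        if missing:
            raise ValueError(f"row lacks identifier fields: {missing}")
        # Repeat visits by the same person must map to the same record_id.
        person = tuple(row[f].strip().lower() for f in identifier_fields)
        if person not in id_by_person:
            rid = new_record_id(linkage_log)
            id_by_person[person] = rid
            linkage_log[rid] = {f: row[f] for f in identifier_fields}
        study = {k: v for k, v in row.items() if k not in identifier_fields}
        study_rows.append({"record_id": id_by_person[person], **study})
    return study_rows, linkage_log


def reidentify(record_id, linkage_log):
    """Only possible for whoever holds the separate linkage log."""
    return linkage_log[record_id]
```

The study rows remain personal data under GDPR for as long as the linkage log exists, and any indirect identifiers among the remaining fields still need review.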
Upon data export, use one of the many data export options, such as date shifting, that will remove identifiers, or export a limited amount of data without identifiers.
Participants are granted specific rights under GDPR and they may make requests of the study team based on these rights. However, GDPR includes some specific exemptions to these rights in the case of scientific research. If you receive a GDPR request from a study participant it is important that you contact the privacy office and the REDCap team for advice on how to proceed.
Participants have the right to be informed about the collection and use of their personal data. This normally takes the form of “informed consent”. The consent process may vary from study to study based on REB and specific study requirements.
Certain rights normally conveyed under GDPR may be superseded by other regulations. For example, clinical trial participants may not have the right to erasure. Where this applies, it should be clearly documented in the informed consent.
Study teams and individual clinical trial sites must work with their REBs to include GDPR-appropriate wording in consent documents.
Participants have the right to view and request copies of their personal data.
Data must be provided in an appropriately secure manner. In a multi-site clinical trial the study team must collaborate with study sites in order to establish the identity of the participant and satisfy the request.
Participants have the right to request that inaccurate or outdated personal information be updated or corrected. Be aware that just because someone REQUESTS rectification, that doesn’t mean a study team is obliged to change the information if the data are supplied from a verified source.
Participants have the right to ask for their data to be transferred to another controller or provided to them. The data must be provided in a machine-readable electronic format.
Participants have the right to request the restriction or suppression of their personal data.
In academic research it may be appropriate to handle this as a withdrawal of consent. Consult your REB for advice on how to proceed and future use of existing data, as this may be based on the language contained in the consent documents.
Participants have the right to object to the processing of their personal data.
Participants have the right to object to decisions being made with their data solely based on automated decision-making or profiling.
Participants have the right to withdraw previously given consent to collect and process their personal data. In the case of scientific research, data collected prior to withdrawal may usually be retained.
Participants have the right to request that their personal information be deleted. However, this right is subject to additional conditions and is negated by other legislation such as the Food & Drugs Act of Canada, which requires data to be retained for 15 years.
The right of erasure allows a participant to request the erasure of their personal data. However, it does not apply to clinical trials that have to comply with ICH GCP or in cases where erasure is “likely to render impossible or seriously impair the achievement of the [research] objectives” (Article 17(3)(d)).
As a general guideline, if a participant requests erasure of their data, it should be considered as a withdrawal of consent. Data collected before withdrawal may be retained for analysis and, potentially, secondary use.
If erasure is required, note that REDCap’s logging information is retained even if a record is deleted. However, REDCap administrators can apply project settings that will delete logging information for a record that is to be deleted under GDPR. These settings may be applied for the duration of the project or can be set temporarily before deletion of an individual record. For this reason, the study team must inform a REDCap administrator if GDPR applies to their project.
A REDCap administrator can modify the following project setting, if required:
Delete a record's logging activity when deleting the record?
Set to “Yes” prior to deleting records under GDPR’s right to erasure.
For GDPR compliance, project survey pages should contain a link to the REDCap system’s privacy statement at https://help.redcap.ualberta.ca/privacy-policy. This can be included in the survey as HTML in a descriptive text field; a better solution is to edit the survey’s footer. This must be done by a REDCap administrator.
Project settings -> Custom footer text for survey pages.