EU GDPR


Guiding Macquarie University's European reach

How the EU General Data Protection Regulation (GDPR) impacts and guides Macquarie University and our research.

The EU General Data Protection Regulation (GDPR) commenced on 25 May 2018. Although a European law, it is designed to have extra-territorial reach.

What is the EU GDPR?

The GDPR guides any organisation offering goods or services to individuals living in the EU. This includes universities offering educational packages to EU students or conducting research involving EU residents.

While the language used in the GDPR is different, the core requirements under the GDPR are similar to those found in the privacy laws already regulating the University.

Some additional provisions do apply — detailed below — most of which expand individuals’ rights over their personal data.

Data portability

Access rights are strengthened with the right to request one’s personal data be transmitted to another party in a 'structured, commonly used machine-readable format' in certain circumstances.

Automated decision-making

There is a right not to be subject to a decision (with legal effect) based solely on automated processing or profiling; i.e. individuals must be able to seek human review of automated decisions.

Right to object

  • to direct marketing
  • to research/statistics: the individual can object to their data being processed for research or statistical purposes, unless an overriding public interest is proven
  • to other processing: the individual can object to their data being processed for ‘public interest’ or ‘legitimate interest’ purposes, unless an overriding public interest, or the legitimate interest of the controller, is proven.

Right to restrict processing

Individuals can require organisations to cease (or at least pause) processing data about them in certain circumstances, such as where the accuracy of the data is under review, or the individual has objected to processing and a final decision has not yet been made.

How will GDPR impact my research?

GDPR aligns with many of the new provisions of the National Statement on Ethical Conduct in Human Research and mirrors good practice in research data management. Most important in both is the emphasis on transparency: primarily, that the information provided to participants should be concise and easy to understand, and should accurately reflect what will happen with their data and what their rights are as participants.

In conjunction with the National Statement, compliance can be achieved in part by:

1. Developing a data management plan

A data management plan should be developed prior to commencing your research. It includes clearly articulating the intentions related to the generation, collection, access, use, analysis, disclosure, storage, retention, disposal, sharing and re-use of data and information, the risks associated with these activities and any strategies for minimising those risks.

2. Informing participants

Ensuring participants have an adequate understanding of the potential risks and benefits of their information being used for research, including their rights over their information, and that this information is presented to the participants in a format suitable to the participant with the aim of establishing mutual understanding between researchers and participants.

Consent must then be obtained for the research to proceed (exemptions may be given in certain circumstances as determined by the Human Research Ethics Committee).

3. Clear consent

Consent for research should not be bundled with other consents. The participant must be clear about what they are consenting to and have the option of selecting which uses and disclosures they agree to.

4. Relevance

Regularly revisiting both the data management plan and the consent obtained to ensure they remain relevant and reflect actual practices. Where changes are intended to be made or the data used for a purpose that was not initially articulated, participants may need to be consulted and consent re-obtained.

Further guidance is available from the NSW Information Privacy Commissioner, or you can read the full GDPR text. For additional assistance, please contact the Privacy Officer at privacyofficer@mq.edu.au, who can assist in ensuring you are well informed on how to manage your obligations arising from GDPR.