2. Description of Data Subjects
Summary: The aim of this description is to describe who the data subjects involved in the project are, how they are invited or otherwise targeted to be part of the project, how many people are needed to be involved and why, and whether there is a relationship between data subjects and controllers that may preclude the data subject’s freedom to refuse their consent (if applicable). From this description, it will be clear that only a necessary, justified, minimum number of people is involved. If the project involves more than one activity (i.e., interviews and observations) be sure that each one is properly described.
Once the processing activities have been described in Step 1, Step 2 describes the data subjects that are involved in the processing activities. From this description, it will be clear that only a necessary, justified, minimum number of people is involved.
Keep in mind that, If more than one group of people is involved, each one of those must be clearly described, and properly linked to their respective processing activity from Step 1.
Definition:
This description documents who the data subjects are. From this description, it will be clear that it is indeed necessary to involve the described individuals in order to reach the goals of the project.
Data subjects are thus defined by the needs of the project: if the project is a survey on employment satisfaction to Geosciences employees, data subject are thus defined as UU employees working at the Faculty of Geosciences who agree to complete the survey. The data subject definition of a mailing list project would basically be anyone interested in participating, while the definition of data subjects of a project about medical imaging and AI would be all stakeholders from the field of medical imaging and AI – patient representatives, radiologists, researchers, hospital administrators, people from industry, who are willing to participate in the project.
When relevant, indicate if there are any relevant characteristics of data subjects that may restrict their ability to freely consent or object to the processing of their personal data, or to understand its implications by having diminished decision capacity. For example, if data subjects may include children or young people, elderly or otherwise people with certain disabilities who may be less able to understand how their data is being used, anticipate how this might affect them, or are able to protect themselves against any unwanted consequences.
Keep in mind that what is also asked here is a justification for why the project needs to collect personal data from these individuals. A children’s education project will necessarily need to collect data from children. The measures that explain how the rights and freedoms of these individuals are protected will be explained elsewhere in the Privacy Scan, so there is no need to describe these measures in here.
Targeting:
Once data subjects are defined, it is now necessary to explain how the project plans to reach out, recruit, or otherwise get in contact with these individuals – the targeting strategy. For projects where the data subjects are not known to controllers, this description is meant to explain how data subjects are going to be recruited – what is the strategy that will ensure data subjects are able to receive an invitation to be part of the project? If data subject’s contact details are already known to the controller, this description will only need to state how and why this contact information is already available to controllers.
Cold-calling using publicly available contact information: Often, controllers do not have a direct relationship with the targeted data subjects, but it is possible to gather contact information for public sources, and use it to directly get in touch with potential data subjects – “cold calling”. The legitimacy of this approach depends on a ‘balancing of interests’: Is the topic of the project and the personal or professional interests of the individual sufficiently aligned, so that the contacting would not be perceived as intrusive or unwarranted by the data subject? Contacting experts with questions related to their expertise can be considered as a reasonable approach. Sending mass invitations with little or no regards whether targeted individuals would be reasonably interested in the invitation is not likely to be legitimate.
Snowball sampling: Another common strategy in research projects, when there is no previous relationship between controllers and potential data subjects, is to apply snowball sampling. Snowball sampling is a recruitment technique in which research participants are asked to assist researchers in identifying other potential subjects. Contact with additional research subjects may be initiated by researchers (“cold calling”) using information provided by current research participants. Alternatively, contact may be initiated by research subjects – researchers may ask current research subjects to pass information about the study to other potential subjects, so that they can contact the researcher if they are interested.
Researcher-led contacting is often a more effective recruitment approach, but it also takes away individuals’ control of the process – they may have no control nor awareness over the sharing of their contact info with researchers, nor the decision to be approached by them. Data subject-led contacting does give appropriate control of the process to potential participants, but it may be less effective, as people cannot always be depended upon to initiate contact (even with good intentions, they may forget to make contact, become busy, etc.).
Which approach to use depends on the specific context, the reasonable expectations of people to be cold called, and the sensitivity of the topic of the project. Are there any potential risks involved? Is the topic sensitive or difficult for them? Would they be expected to agree to participate, because the project’s outcome is of interest to them, or may bring them benefits individually or as a group? What are their expectations, would they be surprised when they get contacted?
In general, researcher-led contacting is only appropriate when there is a reasonable expectation that data subjects are likely to agree to participate, due to their personal or professional interests, and when any potential risks are reasonably low. Otherwise, it is preferred to rely on data subject-led contacting.
Number:
It is now necessary to document how many individuals are involved in the processing activity, and describe why this amount is necessary to reach the goals of the project – It should be clear that the project is targeting the minimum amount of data subjects, and that there is a reasonable explanation that support the decision to include the stated number of individuals.
This number can be an estimate, as it is often not possible to anticipate the number of data subjects that will complete a survey, for example. Still, it would be necessary to explain what would be the minimum/maximum number of survey responses that would ensure that the survey goals are met.
Likewise, for some processing activities like observations where data subjects are not being actively targeted, it is still necessary to provide a reasonable estimate of the number of individuals that could potentially be involved, as this is necessary to estimate the scope of the impact – a processing activity that can potentially involves thousands of individuals, like observations in sports stadiums, is more impactful than one that could involve tens of individuals, like observations in a residential playground.
Nature of the relationship between data subjects and controllers:
It is necessary to describe whether there is any relationship between data subjects and controllers, that may interfere with data subject’s capacity to object, or to freely give or refuse their consent. The most common reason for this interference is when a potential imbalance of power exists in the context of this relationship.
A power imbalance arises when the controller is in a (real or perceived) position of power over the data subject. An imbalance of power is critical in determining if consent can be legitimately used as a lawful basis for the processing – because if individuals might feel they have to give their consent, their consent will not be considered as freely given. This is often the case when both data subjects and controllers are members of the same organization, belong to the same group, or where there is a dependency relationship.
If there is no relationship between controllers and data subjects prior to the start of the processing activity, then it is unlikely that an imbalance of power to materialise. In those cases, it is reasonably to state in the Privacy Scan that “A potential imbalance of power between controllers and data subjects is not reasonably expected“.
On the other hand, If both controllers and data subjects belong to the same organization (both are UU employees and/or students, for example), a potential imbalance of power must be presumed. In those cases, it is reasonably to state in the Privacy Scan, after the nature of the relationship has been explained, that “A potential imbalance of power between controllers and data subjects is reasonably expected”.
Keep in mind that what is also asked here is a description of the nature of the relationship, and whether an imbalance of power can be reasonably expected. The measures that explain how this potential power imbalance is addressed will be explained elsewhere in the Privacy Scan, so there is no need to describe these measures in here.
Previous: Description of the Project’s Purpose | Next: Description of the Categories and Purposes of Personal Data
- Description of the Project’s Purpose
- Description of Data Subjects
- Description of the Categories and Purposes of Personal Data
- Description of the Processing of Personal Data
- Description of Information Provided to Data Subjects
- Description of How Data Subjects Can Exercise Their Data Subject Rights
- Description of Lawful Basis for Processing
- Description of Measures to Ensure Compliance By Processors and/or Joint Controllers
- Description of Planned Transfers of Personal Data to Other Countries Outside the EU
- Obtaining, Consulting, and Dealing with Data Subjects’ Views of the Processing
- Preliminary Risk Assessment