There seems to be two defining issues: data protection and inclusion/vetting.
Data Protection:
The UK General Data Protection Regulation (GDPR) applies to anyone - individuals, organisations, companies - that holds personal data. In the case of individuals there's a "domestic purposes" exemption which means that our everyday lists of contacts, friends, family work etc isn't subject to the GDPR, however an individual holding a detailed list of other people's data for a non domestic purpose would be covered by the GDPR and the list holder would be subject to all the legal requirements of the GDPR for the purposes of the list. So the list doesn't have to be held by an organisation.
That said, there remain questions of trust - who 'owns' the list ? how is the list managed ? what happens in the event that the list holder is unable to maintain the list ? etc For these purposes it would seem that the most practicable solution is for the list to be held by a legally constituted organisation with an established GDPR policy. It's important to recognise that this isn't simply a list of names - implicit in inclusion on the list is the health status of the individual, with all that comes with that.
Inclusion/vetting:
The potential difficulties with this are somewhat dependent upon how the list is to be operated. In turn that depends upon the trust relations that are explicit/implicit in operating the list. There are three orders of potential trust relationships - a) between list holder and listee, b) between list holder and researcher c) between listee and researcher.
How these relationships are approached/managed will define how the list is operated. For example, is the list holder acting as a disinterested introduction agency - simply passing on researcher details to list members and offering no guarantees to researchers as to the competence, capacity etc of any respondent from the list, and in reverse offering no guarantee of a usefulness of any contact made with a researcher ? This might all seem superfluous but it goes to the heart of the validity of having the list - if listee and researcher have prior expectations that are not met the whole process quickly fails.
If the list holder is to act as more than just an introduction agency, then what level of vetting and/or requirement of listee details would be required ? Would the list holder be empowered to limit the number of 'introductions' to avoid the same individuals monopolising opportunities ? Or to even exclude individuals from the list entirely ? How would such decisions avoid claims of discrimination ?
The way I think this might work is:
a) the list to be managed by an established organisation.
b) inclusion on the list would be limited to current members of organisations that are themselves members of the ForwardME group.*
c) researchers would simply be offered the opportunity to have their project advertised to the list membership, no guarantees would be made that any contact may result or that those contacts would be suitable for the project's purposes.
d) the list holder would undertake to verify that any advertised project was part of a legitimate UK based research organisation.
e) the listees would be informed that the list holder makes no guarantees about how any response a listee may make to an advertised project will be received , other than that the project is legitimate.
* I know this may not be welcome but the list holder needs to have some means to verify the real world identity of the list members, and establishing an affiliation with a known organisation is a short cut to this. Beyond this I don't see any possibility that 'vetting' could not fall foul of a variety of discrimination issues.
