Research Provisions in the GDPR

Like the current Data Protection Act 1998, the General Data Protection Regulation (GDPR) will apply to any research involving data about identifiable living individuals. Also like the Act, the Regulation provides for adaptation in a couple of areas where this is needed to make such research possible.

All processing of personal data needs a legal basis. Six are listed in GDPR Article 6; three seem most likely to be suitable for research:

  • Under the GDPR consent needs to be freely-given, informed, opt-in and capable of being withdrawn at any time. For research the requirement to inform is relaxed so the researcher only needs to describe the “areas of research” (Recital 33), rather than giving specific detail. But consent must still be free, withdrawable and indicated by a specific positive action by the data subject;
  • For research where GDPR-compliant consent is not feasible, either legitimate interests or public interest may be a better fit. The boundary between the two is still unclear – the Information Commissioner has recently confirmed that public interest is unlikely to apply to all of a university’s activities – but both require the benefits of research to be balanced against the risks caused to individuals. This needs to be done by the researcher for legitimate interest or the legislator for public interest. It may be safer for researchers to incorporate the balancing test in any case because, if it is later ruled that public interest does not apply, the research may become unlawful if this has not been done. With both bases, individuals have the right to object to processing;
  • GDPR Article 9(2)(i) requires research using special category data (health, race, religion, etc.) to be authorised by EU or national laws that set appropriate conditions and safeguards. For the UK, this will be done by the Data Protection Bill currently being debated in Parliament (see Schedule 1).

It’s worth noting that whereas the law does not normally allow a change of basis for ongoing processing, the Information Commissioner has recognised that the introduction of the GDPR is an occasion when such a change may be permitted. That offer is likely to be open for only a limited period of time, so it is worth double-checking whether your current legal basis will still be the appropriate one under the GDPR’s new conditions or whether a different one would be preferable.

Whereas the research adaptation for legal basis is set across Europe by the GDPR itself, the adaptations in the area of data subject rights are left (by Article 89) for individual member states to decide. The Regulation permits research activities to be exempted from some rights, but only if those rights would “render impossible or seriously impair” the research process. Member states must specify which rights (at most Subject Access, Rectification, Objection and Restriction, i.e. suspending processing while performing a rectification or objection) may be refused, as well as specifying safeguards that must be applied to research before it can qualify for any exemption. Under section 33 of the 1998 Data Protection Act, those safeguards include that the processing of data must not lead to decisions or measures with respect to individuals and there must be no substantial risk of damage or distress arising out of the research. The Data Protection Bill, currently being debated in Parliament, has similar requirements in Schedule 2, but also includes a proposal to allow results of approved medical research to be used to treat the individual research subjects.

Finally, GDPR Article 85 for the first time gives research publications a similar status to journalism so, while it should still be unusual to identify individuals in a publication, it may be possible to claim that the public interest justifies doing this in some cases. Further legal guidance will be needed on this permission – newspapers frequently have to defend their publication choices in court – but it may, for example, help those studying the history of recent events where it is impossible to avoid identifying the (still-living) individuals involved.

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!
