As data protection regulators keep reminding us, the research and data protection communities mean different things when they talk about “consent”. A couple of recent conversations have made me wonder whether that terminology clash may have another effect: are those putting research into practice missing out on existing guidance that could help with that transition?
In the research world it seems that once you’ve obtained consent, or decided it is not applicable, the only other guidance available is from the field of “ethics” as it applies to the particular research domain. Hence it may also seem natural when reading data protection law to look at the section marked “consent” and then try to resolve all remaining questions using “ethics”. In fact, the rest of the General Data Protection Regulation (GDPR) provides much more concrete guidance on how to do the research-to-practice transition.
First is the way that research is explicitly allowed (subject to appropriate safeguards) to take a broader focus than services: for example contrast “consent to certain areas of scientific research” in Recital 33 with “consent … for one or more specific purposes” in Article 6(1)(a); or the recognition of research as a broad “compatible purpose” in Article 5(1)(b). This indicates that we should expect to narrow our focus, and set more specific requirements, as we move from research to implementation. Indeed one of the outcomes of research should be precisely to discover which practical activities are likely to be beneficial.
Similarly with data, there should be a narrowing of focus from data that might be needed for research down to the data that the research concludes are actually required to achieve a specific result. If that result is the delivery of a service, then the GDPR’s principles of data and storage minimisation are particularly relevant. These appear in many ethics codes but the GDPR provides better guidance. In particular, the GDPR concept of processing “necessary for …” provides a clear test to distinguish information that is essential to service delivery from optional information that we could use if the user chooses to provide it.
Where research results are used to improve how an organisation conducts its activities then two other legal bases are informative, whichever may formally apply. The “public interest” basis helps to explore the requirement, common to most ethics codes, for “lawfulness, fairness and transparency”. The “legitimate interest” basis requires – and provides guidance on – consideration of “fundamental rights and freedoms”, as well as the principles of “purpose limitation”, “accuracy”, “integrity and confidentiality”.
Finally, the principle of “accountability” requires that we not only do this thinking, but that we be able to demonstrate that we have done it.
As I’ve written elsewhere, this takes us a long way into what has traditionally been solely a matter for “ethics”. Once we have actually exhausted the guidance that is available through the GDPR, the remaining questions that really do need to be dealt with by ethics may seem less daunting.
