Experiencing a global pandemic has provided us with many examples of the importance of scientific research to our lives. Meanwhile, a sometimes popular (mis)conception is that data protection laws – and particularly the notorious GDPR – are a barrier to the effective use of personal data for research. Consequently, new guidance from the UK’s Information Commissioner’s Office (ICO) – which is open for public consultation until 22 April 2022 – is timely, and should be on the radar of both private and public sector organisations who use personal data for research. This article explores the key points of the new guidance.
Whilst the substance of the new guidance is not ground-breaking, it does serve as a helpful exposition of the often poorly understood ‘research provisions’ which exist within the (UK) GDPR and Data Protection Act 2018. It also comes at a time when many organisations are eagerly anticipating the long-awaited guidelines from the European Data Protection Board on the topic of scientific research, which were promised in a shorter piece of guidance published at the height of the pandemic. It’s clear that scientific research is something of a hot topic in data protection circles!
What are the ‘research provisions’?
By ‘research provisions’, the ICO means the network of exemptions, special conditions and dispensations that are scattered throughout data protection law, and which operate to make it possible to use personal data for research purposes in a wide variety of contexts. Choosing this moment in time to provide the public with a clear roadmap to the research provisions may be seen as a direct response to the UK Government’s recent consultation on reforming UK data protection laws (Data: A New Direction), which explicitly noted that provisions for research were “complex” and “dispersed”. The implication was that data controllers did not fully understand, and therefore were not effectively making use of, the research provisions.
In summary, the research provisions create a ‘special regime’ for personal data processed for scientific research purposes (and archiving and statistical purposes) in the following areas:
- purpose limitation;
- storage limitation;
- lawful bases for processing; and
- data subject rights, including transparency.
What is scientific research?
The guidance provides a welcome exploration of the scope of ‘scientific research’ for the purposes of data protection law. In general, it posits a definition which should be “understood broadly” and which explicitly applies in commercial, as well as academic, contexts. However, it does also note that research should aim to produce new knowledge or apply existing knowledge in novel ways and that it should often (albeit not always) aim to provide a public interest benefit.
Helpfully, the guidance goes on to provide a (non-exhaustive) list of criteria that are indicative of scientific research, and which can operate as a form of checklist for gauging the applicability of the research provisions to a given processing activity.
Re-use of personal data for research
The guidance reminds controllers of the powerful exemption from the purpose limitation principle that exists for personal data that is re-used for scientific research purposes. Provided the applicable safeguards are in place (see below), personal data collected for one purpose can – as an exception to the normal rule – be re-purposed for scientific research, without needing to obtain the data subject’s consent.
Informed consent is at the heart of scientific research, and informed consent forms are a vital component of many research studies, including clinical trials.
However, a common misconception is that the ethical requirement for informed consent to participate in research equates to a requirement for obtaining consent as the lawful basis for processing under data protection law (Articles 6 and 9 GDPR).
From an EU perspective, this misconception was challenged in the EDPB’s Opinion 3/2019, which recommended that, in most cases, it would be more appropriate for controllers to rely on legitimate interests (Art. 6(1)(f)) and, in respect of special category data, the scientific research basis (Art. 9(2)(j)). This position is confirmed in the ICO’s guidance, which categorically states that “in most cases, consent will not be the most appropriate lawful basis”, and also supports the use of legitimate interests (or public task, for research conducted by public authorities).
Research organisations frequently rely on being able to re-use personal data obtained from third party sources. One example is ‘future use’ research, in which one research organisation donates data to a second research organisation to support a new research study. It is also not unusual for some time to have elapsed between the initial collection of the data and the point at which it is re-used for the new research project.
In these contexts, the starting assumption under Article 14 of the GDPR is that the new research organisation will provide direct notice to the underlying data subjects, giving them the information about the processing of their personal data prescribed by Article 14. However, from a practical perspective this may be particularly difficult. Consequently, the exemption under Article 14(5)(b) – which absolves a controller from having to provide this notice where doing so would prove impossible or involve disproportionate effort – is important. The guidance emphasises that, as provided for by the GDPR, this exemption is particularly relevant in research contexts. However, the ICO also reminds controllers not to apply the exemption in a blanket fashion, but instead to take into account the effort and impact required to provide privacy information, and to balance this against the potential effect that your use of their data will have on the individual. Further, as this constitutes ‘invisible processing’, a Data Protection Impact Assessment (DPIA) is likely to be required.
Applicable safeguards – the section 19 conditions
Data practitioners working in the research field will be familiar with the conditions set out in section 19 of the Data Protection Act 2018 (“DPA 2018”). These are the UK’s ‘appropriate safeguards’ – i.e., the conditions which need to be satisfied when processing personal data in order to benefit from the research framework. They build on the baseline requirements under Article 89 of the GDPR, which call for data minimisation and, where possible, pseudonymisation or de-identification.
Under section 19, controllers must ensure that their processing is not:
- likely to cause substantial damage or distress; and
- used for measures or decisions about particular individuals, except (importantly) where it is approved medical research.
The DPA 2018 does not define these concepts and, until now, we have not had any guidance on what they mean. It is to be welcomed that the ICO sets a high bar for ‘substantial damage or distress’, referring to concepts such as “financial loss, economic or social disadvantage, physical harm, damage to reputation, loss of confidentiality, or deprivation of rights” which are very unlikely to be caused by most genuine research studies.
With respect to the second condition, the ICO explains that this creates a prohibition on benefitting from the research conditions where your research is used “to make specific decisions about the data subjects involved, or to inform the services you provide to them”. Importantly, however, the ICO also reminds us of the carve-out for ‘approved medical research’, which means medical research that has been approved by a research committee recognised or established by the Health Research Authority – and therefore covers approved clinical trials taking place in the UK.