The ICO has launched a consultation on its draft guidance[1] (“Draft Guidance”) on the research provisions within the UK GDPR and DPA 2018 (“UK DP Legislation”). UK DP Legislation contains a number of provisions related to processing for research purposes in various places. Although these provisions are under review as part of the UK’s governments’ proposed overhaul of UK DP laws, the government believes it is necessary to issue guidance on what we have at the moment. The Draft Guidance aims to point to the relevant provisions in one place, explain how they fit together and their practical effect. The consultation ends on 22 April 2022.
Here we provide a brief overview of the key points in the Draft Guidance.
What is research under UK DP Legislation?
The Draft Guidance states there are broadly 3 types of research related purposes for processing personal data in the UK DP Legislation, these are:
- Archiving purposes in the public interest – to ensure the permanent preservation and usability of records of enduring value to the public interest;
- Scientific or historical research – broadly this includes research in traditional academic settings and the full range of academic research, including social sciences, humanities and the arts, as well as research carried out in commercial settings and technological development and demonstration; and
- Statistical purposes – processing where the main objective is to generate statistics.
The guidance emphasises that it is the aim of the processing that is key to determining whether it is covered here as ‘research’. For each of the types of research listed above, it provides non-exhaustive examples and indicative criteria to assist in determining whether a particular type of processing comes under the provisions.
Archiving in the public interest
Examples of processing that would be archiving in the public interest include enabling research and investigations, preserving personal community and corporate identities, memories and histories and securing records for future educational use. Merely storing records for a specified limited period or retaining records that have no potential or confirmed enduring value to society are not archiving in the public interest, even when done for legal or business reasons.
Scientific or historical research
The purpose of scientific or historical research is to produce new knowledge or to apply existing knowledge in novel ways. Scientific or historical research aims to:
- Advance the state of the art in a given field or provide innovative solutions to human problems;
- Generate new understanding or insights that add to the sum of human knowledge in a particular area; or
- Produce findings of general application that can be tested and replicated.
Statistical purposes
The Draft Guidance emphasises that not all processing that generates statistical results will count as processing for statistical purposes. Processing for statistical purposes may be done by public authorities and bodies with statutory obligations to produce and distribute official statistics but the guidance also notes that private and third sector organisations can also carry out this type of processing. To be covered as statistical processing the outcome of the processing should either:
- Not be used to make decisions or justify measures about individual data subjects; or
- Have been rendered anonymous and therefore no longer be personal data.
Principles and grounds for processing relevant to research
Of the data protection principles set out in Article 5 of the UK GDPR, two, namely those of purpose limitation and storage limitation, contain special provisions for research related processing.
The purpose limitation principle allows the reuse of existing personal data for research related purposes provided appropriate safeguards are in place. The original lawful basis can still apply provided this was not consent.
The principle of storage limitation states you can keep personal data indefinitely if processing for research related purposes, provided adequate safeguards are in place.
It is noted there is no specific lawful basis for research, and so the likely bases to be relied upon in this area are legitimate interests or public task (i.e. processing is necessary for you to perform a task in the public interest).
In relation to consent, the Draft Guidance notes that whilst it will be necessary to obtain consent for using personal data in a research study such as for medical research, this consent is distinct from consent as a lawful basis for processing under UK GDPR. Further, it states that just because consent is needed to participate in a research study, this does not mean consent is likely to be the most appropriate lawful basis for processing personal data as part of the study, and in fact in most cases, consent will not be the most appropriate lawful basis. This is because for consent to be valid under the UK GDPR, the individual must be able to withdraw it at any time and there is no exemption to this for scientific research. This is not likely to work in the middle of a scientific study as it could undermine its validity. Further, consent as a lawful basis is not considered appropriate where there is an imbalance between the individual and the processor. For many organisations carrying out processing for research purposes, there will be an imbalance between them and the individual.
Special categories of data
The guidance notes that there is a special condition that allows the processing of special categories of data for research related purposes in Article 9 of UK GDPR (Art 9 (2) (j). Schedule 1, para 4 of the DPA 2018 sets out some additional requirements for relying on this condition[2].
Exemptions
The Draft Guidance also explains how exemptions to the various data subject rights (such as the rights to be informed, to access, to rectify, erase, to restrict, to port and to object) apply to research based processing. It notes some of these rights contain built-in exceptions for research (e.g. the right to be forgotten in Article 17 of UK GDPR), whilst with other rights, there may be a separate research exemption available if the right would undermine the research purposes. The guidance states such exemptions should not be relied on in a blanket fashion and must be considered on a case-by-case basis. An individual’s rights should only be restricted if the exemption applies and there is a valid reason to apply it, and, if individuals’ rights can be given full effect without undermining research purposes, the exemptions cannot be used.
Appropriate safeguards
Finally, the guidance goes on to explain what ‘appropriate safeguards’ are in the context of research related processing. Article 89 of the UK GDPR provides use of research provisions is dependent on having these in place to protect the rights and freedoms of data subjects. The safeguards are technical and organisational measures to ensure data minimisation. Where possible, organisations should carry out research using anonymous information and where this is not possible, pseudonymising the data should be considered. Pseudonymised data will still be personal data. Use of the research provisions will not be permitted if processing is likely to cause substantial damage or distress to an individual or where the processing is carried out for the purposes of measures or decisions regarding particular data subjects, except if the research is approved medical research.
The ICO believes it is important to develop the current proposed guidance to support organisations using personal data for research purposes now. It also sees this as a way to identify issues needing further reform that currently are problematic in this field.
[1] research-provisions-draft-consultation-202202.pdf (ico.org.uk)
[2] See page 24 of the Draft Guidance.