The UK’s data protection regulator, the Information Commissioner’s Office (‘ICO’), has released draft guidance on the research provisions within the UK’s General Data Protection Regulation (‘UK GDPR’) and Data Protection Act (‘DPA’). The guidance is out for public consultation until 22 April 2022.
The UK GDPR and DPA contain a number of provisions for processing personal data for ‘research related purposes’ (this is how the ICO phrases it in the guidance). There are three types of research related purposes:
- archiving purposes in the public interest – an example of this would be creating a museum archive of interviews with individuals who emigrated to the UK in the 1950s and 1960s;
- scientific or historical research purposes – an example of scientific research would be a study carried out by a wearables manufacturer into whether or not there is a correlation between the number of hours in the day a user wears their wearable, and the number of steps achieved by the wearer; and
- statistical purposes – an example would be a health authority collecting data about positive cases of COVID-19 in order to deduce the reinfection rate.
The guidance provides a useful list of criteria that can be used to identify whether a purpose for processing personal data is likely to be considered a research related purpose.
The UK GDPR and DPA provisions that refer to such research related purposes are: (i) the purpose limitation principle; (ii) the storage limitation principle; (iii) the conditions for processing special category data; and (iv) the exemptions.
Research related purposes as they relate to the principles
The purpose limitation principle only allows you to process personal data for specified, explicit and legitimate purposes. Any further processing by you (‘secondary use’) must be compatible with the original processing unless it is for a research related purpose. This means that, so long as the lawful basis for your original processing was not consent, you can process the data for a research related purpose as a secondary use in reliance on the original lawful basis. However, if your original purpose was a research related purpose, then you will still need a lawful basis. And, if you collect personal data from a third party, which you subsequently use for a research related purpose, you cannot rely on the third party’s original lawful basis (unless you are a processor and you are within the CNIL’s jurisdiction – see below).
The storage limitation principle only allows you to keep personal data in an identifiable form for as long as you require it to achieve the purpose for which it was collected. The exception to this is if you are processing the data for a research related purpose, in which case you can keep it for longer (and arguably, indefinitely, if you can justify it!).
Conditions for processing special category data
Article 9(1) UK GDPR creates a prohibition on processing special category data (e.g. race, ethnicity, health, genetic and biometric data) unless a condition applies. One of these conditions is that the processing is necessary for a research related purpose. The DPA sets some requirements for relying on this condition: that the processing is necessary, is subject to the safeguards set out in Article 89(1) UK GDPR, is not likely to cause substantial damage or distress, is not used to measure or make decisions about individuals and is in the public interest.
In respect of the first and final requirements, the ICO provides some helpful commentary on how it understands them. Most interestingly, the ICO’s view is that what amounts to public interest should be interpreted broadly and can include any clear and positive benefit to the public.
The UK GDPR and DPA contain a number of exemptions to complying with a data subject rights request. Such requests can include the right of access, erasure, rectification, portability, restriction and objection. For some of these rights, an exemption is available if you are processing the data for a research related purpose. However, you are only permitted to rely on this exemption if complying with the request would prevent or seriously impair achieving the purpose for processing, and the processing is subject to the safeguards set out in Article 89(1) UK GDPR, is not likely to cause substantial damage or distress and is not used to measure or make decisions about individuals.
CNIL’s guidance on secondary use of data
The ICO’s guidance has some overlap with recent guidance published by the CNIL about the secondary use of data by processors (i.e. uses of data that would be considered compatible with the original purpose). Based on the CNIL’s guidance, if a processor wants to use data for a research related purpose, it would need the written consent of the controller. In such cases, the controller must inform the data subject and the processor then becomes responsible for the further processing.
If you are using personal data for a research related purpose, the first thing you should always consider is whether you can achieve the same purpose by anonymising the data. If not, the ICO’s guidance will be helpful in navigating the various compliance hoops you have to jump through in order to rely on the flexibility provided in the UK GDPR and DPA for processing data for research related purposes.