At a glance
- Article 5 of the UK GDPR sets out seven key data protection principles. Two of these principles – purpose limitation and storage limitation – contain special provisions for research-related processing.
- The purpose limitation principle says you can reuse existing personal data for research-related purposes, as long as you have appropriate safeguards in place.
- The principle of storage limitation says that you can keep personal data indefinitely, if you are processing it for research-related purposes, as long as you have appropriate safeguards in place.
- There is no specific lawful basis for research. Depending on your status and context, you are likely to rely on either legitimate interests or public task for this type of processing.
- There is a specific condition allowing the use of special category data or criminal offence data for research purposes, if this is in the public interest and you have appropriate safeguards in place.
In detail
- What do the data protection principles say about research?
- What does the purpose limitation principle say about research?
- Do we need a new lawful basis?
- What if our original processing was based on consent?
- What does the storage limitation principle say about research?
- What lawful basis should we use when processing personal data for research related purposes?
- What about consent?
- What is the research condition for processing special category data?
- What is the research condition for processing criminal offence data?
- What does ‘necessary’ mean?
- When is research related processing ‘in the public interest’?
What do the data protection principles say about research?
Article 5 of the UK GDPR sets out seven key data protection principles.
These principles lie at the heart of the general data protection regime. They don’t give hard and fast rules, but rather embody the spirit of the general data protection regime. As such, there are very limited exceptions.
However two of these principles – purpose limitation and storage limitation – contain within them special provisions for research-related processing.
What does the purpose limitation principle say about research?
Article 5(1)(b) states that personal data shall be:
“collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes.”
This simply means that processing data for research-related purposes is compatible with the original purpose.
This applies as long as your intended further processing:
- meets the criteria for one of the research-related purposes;
- is necessary for one of the research-related purposes;
- is fair and lawful; and
- has appropriate safeguards in place.
If you meet these conditions, then your research purposes are compatible with your original purpose. You do not need to undertake a specific compatibility test.
Do we need a new lawful basis?
All processing must be lawful, so you do need a lawful basis. Your original basis to collect the data may not always be appropriate for your research-related processing.
In most cases, your lawful basis for your research-related processing is either:
- public task – the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law; or
- legitimate interests – the processing is necessary for your legitimate interests, or the interests of a third party, unless there is a good reason to protect the person’s personal data which overrides those legitimate interests.
Which of these is right for you often depends on the type of organisation you are. It is most likely that public authorities can rely on public task. Commercial and charity organisations are more likely to use legitimate interests.
If you want to use the legitimate interests lawful basis, you are usually advised to carry out a legitimate interests assessment (LIA) before you begin. However, carrying out research with appropriate safeguards in place, including all other ethical standards and regulatory requirements, means you are effectively addressing the issues an LIA covers. In this context, you can generally have confidence that the legitimate interest lawful basis applies. You would not need to undertake a separate LIA process.
In all instances, you need to update your privacy information to ensure that your processing is transparent.
Example
An insurance company collects personal data from people who buy their life assurance policies. The lawful basis they use to collect the data is that it is necessary for the performance of a contract – that is, the life assurance contract.
The insurance company wishes to repurpose this data for scientific research and statistical purposes. They wish to gain a deeper understanding of life expectancy and risks of mortality, to help define future pricing strategies.
This new processing for statistical purposes is compatible with the purpose for which they originally collected the data. The insurance company must identify a lawful basis for this new processing.
They are carrying out the research in a fair, lawful and transparent manner. The company has appropriate safeguards in place to protect the rights of the people whose data they are processing.
The insurance company can rely on the legitimate interests lawful basis for this processing.
What if our original processing was based on consent?
If your original lawful basis for processing personal data was consent, you need to seek fresh consent for any new processing activity, including research.
This is because consent means giving people real choice and control over how you use their data. This means that consent must always be specific and informed. People can only give valid consent when they know and understand what you are going to do with their data.
So if people provided their data and consent for you to use it for a non-research purpose, using it for a research related purpose without their knowledge or agreement unfairly undermines the informed nature of their original choice.
Remember that if data is effectively anonymised, then it is no longer considered personal data. This means data protection legislation does not apply. You can carry out research on anonymised data, even if it was originally collected on the basis of consent.
However, if you originally collected personal data on the basis of consent to carry out a particular research project, you can use that personal data for another research project. Although generally people must only give consent for specific purposes, the law recognises that in a research context, it’s often not possible to fully identify the specific research purposes at the time of collection. Recital 33 states that:
“individuals should be allowed to give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research.”
This is sometimes known as “broad consent”. It means that if you are processing personal data on the basis of consent for scientific research, you don’t need to be as specific as for other purposes. However, you should identify the general areas of research. Where possible, you should give people granular options to only consent to certain areas of research or parts of research projects.
What does the storage limitation principle say about research?
Article 5(1)(e) requires that personal data shall be:
“…kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject…”
Storage limitation means that, even if you collect and use personal data fairly and lawfully, you cannot keep it for longer than you actually need it.
The general rule is that you cannot hold personal data indefinitely just in case you may find it useful in future. However, Article 5(1)(e) provides an exception to the principle of storage limitation for research-related processing. This means that you can keep personal data indefinitely, if you are processing it for one of the research-related purposes.
However, this must be your only purpose. If you justify indefinite retention on this basis, you cannot later use that data for another purpose. In particular, you cannot use it for any decisions affecting particular people. This does not prevent other organisations from accessing public archives, but they must ensure their own collection and use of the personal data is compliant.
If you are no longer processing the data for any purpose, including a research-related purpose, you must delete it.
You must have appropriate safeguards in place for people’s rights and freedoms.
Further reading – ICO guidance
What lawful basis should we use when processing personal data for research-related purposes?
Article 6 of the UK GDPR sets out the lawful bases for processing. You must have a lawful basis in order to process personal data.
The most appropriate lawful basis depends on your specific purposes and the context of the processing. However, in the context of research-related processing, the most appropriate lawful basis is either:
- public task – the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law; or
- legitimate interests – the processing is necessary for your legitimate interests, or the interests of a third party, unless there is a good reason to protect the person’s personal data which overrides those legitimate interests.
Which of these applies depends on the specific purposes of your processing, and what type of organisation you are. If you are a private or third sector organisation conducting research, legitimate interests is the most likely lawful basis for your processing. However, if you are a public authority, such as a university or an NHS organisation, public task is the most likely lawful basis.
Further reading – ICO guidance
What about consent?
If you are conducting a research study using personal data, such as medical research or a clinical trial, you will often need to obtain consent from participants to take part. Consent is an important ethical standard that ensures and protects the autonomy and privacy of participants in research studies.
However, it is important to note that consent to participate in a research study is distinct from consent as a UK GDPR lawful basis to process personal data. Even if you have a separate ethical or legal obligation to get consent from people participating in your research, you should not confuse this with UK GDPR consent.
Needing people’s consent to participate in your research study does not mean that consent is the most appropriate lawful basis for processing their personal data. There is no rule that says you must rely on consent to process personal data for scientific research purposes. You may well find that a different lawful basis (and a different special category data condition) is more appropriate in the circumstances. In fact, in most cases, consent is not the most appropriate lawful basis.
This is because valid consent under the UK GDPR means the person can withdraw it at any time. There is no exemption to this for scientific research. This means that if you are relying on consent as your lawful basis and someone withdraws their consent, you need to immediately stop processing their personal data, or anonymise it.
Consent is only valid if the person can withdraw it at any time. If you cannot fully action a withdrawal of consent – because it would undermine the validity of your research and effective anonymisation is not possible – then you cannot rely on consent as your lawful basis (or condition for processing special category data).
Also, consent is not an appropriate lawful basis for processing where there is a power imbalance between you and the person whose personal data you are processing. This is particularly likely if you are a public authority. If you are a research institution undertaking a study, a power imbalance may exist between you and your participants. In these cases, the participants may not freely give consent, and so it cannot be valid.
Therefore, if you are processing personal data for one of the research-related purposes, it is unlikely that consent is the correct lawful basis.
We produced a lawful basis interactive guidance tool, to give more tailored guidance on the most appropriate lawful basis for your processing activities.
Further reading – ICO guidance
What is the research condition for processing special category data?
If you are processing special category data, you need to identify both a lawful basis for processing and a special category condition for processing in compliance with Article 9.
Special category data is personal data that needs more protection because it is sensitive. It is defined as:
- personal data revealing racial or ethnic origin;
- personal data revealing political opinions;
- personal data revealing religious or philosophical beliefs;
- personal data revealing trade union membership;
- genetic data;
- biometric data (where used for identification purposes);
- data concerning health;
- data concerning a person’s sex life; or
- data concerning a person’s sexual orientation.
The presumption is that organisations need to treat this type of data with greater care. This is because collecting and using it is more likely to interfere with people’s fundamental rights.
You can only process special category data if you can meet one of the specific conditions in Article 9 of the UK GDPR. One of these conditions is that the processing is necessary for research-related purposes.
Article 9(2)(j) provides a condition for processing if it is necessary for:
- archiving purposes in the public interest,
- scientific or historical research purposes; or
- statistical purposes.
Schedule 1 paragraph 4 of the DPA 2018 sets out some additional requirements for you to rely on this condition. This states that you can process special category data for research-related purposes, if the processing is:
- necessary for that purpose – it is a reasonable and proportionate way of achieving your purpose, and you must not have more data than you need;
- subject to appropriate safeguards for people’s rights and freedoms, as set out in Article 89(1) of the UK GDPR;
- not likely to cause someone substantial damage or substantial distress;
- not used for measures or decisions about particular people, except for approved medical research; and
- in the public interest.