In February 2022, we launched a public consultation. We were seeking views on draft detailed guidance on the research provisions in the UK GDPR and the DPA 2018.

The consultation ran until April 2022. This document summarises the key themes emerging from the responses.

We received 62 responses to the public consultation. We thank everyone who took the time to comment and share their views.

About the consultation

We received responses from a range of organisations across the public, private and third sectors. The breakdown of responses according to sector is as follows:

Sector | Number of responses
Higher education | 10
Government or civil service | 8
Public sector health bodies | 7
Market research | 5
Commercial or third sector health | 5
Financial services | 4
Professional body or trade association | 3
Third sector or charity | 2
Civil society | 2
Tech | 2
Media | 1
Think tank | 1
Anonymous or unspecified | 12

In general, the responses were positive. Most respondents said that the guidance is clear and easy to understand. They also said it would help them comply with their data protection obligations. Many respondents commented that the guidance is much needed. They said it helps to explain a very complex and technical area of regulatory compliance.

In analysing these responses, we saw several key themes emerge. We have summarised these themes below, as well as setting out how we are responding to people’s feedback.

Key themes

Research-related processing is processing organisations carry out for:

  • archiving purposes in the public interest;
  • scientific or historical research purposes; or
  • statistical purposes.

For ease of reference we refer to these as ‘research-related purposes’.

The legislation does not define any of these terms. However, the UK GDPR’s recitals do give some additional detail.

Early engagement with relevant organisations told us that those processing for research purposes want more certainty about:

  • key definitions in the research provisions;
  • how the provisions work; and
  • when they can use the provisions.

As a result, we identified a need to produce detailed guidance which:

  • clarifies key definitions;
  • explains the effects of the various research provisions;
  • clarifies how they fit together; and
  • has broad applicability for the full range of organisations engaged in research-related processing.

Our approach to the key definitions

The guidance explains what kind of activities fall within the definitions of research-related purposes.

To understand if an organisation is processing for a research-related purpose, the goals and purposes of an organisation’s activities are key. How they are carrying them out is less crucial (although still important).

There is a broad range of activities that may fall within the terms of research-related purposes. All types of organisations operating in the private, public and third sectors can carry out these activities.

We developed indicative criteria of the types of aims and purposes for each type of research-related processing.

These criteria help organisations identify which activities they can define as for research purposes. They can then make use of the research provisions for these activities.

There was broad support for this approach. Most agreed that it strikes the right balance between certainty and flexibility. People also thought it met the Recital 159 requirement to interpret scientific research broadly.

However, some felt that this approach did not provide enough certainty. These respondents suggested that the guidance should clearly state what kinds of activities count as research-related processing. For example, they wanted the guidance to set out exactly how many criteria organisations must meet, or the relative weighting or importance of each criterion.

Some suggested that we:

  • add further activities or standards to the tables of indicative criteria;
  • align the definition of scientific research more closely with, and explicitly draw upon, the OECD’s Frascati Manual; and
  • add more detail about the meaning of terms in Recital 159, such as “fundamental research” and “applied research”.

Some also suggested that we should produce separate guidance for archiving in the public interest. They pointed out that:

  • archiving has a broader purpose than scientific or historical research;
  • appropriate safeguards for archiving are very different from those appropriate for the other research-related purposes; and
  • by including them together, it may create confusion about the measures necessary to protect people.

Finally, some respondents asked for clarification about whether processing for AI and machine learning operations counts as processing for statistical purposes.

Our response

We believe that our approach to the definitions strikes the right balance between being prescriptive and interpreting research processing broadly. The law intends the definitions to be flexible and broad, and applicable to a wide range of organisations. The onus is on organisations to demonstrate that their processing falls under the definitions of one of the three types of research-related purposes.

We added content to the tables of criteria, and more detail on how we understand the terms in Recital 159. We consider that our definition of scientific research is already consistent with that in the Frascati Manual. However, we’ve added some additional content on this point.

Considering the comments about archiving, we:

  • added content where the requirements for those organisations archiving in the public interest are different from those of the other types of research-related processing; and
  • linked to guidance from The National Archives.

Finally, on the question of AI and machine learning, we are currently giving this issue further consideration and expect to address it in future guidance.

Complexity of research projects

Several respondents noted that research projects are often large scale and highly complex. This brings a number of challenges, which they believe the draft guidance does not address in sufficient depth.

Regulatory complexity

Many research projects take place in a complex regulatory landscape. Data protection requirements are just one of many of their legal obligations. Some commented that the draft guidance does not refer to these other obligations, limiting its practical applicability.

Collaboration and joint controllership

Some commented that the draft guidance does not reflect the complex collaborative relationships that are common in research projects. In particular, they noted that many research projects involve partnerships between public, private and third sector organisations. Others noted that collaboration often takes place between organisations based in different jurisdictions.

Our response

We drafted this guidance as foundational. It clarifies key terms and definitions, explains the effects of the various provisions and clarifies how they fit together. Given the broad scope and applicability of the research provisions, we designed it for cross-sectoral applicability. We want as many people as possible to find it useful. Its purpose is not to act as a complete data protection toolkit for researchers. It is also not designed to explore the regulatory requirements that vary widely from sector to sector.

However, we are planning to carry out further work in this area. We see this as the start of our work, not the end.

Reuse of data and lawful bases

Several respondents raised concerns about our position that when conducting research using data originally collected for a different purpose, organisations can simply rely on their original lawful basis. Although acknowledging that this simplifies things, respondents pointed out that this poses issues with transparency. The new processing for research-related purposes, although compatible with the original purpose, may not be consistent with the original lawful basis.

An example of this is personal data originally collected on the basis that it is necessary for the performance of a contract. Whilst further processing of that data for research-related purposes is compatible with the original purposes, it is difficult to argue that the research processing is necessary for the performance of the contract.

Our response

We’ve amended the guidance to reflect the concerns raised in this feedback.

Our position is now that you are required to identify a lawful basis for the research-related processing, but that it is likely to be either public task or legitimate interests (depending on the nature of your organisation).

Consent

Respondents welcomed our statements about the importance of understanding the difference between ethical consent to participate in a research study and consent as a lawful basis for processing personal data. Many respondents said that this remains an area of uncertainty and confusion. They were glad to see a clear statement that consent is often an inappropriate lawful basis.

Some respondents from the market and social research sector pointed out that some research is correctly carried out in that sector on the basis of consent.

Some respondents expressed concern about not relying on research being a compatible purpose when using data originally collected using consent. They noted that, prior to the UK GDPR, many research projects did rely on consent for processing personal data. Some commented that researchers could not use this data for research-related purposes without obtaining fresh consent.

Our response

Where personal data was originally collected on the basis of consent for a non-research related purpose, it would unfairly undermine that consent to process the data for research purposes that were not specifically consented to at the time the data was collected.

However, we’ve amended the guidance to clarify that the notion of ‘broad consent’ means that data that was originally collected on the basis of consent for a particular research project can be used for another research project.

The guidance does not say that consent is never an appropriate lawful basis. However, there is a difference between ethical consent to participate in research and consent as a lawful basis for processing. The guidance emphasises that just because an organisation obtained consent for a research study, it should not use consent as its lawful basis for processing.

Need for more examples and detailed case studies

Respondents commented that:

  • The majority of the examples in the draft are of public sector research. This is a weakness because private sector organisations undertake a lot of research, either alone or in collaboration with public sector bodies.
  • Some of the examples do not realistically reflect the types of processing that take place in the sector they are supposed to be illustrating.
  • Other examples are overly simplistic. They don’t take into account the complex regulatory landscape most research-related processing is operating in. In some cases, we removed these examples.

In addition, respondents from a variety of sectors asked for detailed, complex case studies addressing a number of specific issues, including:

  • public and private partnerships;
  • cross border research;
  • medical and clinical research; and
  • processing for statistical purposes.

Our response

We removed some of the examples and, where possible, replaced them with examples that respondents to the consultation provided.

It is evident from the feedback that there is a great demand for more detailed examples and fully worked case studies, from all sectors and covering many different types of research-related processing.

As noted above, we are planning to carry out further work on this topic. This includes producing case studies and additional examples to complement this guidance.

Need for more detail about the appropriate safeguards

Respondents commented that they thought we needed more on appropriate safeguards. They believed that the draft guidance was overly focused on data minimisation and pseudonymisation.

In particular, respondents wanted more detail about:

  • privacy-enhancing technologies such as trusted research environments (TREs);
  • accountability frameworks such as the ICO’s, or the five safes framework;
  • security;
  • data protection by design and default;
  • data protection impact assessments; and
  • data sharing agreements.

Our response

We referred to these and provided links to other guidance that exists. However, we do not go into extensive detail as ICO guidance on all of these topics exists elsewhere. In the case of guidance on privacy-enhancing technologies, we are currently producing this. Including more detail in this guidance would make it excessively long, and would repeat material that exists elsewhere. For this reason, we prefer to link to this guidance for those who wish to consult it, rather than reproduce it in this particular guidance.

Clarity and presentation

Most respondents agreed that the guidance is clear and easy to understand.

However, some queried who the target audience for this guidance is. They noted that it is too complex and technical to be useful to most researchers, or to the general public.

Our response

The guidance is not primarily intended for researchers. We aimed it at DPOs and others with data protection responsibilities working in organisations that are carrying out processing for research-related purposes. We included additional content at the start of the guidance explaining this.

As noted above, we are also planning to carry out further work on this topic.