How do the RAS provisions affect the principles and grounds for processing?

At a glance

• Article 5 of the UK GDPR sets out seven key data protection principles. Two of these principles – purpose limitation and storage limitation – include special provision for research-related processing.
• Article 8A of the UK GDPR modifies the purpose limitation principle to let you reuse existing personal information for RAS purposes. This only applies if you have appropriate safeguards in place.
• The storage limitation principle says you can keep personal information indefinitely if:
  • • you’re processing it solely for RAS purposes; and
    • you have appropriate safeguards in place.
• There’s no specific lawful basis for research-related processing. Depending on who you are and the context of your processing, you’re likely to rely on either legitimate interests, or public task.
• There’s a specific condition allowing the use of special category information or criminal offence information for research purposes if it’s in the public interest, and you have appropriate safeguards in place.

In detail

What do the data protection principles say about research?

Article 5 of the UK GDPR sets out seven key data protection principles. 

These principles are central to data protection in general. They don’t give specific rules, but they convey the overall sense of the general data protection regime. This means there are very limited exceptions.

However two of these principles – purpose limitation and storage limitation – make special provision for processing for research-related purposes.

What does the purpose limitation principle say about research?

Article 5(1)(b) states that personal information must be:

“collected (whether from the data subject or otherwise) for specified, explicit and legitimate purposes and not further processed by or on behalf of a controller in a manner that is incompatible with the purposes for which the controller collected the data (‘purpose limitation’).”

This means that if you collect personal information for one purpose and want to reuse it for another purpose, you can only do so if your new purpose is compatible with the original purpose.

Article 8A(3)(b) UK GDPR expands upon this principle, so that processing for research-related purposes is considered compatible with the original purpose. For this to count, your further processing must:

• fall within the scope of one of the research-related purposes;
• have appropriate safeguards in place, in line with article 84B of the UK GDPR; and
• be otherwise fair and lawful.

If your processing satisfies these requirements then it is compatible with your original purpose. You do not need to undertake a specific compatibility test.

The position is different if you originally collected the data on the basis of consent for a different purpose. For more detail, see What is our original processing was based on consent?

Do we need a new lawful basis?

All processing must be lawful, so you do need a lawful basis for further processing for a research-related purpose. Your original lawful basis for the collection of the personal information may not always be appropriate for your processing for research-related purposes.

In most cases, the appropriate lawful basis for processing for RAS purposes is either:

• public task – the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear legal basis; or
• legitimate interests – the processing is necessary for your legitimate interests or the interests of a third party, unless there is a good reason to protect the person’s personal information which overrides those legitimate interests.

Which of these is right for you often depends on what type of organisation you are. Public authorities can likely rely on public task. Commercial and charity organisations are more likely to use legitimate interests.   

If you want to use the legitimate interests lawful basis, you could carry out a legitimate interests assessment (LIA) before you begin. However, carrying out research with appropriate safeguards in place, including all ethical standards and regulatory requirements, effectively addresses the issues an LIA covers. In this context, you can generally be confident that the legitimate interests lawful basis applies. If so, you don’t need to do a separate LIA process.

In all instances, you must update your privacy information to ensure that your processing is transparent.

What if our original processing was based on consent?

If you want to reuse personal information for scientific or historical research purposes or statistical purposes, but you originally collected it on the basis of consent for a different purpose altogether, you must seek fresh consent for your new processing. 

This is because to rely on consent as your lawful basis you must give people real choice and control over how you use their information. This means that consent must always be specific and informed. People can only give valid consent when they know and understand what you’re going to do with their information. 

If people have consented to you using their information for a non-research purpose, using it for a research-related purpose without their knowledge or agreement unfairly undermines the informed nature of their original choice.

Remember that if information is effectively anonymised, then it’s no longer considered personal information. This means data protection legislation does not apply. You can carry out research on anonymised information, even if you originally collected it on the basis of consent.

If you originally collect personal information on the basis of consent to carry out a particular research project, you can use it for another research project. Generally you must obtain people’s consent for specific processing activities. But the law recognises that in a research context, it’s often not possible to fully identify the specific research purposes when you collect the information. Article 4 of the UK GDPR states that a person’s consent to research is valid if:

• when you ask for consent, it’s not possible to fully identify the purposes for which you plan to process their personal;
• the research is consistent with generally recognised ethical standards relevant to the area of research; and
• as far as possible, you gave the person the opportunity to consent only to processing for part of the research.

This is sometimes known as ‘broad consent to research’. It means that if you’re processing personal information on the basis of consent for scientific research, you may not always need to be as specific about the research purposes as for other processing purposes. However, you should:

• identify the general areas of research; and
• where possible, give people detailed options to only consent to certain areas of research or parts of research projects. 

The law recognises that in many cases, it is not reasonable to expect organisations carrying out archiving in the public interest to obtain fresh consent to the archiving from the people the information is about. But there will often be a public interest in allowing records of enduring value to be archived, even when the information was originally collected on the basis of consent.

For this reason, sharing information with an organisation that plans to use it for archiving in the public interest is considered compatible with the original purpose. This is true even where the information was collected on the basis of consent.

If your organisation receives a request from another organisation to share some information for archiving, you must first consider:

• whether it is reasonable to obtain the consent of the people whose information it is to share it with the archiving organisation;
• if not, whether you wish to share the information; and 
• if you wish to share the information, what new lawful basis is appropriate for doing so. 

You must identify a new lawful basis for sharing the information. In most cases, the appropriate lawful basis will be either public task or legitimate interests.

In most cases, this will be either public task, or legitimate interests.

What does the storage limitation principle say about research?

Article 5(1)(e) states that personal information must be:

“kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 84B”.

Storage limitation means that, even if you collect and use personal information fairly and lawfully, you must not keep it for longer than you need it.

Generally, the rule is that you must not hold personal information indefinitely just in case you might find it useful in future. However, article 5(1)(e) provides an exception to the principle of storage limitation for processing for research-related purposes. This means that you can keep personal information indefinitely if you are processing it for one of the research-related purposes. You must have appropriate safeguards in place for people’s rights and freedoms.

The RAS purpose must be your only purpose for keeping the information. If you justify keeping the information indefinitely on this basis, you must not:

• use that information later for another purpose;
• use it to make decisions about the people the information is about.

This doesn’t prevent organisations from accessing public archives, but they must ensure their own processing, including collection and use of the personal information, has an appropriate lawful basis and is otherwise compliant with data protection obligations.

If you’re no longer processing the information for any purpose, including a research-related purpose, you must delete it.

What lawful basis applies to processing personal information for research-related purposes?

Article 6 of the UK GDPR sets out the lawful bases for processing. You must have a lawful basis to process personal information.

The most appropriate lawful basis depends on your specific purposes and the context of the processing. However, for processing for research-related purposes, the most appropriate lawful basis is likely to be either:

• public task – the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law; or
• legitimate interests – the processing is necessary for your legitimate interests, or the interests of a third party, unless the interests or fundamental rights and freedoms of the people whose personal information you are processing override those interests.

Which of these applies depends on the specific purposes of your processing, and what type of organisation you are. If you’re a private or third sector organisation conducting research, legitimate interests is the most likely lawful basis for your processing. If you’re a public authority, such as a university or an NHS organisation, public task is the most likely lawful basis.

What about consent?

If you’re conducting a research study using personal information, such as medical research or a clinical trial, you’ll often need to obtain consent from participants to take part. Consent is an important ethical standard that ensures and protects the autonomy and privacy of research participants in research studies. 

However, consent to participate in a research study is distinct from consent as a UK GDPR lawful basis to process personal information. You may have a separate ethical or legal obligation to get consent from people participating in your research. Do not confuse this with UK GDPR consent to the processing of participants’ personal information. 

Needing people’s consent for them to take part in your research study does not mean that consent is the most appropriate lawful basis for processing their personal information. There is no rule that says you must rely on consent to process personal information for scientific research purposes. You may find that a different lawful basis (and a different special category information condition) is more appropriate. In fact, in most cases, consent is not the most appropriate lawful basis.

For consent to be valid under UK GDPR, the person must be able to withdraw it at any time. There’s no exemption to this for scientific research. If you’re relying on consent as your lawful basis and someone withdraws their consent, you must immediately stop processing their personal information, or anonymise it. 

In scientific research, you may not be able to respond properly to a withdrawal of consent. It might undermine the validity of your research, and effective anonymisation may not be possible. If this is the case, you must not rely on consent as your lawful basis (or condition for processing special category information). 

In addition, consent is not an appropriate lawful basis for processing if there’s a power imbalance between you and the person the information is about. This is particularly likely if your organisation is a public authority. If you represent a research institution undertaking a study, for example, a power imbalance may exist between you and your participants. In these cases, the participants may not have freely given consent, and so it is therefore not valid. 

Therefore, if you are processing personal information for research-related purposes, it is unlikely that consent is the correct lawful basis. This doesn’t stop you from asking for participants’ consent in the usual way. It just means that once you’ve got that consent and are going ahead with the processing, you need to identify a different lawful basis.

We’ve produced a lawful basis interactive guidance tool, to give more tailored guidance on the most appropriate lawful basis for your processing activities.

What is the research condition for processing special category information?

If you are processing special category data, you must identify:

• a lawful basis for processing; and
• a special category condition for processing in compliance with article 9 of the UK GDPR.

Special category information is personal information that needs more protection because it is sensitive. It is defined as: 

• personal information revealing racial or ethnic origin;
• personal information revealing political opinions;
• personal information revealing religious or philosophical beliefs;
• personal information revealing trade union membership;
• genetic information;
• biometric information (where used for unique identification purposes);
• information concerning physical or mental health;
• information concerning a person’s sex life; or
• information concerning a person’s sexual orientation.

Organisations need to treat this type of information with greater care. This is because collecting and using it is more likely to interfere with people’s fundamental rights and freedoms.

To process special category information, you must meet one of the specific conditions in article 9 of the UK GDPR. One of these conditions is that the processing is necessary for research-related purposes.

Article 9(2)(j) provides a condition for processing if it is necessary for: 

• archiving purposes in the public interest; 
• scientific or historical research purposes; or 
• statistical purposes.

Section 10 and schedule 1 paragraph 4 of the DPA set out some additional requirements for you to rely on this condition. They state that you can process special category information for research purposes, if the processing is:

• carried out with safeguards in place for people’s rights and freedoms; and
• in the public interest.

You must also meet the further requirements set out in article 84C of the UK GDPR:

• You must not be likely to cause substantial damage or substantial distress to the people whose information you are processing (see the section When is processing likely to cause substantial damage or substantial distress? for more information); 
• The processing must not be used for measures or decisions about the people whose information you are processing, except for approved medical research (see the section What does ‘not used for measures or decisions about the people whose information you are using’ mean? for further information); and
• You must have technical and organisational measures in place to ensure respect for the principle of data minimisation, including, for example, pseudonymisation.

What is the research condition for processing criminal offence information?

Data protection law gives extra protection to “personal data relating to criminal convictions and offences or related security measures”. We refer to this as criminal offence information.

If you’re processing criminal offence information, you must have a lawful basis for processing. In addition, you can only process criminal offence information if:

• the processing is under the control of official authority; or
• you can meet one of the conditions set out in schedule 1 or A1 of the DPA 2018.

If you’re processing for RAS purposes and don’t have official authority to process criminal offence information, you can rely on the specific condition for RAS purposes in schedule 1 condition 4 of the DPA 2018. This states that you can process criminal offence information for research purposes, if the processing is:

• necessary for that purpose – that is:
  • it is a reasonable and proportionate way of achieving your purpose; and
  • you don’t have more personal information than you need; 
• carried out with appropriate safeguards for the rights and freedoms of the people whose information is being processed; and
• in the public interest.

What does ‘necessary’ mean?

To rely on the research conditions for processing special category and criminal offence information, you must demonstrate that the processing is ‘necessary’ for your RAS purpose.

This does not mean that the processing is absolutely essential. However, necessary means more than just useful or habitual. To show that your processing is necessary, you need to show that it is a targeted and proportionate way of achieving your purpose.

If you can reasonably achieve your purpose without the proposed processing, the processing is therefore not necessary for your RAS purpose and you cannot rely on the RAS provisions. You should carefully consider the data minimisation principle when working with special category or criminal offence information.

It isn’t enough to argue that processing is necessary because it’s standard practice or part of your particular business model, processes or procedures. The question is whether processing the special category or criminal offence information is a targeted and proportionate way of achieving your research purposes.

When is research-related processing ‘in the public interest’?

To rely on the research condition for processing special category or criminal offence information, you must be able to show that your processing is in the public interest.

The legislation does not define the ‘public interest’. However in the research context, we can broadly interpret public interest to include any clear public benefit likely to arise from that research. 

The public interest covers a wide range of values and principles about the public good or what is in society’s best interests. To argue that your research is in the public interest, it isn’t enough to rely on your own private interests. You can still have a private interest – you just need to make sure that you can also demonstrate a wider public benefit.

Examples of the form this benefit could take are:

• improved health and wellbeing outcomes;
• improved financial or economic outcomes for people or the public;
• the advancement of academic knowledge in a given field; 
• the preservation of art, culture and knowledge for the enrichment of society both now and in the future; or
• the provision of more efficient or effective products and services for the public.

You are responsible for demonstrating that your proposed processing is in the public interest. You may want to consider the ‘breadth and depth’ of any public benefit. For example, what proportion of the public will benefit from your research processing, and by how much? Something that benefits a small number of people by an insignificant amount is unlikely to have a strong public interest case. 

However, something may be in the public interest even if it doesn’t benefit all of society. Processing for research which benefits only a small number of people but does so significantly may be in the public interest, as long as it doesn’t harm society’s wider interests. 

For example, processing for the purposes of research into rare but debilitating medical conditions is likely to be in the public interest. Similarly, research processing that generates only a small benefit, but does so for a significantly large number of people, could be in the public interest. 

The avoidance of harm to the public will also be a key factor in determining whether or not your research is in the public interest. Clearly, if the processing causes more harm than benefit, it is unlikely to be in the public interest. Additionally, you must not make use of the research provisions if your processing is likely to cause substantial damage or distress (See the section When is processing likely to cause substantial damage or substantial distress? for more information.)

Both public sector bodies and private and third sector organisations can conduct public interest research. In this context, public interest is about the processing activity, not on your organisation’s status. You don’t have to be a public body or have significant public interest objectives as part of your founding organisational goals or mission statement. You just need to demonstrate that the processing itself is in the public interest.