What are the exemptions for research?

We are currently consulting on this draft guidance - our consultation is open until 05 May 2026.

Contents

Latest updates - 27 February 2026

27 February 2026 - this draft guidance was published.

At a glance

People have specific rights over their personal information – including rights to:
- - be informed about its use;
  - access it;
  - rectify (correct) it;
  - erase it;
  - restrict your processing of it;
  - port (move) it; and to object.
Some of these rights contain built-in exceptions for research.
For other rights, you may rely on a separate research exemption if fully complying with the right would undermine your research purposes.
You must not rely on exceptions or exemptions in a blanket approach. You must consider them case-by-case.
You must only restrict someone’s rights if:
- - the exemption applies; and
  - there is a valid reason to apply it.
If you can fully comply with people’s rights without undermining your research purposes, you must not use the exemptions.

In detail

What should we take into account when applying these exemptions?

Articles 13 to 21 of the UK GDPR set out people’s rights over how organisations use their personal information.

Most of these rights have exemptions available for processing done for research-related purposes. Exemptions may apply to the following rights:

the right to be informed;
the right of access;
the right to rectification;
the right to erasure;
the right to restrict processing;
the right to data portability; and
the right to object.

For some of these rights, there is a built-in exception for research. For others, schedule 2 paragraphs 27 and 28 of the DPA 2018 set out a separate exemption.

You must only restrict someone’s rights if the exemption applies and there is a valid reason to apply it. You should demonstrate that complying with the right would have the potential impact on your RAS purposes necessarily for the exemption to apply.

You must not apply the RAS exemptions in a blanket approach. You must only apply them where the application of the specific right would cause the identified prejudicial effect. Therefore, you must apply the exemptions must in a way that is necessary and proportionate. You must consider the application of the exemptions on a case-by-case basis.

You must document your reasons for relying on an exemption. You must make this reasoning available to us if required.

If a person whose information you’re processing contacts you to enforce a right you’re restricting, you must inform them without undue delay and within one month of receipt of the request about:

the reasons why you are applying the exemption;
their ability to complain to you;
their right to make a complaint to us; and
their ability to seek to enforce this right through the courts.

The following sections explain how the RAS exemptions affect each of these rights.

Relevant provisions in the legislation

See UK GDPR articles 12, 12A 13, 14(1)-(4), 15(1)-(3), 16, 18(1) and 21 (1) (external link) and DPA 2018 schedule 2, part 6, paragraph 27 (external link)

What is the exception to the right to be informed?

The right to be informed covers some of the key transparency requirements of UK data protection law. It’s about informing people clearly and concisely about what you do with their personal information.

Articles 13 and 14 of the UK GDPR specify what people have the right to be informed about. We call this ‘privacy information’.

However, the law recognises that you may sometimes have difficulty providing this information. This is particularly likely when you want to process personal information collected for one purpose for a new RAS purpose.

Some research uses personal information you have collected directly from the people the information is about. Other research uses personal information collected from a different source, such as another organisation. The exception works slightly differently in these two cases.

If you are collecting personal information for a RAS purpose directly from the people it’s about, there is no exception from the right to be informed. You must provide people with privacy information at the time you collect their personal information.

If you originally collected personal information for a different purpose, and now want to reuse if for a new, RAS purpose, article 13 of the UK GDPR provides an exception from the requirement to provide privacy information. This exception applies only if providing the privacy information would be impossible or would involve disproportionate effort.

If you are carrying out research using personal information you have collected from a different source, and not directly from the people it is about, article 14 of the UK GDPR provides an exception from the requirement to provide privacy information. This exception applies only if providing the privacy information would:

be impossible or would involve disproportionate effort; or
likely make impossible or seriously impair the achievement of the processing’s objectives.

To determine whether providing privacy information would involve disproportionate effort, you should balance the effort required against the potential impact on people of your use of their information.

When assessing disproportionate effort, you should consider factors such as:

the number of people affected;
the age of the information; and
any appropriate safeguards you adopted.

If you determine that providing privacy information does involve disproportionate effort, you should still:

publish the privacy information (eg on your website); and
do a data protection impact assessment (DPIA).

If you obtained the personal information from a source other than directly from the person it relates to, this exception also removes the obligation to provide privacy information, if doing so would make impossible or seriously impair the objectives of your processing.

Further reading – ICO guidance

The right to be informed

What is the exemption from the right of access?

Under article 15 of the UK GDPR, people have the right to obtain a copy of their personal information, as well as other supplementary information. This is known as the right of access or subject access.

However, there are exemptions from the right of access if you’re processing information for research-related purposes. These are listed in separate paragraphs of the DPA 2018:

Schedule 2 paragraph 27 provides an exemption if you’re processing personal information for scientific or historical research purposes or statistical purposes.
Schedule 2 paragraph 28 provides an exemption if you’re processing personal information for archiving purposes in the public interest.

The exemptions only apply:

when providing people with access to their information would prevent or seriously impair the achievement of the purposes for processing;
if you’re doing the processing with appropriate safeguards in place for people’s rights and freedoms;
if the processing isn’t likely to cause anyone substantial damage or distress; and
if you’re not using the processing to inform measures or decisions about the people whose information it is, except in approved medical research.

Schedule 2 paragraph 27 sets out a further condition on the exemption for scientific or historical research or statistics. It requires anonymisation of research results or any resulting statistics. This means you can only use this exemption if the published results are anonymised. If your published results include identifiable personal information, then you cannot rely on this exemption to the right of access. You must provide the information in response to the request, even if doing so would impair your RAS purposes. This condition does not apply to archiving in the public interest.

You must show that complying with the right of access would prevent or seriously impair your ability to achieve your research purposes.

You must not apply the exemptions in a blanket fashion. You must only apply them when the application of the specific right would cause an identified prejudicial effect. Therefore you must:

apply the exemptions in a necessary and proportionate way; and
consider their application on a case-by-case basis.

Example

Someone becomes aware that an organisation has received their health information. The organisation is processing it for scientific research purposes. The person makes a request to the organisation for a copy of all the information the organisation holds about them.

The person’s information is part of a relatively small data set. Disclosing it wouldn’t prevent or seriously impair the research project. Therefore, the use of the exemption from the right of access is not necessary.

In these circumstances the exemption does not apply and the organisation should not use it. It should therefore disclose the information it holds.

Further reading – ICO guidance

The right of access

What is the exemption from the right to rectification?

Under article 16 of the UK GDPR, people have the right to have inaccurate personal information rectified (corrected). When someone makes a request for rectification, you must take reasonable steps to:

satisfy yourself that the information is accurate; and
rectify the information if necessary.

You must take into account the person’s arguments and any evidence they provide.

However, there are exemptions from the right to rectification if you’re processing for research-related purposes. These are listed in separate paragraphs of the DPA 2018:

Schedule 2 paragraph 27 provides an exemption if you’re processing personal information for scientific or historical research purposes or statistical purposes.
Schedule 2 paragraph 28 provides an exemption if you’re processing for archiving purposes in the public interest.

The exemptions only apply:

when rectifying the information would prevent or seriously impair the achievement of the purposes for processing;
if you’re doing the processing with appropriate safeguards in place for people’s rights and freedoms;
if the processing isn’t likely to cause someone substantial damage or substantial distress; and
if you’re not using the processing to inform measures or decisions about the people whose information it is, except in approved medical research.

You must show that complying with the right to rectification would prevent or seriously impair your ability to achieve your research-related purposes. For example, archived records of lasting value are generally not altered after the archiving organisation receives them.

You must not apply the exemptions in a blanket approach. You must only apply them to the extent that the application of the right to rectification would cause the identified prejudicial effect. Therefore, you must apply the exemptions in a necessary and proportionate way. You must also consider the application of the exemptions on a case-by-case basis.

Further reading – ICO guidance

Right to rectification

What is the exception from the right to erasure?

Under Article 17 of the UK GDPR, people have the right to have their personal information erased. This is also known as the ‘right to be forgotten’. However, there is a built-in exception for research.

Article 17(3)(d) states that, if you’re processing information for research-related purposes, the right to erasure doesn’t apply if complying with that right is likely to make impossible or seriously impair the achievement of your research purposes.

Further reading – ICO guidance

Right to erasure

Example

A pharmaceutical company is testing a new drug. It hopes to use it in future to treat patients with a rare form of cancer. To test the drug, the company needs to process the personal information of people who take part in drug trials. This includes their health information.

Participants in the drug trial proactively agree to take part in the trial. However, the organisation processes their personal information on the basis of legitimate interests.

During the trial, a participant chooses to withdraw from further tests. This person makes a request to the company to erase all of the personal information it holds about them. This includes their health information generated during the trial.

Complying with this request would undermine the integrity of the company’s data set. It would risk skewing the results of the study. It would therefore make impossible or seriously impair the achievement of the company’s research objectives.

In these circumstances, the exception from the right to erasure applies. The company is justified in refusing the request to erase the person’s personal information.

What is the exemption from the right to restrict processing?

Under article 18 of the UK GDPR, people have the right to restrict the processing of their personal information in certain circumstances. This means people can limit how an organisation uses their information. This is an alternative to requesting the erasure of their information.

However, there are exemptions from the right to restrict processing if you’re processing for research-related purposes. These are listed in separate paragraphs of the DPA 2018:

Schedule 2 paragraph 27 provides an exemption if you are processing personal information for scientific or historical research purposes or statistical purposes.
Schedule 2 paragraph 28 provides an exemption if you are processing personal information for archiving purposes in the public interest.

The exemptions only apply:

when rectifying the information would prevent or seriously impair the achievement of the purposes for processing;
if you’re doing the processing with appropriate safeguards in place for people’s rights and freedoms;
if the processing isn’t likely to cause someone substantial damage or substantial distress; and
if you’re not using the processing to inform measures or decisions about the people whose information it is, except in approved medical research.

You must show that complying with the right to restrict processing would prevent or seriously impair your ability to achieve your research purposes.

You must not apply the exemptions in a blanket approach. You must only apply them where the application of the right to restrict processing would cause an identified prejudicial effect. Therefore, you must apply the exemption in a necessary and proportionate way. You must also consider how you apply the exemption on a case-by-case basis.

Further reading – ICO guidance

Right to restrict processing

What is the archiving exemption from the right to data portability?

Under article 20 of the UK GDPR, people have the right to receive personal information they provided to an organisation in a format that’s

structured;
commonly used; and
machine-readable.

They also have the right to request that the organisation transfers this information directly to another organisation.

The right to data portability only applies when:

your lawful basis for processing the relevant information is consent or for the performance of a contract; and
you’re carrying out the processing by automated means (ie excluding paper files).

In practice, this right is usually relevant to organisations providing a service to a customer. It allows that customer to easily port their own information to other service providers. It’s much less likely to apply in the context of research.

Because the right is unlikely to apply in a research context, there’s no general exemption for research purposes.

However, schedule 2 paragraph 28 of the DPA 2018 provides an exemption from the right to data portability if you’re processing information for archiving purposes in the public interest.
The exemption only applies:

when upholding the right to data portability would prevent or seriously impair the achievement of the purposes for processing;
if you’re doing the processing with appropriate safeguards in place for people’s rights and freedoms;
if the processing isn’t likely to cause someone substantial damage or substantial distress; and
if you’re not using the processing to inform measures or decisions about the people whose information it is, except in approved medical research.

There is no equivalent exemption from the right to data portability if you’re processing for scientific or historical research or statistics. However, this is unlikely to matter. For most research-related processing, the right to data portability does not apply.

Further reading – ICO guidance

Right to data portability

What is the exemption from the right to object?

Under article 21 of the UK GDPR, people have the right to object to the processing of their personal information at any time. This right:

allows people to ask you to stop processing their personal information, and;
requires you to justify any refusal to do so.

Where you’re processing personal information for scientific or historical research or statistical purposes, the right to object is more restricted.

Article 21(6) states:

“Where personal data are processed for scientific or historical research purposes or statistical purposes, the data subject, on grounds relating to his or her personal situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.”

Effectively, this means that if you’re processing personal information for scientific or historical research or for statistical purposes, and have appropriate safeguards in place, someone only has a right to object if your lawful basis for processing is:

public task – on the basis that it’s necessary for the exercise of official authority vested in you; or
legitimate interests.

It is important to note that they don’t have a right to object if your lawful basis for processing is that the processing is necessary for performing a task you’re carrying out in the public interest.
Article 21(6) therefore differentiates between the two parts of the public task lawful basis:

the performance of a task you’re carrying out in the public interest; and;
the exercise of official authority vested in you).

This may cause problems if you’re relying on the public task lawful basis for processing. You may find it difficult to decide whether you’re carrying out the processing solely as a task in the public interest or in the exercise of official authority.

If you’re carrying out research-related processing solely for the performance of a task you’re carrying out in the public interest, you should make this clear in your privacy notice.

If someone objects to you processing their personal information, you must consider their objection and the reasons they give.

However, you can still continue with the processing, if you can demonstrate compelling legitimate grounds for it. You must show that these override the person’s interests (including any specific circumstances they raise in their objection).

We expect that, in most cases, the legitimate interests in compliant research would override a person’s objection. This means that, in most cases, you’ll be able to rely on the restriction built into the right. If so, you won’t need to rely on the exemption for processing for RAS purposes.

You can comply with the person’s right to object by considering the objection. You can then explain to them why your legitimate interests in the research override their objection in the specific circumstances.

However, if you’re concerned that the restriction built into the right may not be available to you, and that considering the objection would prevent or seriously impair the achievement of your research objectives, you could use the research-related exemptions. These are listed in separate paragraphs in the DPA 2018:

Schedule 2 paragraph 27 provides an exemption if you’re processing personal information for scientific or historical research purposes or statistical purposes.
Schedule 2 paragraph 28 provides an exemption, if you’re processing personal information for archiving purposes in the public interest.

The exemptions only apply:

when rectifying the information would prevent or seriously impair the achievement of the purposes for processing;
if you’re doing the processing with appropriate safeguards in place for people’s rights and freedoms;
if the processing isn’t likely to cause someone substantial damage or substantial distress; and
if you’re not using the processing to inform measures or decisions about the people whose information it is, except in approved medical research.

You’re responsible for demonstrating why even considering the objection would prevent or seriously impair your research objectives. You may find this difficult to do, given that you must not apply the exemptions in a blanket approach. In most situations, considering whether to apply the exemption in a particular case has the same impact as simply considering the objection.

However, in some contexts, the act of considering objections might prevent or seriously impair the achievement of your research objectives. For example, this may be the case if the volume of objections you receive means that considering them all would divert limited resources away from your main functions. In this context, you still must not apply the exemptions in a blanket approach. However, you could choose to have a general policy that you do not consider objections. You could then deviate from the policy in any particular case.

As this situation is unlikely to occur, in most cases, you don’t need to apply the exemption from the right to object. We prefer you to:

consider the objection; and
explain to the person why your legitimate interests in pursuing the research override the circumstances of their objection.