Skip to main content

Contents

At a glance

  • People have specific rights over their data – including rights to be informed, to access, to rectify (correct), to erase, to restrict, to port (move) and to object.
  • Some of these rights contain built-in exceptions for research.
  • For other rights, you could rely on a separate research exemption, if fully complying with the right would undermine your research purposes.
  • You shouldn’t rely on exceptions or exemptions in a blanket manner. You must consider them case by case.
  • You should only restrict someone’s rights if the exemption applies and there is a valid reason to apply it.
  • If you can fully comply with people’s rights without undermining your research purposes, you cannot use the exemptions.

In detail

What should we take into account when applying these exemptions?

Articles 13 to 21 of the UK GDPR set out the rights that people have over how organisations use their data.

Most of these rights have exemptions available when processing data for research-related purposes. These exemptions may apply to the following rights, which are:

  • the right to be informed;
  • the right of access;
  • the right to rectification;
  • the right to erasure;
  • the right to restrict processing;
  • the right to data portability; and
  • the right to object.

For some of these rights, there is a built-in exception for research. For others, Schedule 2 of the DPA 2018 sets out a separate exemption.

You should only restrict someone’s rights if the exemption applies and there is a valid reason to apply it. You should demonstrate a causal link between complying with the right and the potential prejudicial effect that you identified.

You should not apply the research-related exemptions in a blanket fashion. You should only apply them to the extent that the application of the specific right would cause the identified prejudicial effect. Therefore, the application of the exemptions must be necessary and proportionate. You must consider the application of the exemptions on a case-by-case basis.

You should document your reasons for relying on an exemption. You must make this reasoning available to the ICO if required.

You must inform the person without undue delay and within one month of receipt of the request about:

  • the reasons why you are refusing the request;
  • their right to make a complaint to the ICO; and
  • their ability to seek to enforce this right through the courts.

The following sections explain how the research-related exemptions affect each of these rights.

What is the exception to the right to be informed?

The right to be informed covers some of the key transparency requirements of the UK GDPR. It is about providing people with clear and concise information about what you do with their personal data.

Articles 13 and 14 of the UK GDPR specify what people have the right to be informed about. We call this ‘privacy information’.

However, the UK GDPR recognises that you may have difficulty providing this information when processing data you obtained from another organisation, rather than directly from the person.

Article 14(5)(b) provides an exception from your obligations under the right to be informed when receiving personal data from a source other than the individual, if providing this information:

  • proves impossible or would involve disproportionate effort; or
  • would likely render impossible or seriously impair the processing’s objectives

The UK GDPR recognises that the first of these issues is especially likely to arise in a research context. This is because you may sometimes carry out processing for one of the research-related purposes, using data originally obtained a long time ago by a different organisation.

However, even in this situation, you do not have an automatic exception from the requirement to provide privacy information. You must consider whether the provision of privacy information would involve disproportionate effort. To do this, you must balance the effort and impact required to provide privacy information against the potential effect of your use of data on the person.

When assessing disproportionate effort, you should consider:

If you determine that providing privacy information to people does involve disproportionate effort, you must still:

  • publish the privacy information (eg on your website); and
  • carry out a data protection impact assessment (DPIA).

This exception also removes the obligation to provide privacy information, if doing so would render impossible or seriously impair the objectives of your processing.

It is important to note that this exception does not apply if you are using data for research purposes collected directly from the person.

Further reading – ICO guidance

Right to be informed

What is the exemption from the right of access?

Under Article 15 of the UK GDPR, people have the right to obtain a copy of their personal data, as well as other supplementary information. This is the right of access, or subject access.

However, there are exemptions from the right of access if you are processing for research-related purposes. These are listed in separate paragraphs of the DPA 2018:

  • Schedule 2 Paragraph 27 provides an exemption if you are processing personal data for scientific or historical research purposes or statistical purposes.
  • Schedule 2 Paragraph 28 provides an exemption if you are processing for archiving purposes in the public interest.

The exemptions only apply:

Schedule 2 paragraph 27 sets out a further condition on the exemption for scientific or historical research or statistics. It requires anonymisation of research results or any resulting statistics. This condition does not apply to archiving in the public interest.

You must show that complying with the right of access would prevent or seriously impair your ability to achieve your research purposes.

You should not apply the exemptions in a blanket fashion. You should only apply them to the extent that the application of the specific right would cause the identified prejudicial effect. Therefore, you must apply the exemptions in a necessary and proportionate way. You must also consider the application of the exemptions on a case-by-case basis.

Example

Someone becomes aware that an organisation has received their health data. They are processing it for scientific research purposes. The person makes a request to the organisation for a copy of all the data the organisation holds about them.

The person’s data is part of a relatively small data set. Disclosure of the data would not prevent or seriously impair the research project. As such, the use of the exemption from the right of access is not necessary.

In these circumstances the exemption does not apply and the organisation should not use it. They should therefore disclose the information they hold.

Further reading – ICO guidance

Right of access

What is the exemption from the right to rectification?

Under Article 16 of the UK GDPR, people have the right to have inaccurate personal data rectified. When someone makes a request for rectification, you should normally take reasonable steps to satisfy yourself that the data is accurate and to rectify the data if necessary. You should take into account the person’s arguments and evidence they provide.

However, there are exemptions from the right to rectification if you are processing for research-related processing. These are listed in separate paragraphs of the DPA 2018:

  • Schedule 2 Paragraph 27 provides an exemption if you are processing personal data for scientific or historical research purposes or statistical purposes.
  • Schedule 2 Paragraph 28 provides an exemption if you are processing for archiving purposes in the public interest.

The exemptions only apply:

You must show that complying with the right to rectification would prevent or seriously impair your ability to achieve your research-related purposes. For example, archived records of enduring value are not, generally speaking, altered after the archiving organisation receives them.

You should not apply the exemptions in a blanket fashion. You should only apply them to the extent that the application of the right to rectification would cause the identified prejudicial effect. Therefore, you must apply the exemptions in a necessary and proportionate way. You must also consider the application of the exemptions on a case-by-case basis.

Further reading – ICO guidance

Right to rectification

What is the exception to the right to erasure?

Under Article 17 of the UK GDPR, people have the right to have their personal data erased. This is also known as the ‘right to be forgotten’. However, there is a built-in exception for research.

Article 17(3)(d) states that, if you are processing data for research-related purposes, the right to erasure does not apply in so far as complying with the right is likely to render impossible or seriously impair the achievement of your research-related purposes.

Further reading – ICO guidance

Right to erasure

Example

A pharmaceutical company is testing a new drug. They hope to use it in future to treat patients with a rare form of cancer. To test the drug, the company needs to process the personal data of people who take part in drug trials. This includes their health data.

Participants in the drug trial proactively agree to take part in the trial. However, the organisation processes their personal data on the basis of legitimate interests.

During the trial, a participant chooses to withdraw from further tests. The person makes a request to the company to erase all of the personal data they hold about them. This includes their health data generated during the trial.

Complying with this request would undermine the integrity of the company’s data set. It would risk skewing the results of the study. It would thus render impossible or seriously impair the achievement of the company’s research objectives.

In these circumstances, the exception from the right to erasure would apply. The company is justified in refusing the request to erase the person’s personal data.

 

What is the exemption from the right to restrict processing?

Under Article 18 of the UK GDPR, people have the right to restrict the processing of their personal data in certain circumstances. This means that someone can limit the way that an organisation uses their data. This is an alternative to requesting the erasure of their data.

However, there are exemptions from the right to restrict processing if you are processing for research-related purposes. These are listed in separate paragraphs of the DPA 2018:

  • Schedule 2 Paragraph 27 provides an exemption if you are processing personal data for scientific or historical research purposes or statistical purposes.
  • Schedule 2 Paragraph 28 provides an exemption if you are processing for archiving purposes in the public interest.

The exemptions only apply:

You must show that complying with the right to restrict processing would prevent or seriously impair your ability to achieve your research purposes.

You should not apply the exemptions in a blanket fashion. You should only apply them to the extent that the application of the right to rectification would cause the identified prejudicial effect. Therefore, you must apply the exemption in a necessary and proportionate way. You must also consider the application of the exemption on a case-by-case basis.

Further reading – ICO guidance

Right to be restrict processing

What is the archiving exemption from the right to data portability?

Under Article 20 of the UK GDPR, people have the right to receive personal data they provided to a controller in a structured, commonly used and machine-readable format. It also gives them the right to request that a controller transfers this data directly to another controller.

The right to data portability only applies when:

  • your lawful basis for processing this information is consent or for the performance of a contract; and
  • you are carrying out the processing by automated means (ie excluding paper files).

In practice, this right is usually relevant to organisations who are providing a service to a customer. It allows that customer to easily port their own data to other service providers. It’s much less likely to apply in the context of research.

Because the right is unlikely to apply in a research context, there is no general exemption for research purposes.

However, Schedule 2 Paragraph 28 of the DPA 2018 provides an exemption from the right to data portability if you are processing for archiving purposes in the public interest.

The exemption only applies:

There is no equivalent exemption from the right to data portability if you are processing for scientific or historical research or statistics. However, this is unlikely to have significance. For most research-related processing, the right to data portability does not apply.

Further reading – ICO guidance

Right to restrict processing

What is the exemption from the right to object?

Under Article 21 of the UK GDPR, people have the right to object to the processing of their personal data at any time. This right allows people to ask you to stop processing their personal data, or requires you to justify why you need to do so.

For more information on this right, see our guidance on the right to object.

Where you are processing personal data for scientific or historical research or statistical purposes, the right to object is more restricted.

Article 21(6) states:

Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her personal situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

Effectively, this means that if you are processing data for scientific or historical research or for statistical purposes, and have appropriate safeguards in place, someone only has a right to object if your lawful basis for processing is:

  • public task – on the basis that it is necessary for the exercise of official authority vested in you; or
  • legitimate interests.

It is important to note that someone does not have a right to object if your lawful basis for processing is public task because it is necessary for the performance of a task you are carrying out in the public interest.

Article 21(6) therefore differentiates between the two parts of the public task lawful basis (performance of a task you are carrying out in the public interest or in the exercise of official authority vested in you).

This may cause problems if you are relying on the public task lawful basis for processing. You may find it difficult to decide if you are carrying out the processing solely as a task in the public interest, or in the exercise of official authority.

If you are carrying out research-related processing solely for the performance of a task you are carrying out in the public interest, this should be made clear in your privacy notice.

If someone objects to you processing their personal data, you must consider their objection and the reasons they give.

However, you can still continue with the processing, if you can demonstrate compelling legitimate grounds for the processing. They must override the person’s interests (including any specific circumstances they raise in their objection).

We would expect that, in most cases, the legitimate interests in compliant research would override someone’s objection. This means that, in most cases, you won’t actually need to rely on the exemption. You can give full effect to the person’s right to object by considering the objection. You can then explain to them why your legitimate interests in the research override their objection in the specific circumstances.

However, if you believe that even considering the objection would prevent or seriously impair the achievement of your research objectives, you may use the research-related exemptions. These are listed in separate paragraphs in the DPA 2018:

  • Schedule 2 Paragraph 27 provides an exemption if you are processing personal data for scientific or historical research purposes or statistical purposes.
  • Schedule 2 Paragraph 28 provides an exemption, if you are processing for archiving purposes in the public interest.

The exemptions only apply:

The onus is on you to demonstrate why even considering the objection would prevent or seriously impair your research objectives. You may find this difficult to do, given that you should not apply the exemptions in a blanket fashion. In most situations, considering whether or not to apply the exemption in a particular case has the same practical effect as simply considering the objection.

However it is feasible that, in some contexts, the act of considering objections might prevent or seriously impair your research objectives. For example, the volume of objections you receive means that considering them all would divert limited resources away from your main functions. In this context, you still should not apply the exemptions in a blanket fashion. However, you may choose to have a general policy that you do not consider objections. In specific circumstances, you could then deviate from the policy in any particular case.

Given that this situation is unlikely to occur, we consider that in most cases, you do not need to apply the exemption from the right to object. We would prefer you to consider the objection, and then explain to the person why your legitimate interests in pursuing the research override the circumstances of their objection.

Further reading – ICO guidance

Right to object