The ICO exists to empower you through information.

Principles and grounds for processing

Share Download options

Pages

Format

At a glance

  • Article 5 of the UK GDPR sets out seven key data protection principles. Two of these principles – purpose limitation and storage limitation – contain special provisions for research-related processing.
  • The purpose limitation principle says you can reuse existing personal data for research-related purposes, as long as you have appropriate safeguards in place.
  • The principle of storage limitation says that you can keep personal data indefinitely, if you are processing it for research-related purposes, as long as you have appropriate safeguards in place.
  • There is no specific lawful basis for research. Depending on your status and context, you are likely to rely on either legitimate interests or public task for this type of processing.
  • There is a specific condition allowing the use of special category data or criminal offence data for research purposes, if this is in the public interest and you have appropriate safeguards in place.

In detail

What do the data protection principles say about research?

Article 5 of the UK GDPR sets out seven key data protection principles.

These principles lie at the heart of the general data protection regime. They don’t give hard and fast rules, but rather embody the spirit of the general data protection regime. As such, there are very limited exceptions.

However two of these principles – purpose limitation and storage limitation – contain within them special provisions for research-related processing.

What does the purpose limitation principle say about research?

Article 5(1)(b) states that personal data shall be:

“collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes.”

This simply means that processing data for research-related purposes is compatible with the original purpose.

This applies as long as your intended further processing:

  • meets the criteria for one of the research-related purposes;
  • is necessary for one of the research-related purposes;
  • is fair and lawful; and
  • has appropriate safeguards in place.

If you meet these conditions, then your research purposes are compatible with your original purpose. You do not need to undertake a specific compatibility test.

Do we need a new lawful basis?

All processing must be lawful, so you do need a lawful basis. Your original basis to collect the data may not always be appropriate for your research-related processing.

In most cases, your lawful basis for your research-related processing is either:

  • public task – the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law; or
  • legitimate interests – the processing is necessary for your legitimate interests, or the interests of a third party, unless there is a good reason to protect the person’s personal data which overrides those legitimate interests.

Which of these is right for you often depends on the type of organisation you are. It is most likely that public authorities can rely on public task. Commercial and charity organisations are more likely to use legitimate interests.

If you want to use the legitimate interests lawful basis, you are usually advised to carry out a legitimate interests assessment (LIA) before you begin. However, carrying out research with appropriate safeguards in place, including all other ethical standards and regulatory requirements, means you are effectively addressing the issues an LIA covers. In this context, you can generally have confidence that the legitimate interest lawful basis applies. You would not need to undertake a separate LIA process.

In all instances, you need to update your privacy information to ensure that your processing is transparent.

Example

An insurance company collects personal data from people who buy their life assurance policies. The lawful basis they use to collect the data is that it is necessary for the performance of a contract – that is, the life assurance contract.

The insurance company wishes to repurpose this data for scientific research and statistical purposes. They wish to gain a deeper understanding of life expectancy and risks of mortality, to help define future pricing strategies.

This new processing for statistical purposes is compatible with the purpose for which they originally collected the data. The insurance company must identify a lawful basis for this new processing.

They are carrying out the research in a fair, lawful and transparent manner. The company has appropriate safeguards in place to protect the rights of the people whose data they are processing.

The insurance company can rely on the legitimate interests lawful basis for this processing.

What if our original processing was based on consent?

If your original lawful basis for processing personal data was consent, you need to seek fresh consent for any new processing activity, including research.

This is because consent means giving people real choice and control over how you use their data. This means that consent must always be specific and informed. People can only give valid consent when they know and understand what you are going to do with their data.

So if people provided their data and consent for you to use it for a non-research purpose, using it for a research related purpose without their knowledge or agreement unfairly undermines the informed nature of their original choice.

Remember that if data is effectively anonymised, then it is no longer considered personal data. This means data protection legislation does not apply. You can carry out research on anonymised data, even if it was originally collected on the basis of consent.

However, if you originally collected personal data on the basis of consent to carry out a particular research project, you can use that personal data for another research project. Although generally people must only give consent for specific purposes, the law recognises that in a research context, it’s often not possible to fully identify the specific research purposes at the time of collection. Recital 33 states that:

“individuals should be allowed to give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research.”

This is sometimes known as “broad consent”. It means that if you are processing personal data on the basis of consent for scientific research, you don’t need to be as specific as for other purposes. However, you should identify the general areas of research. Where possible, you should give people granular options to only consent to certain areas of research or parts of research projects.

What does the storage limitation principle say about research?

Article 5(1)(e) requires that personal data shall be:

“…kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject…”

Storage limitation means that, even if you collect and use personal data fairly and lawfully, you cannot keep it for longer than you actually need it.

The general rule is that you cannot hold personal data indefinitely just in case you may find it useful in future. However, Article 5(1)(e) provides an exception to the principle of storage limitation for research-related processing. This means that you can keep personal data indefinitely, if you are processing it for one of the research-related purposes.

However, this must be your only purpose. If you justify indefinite retention on this basis, you cannot later use that data for another purpose. In particular, you cannot use it for any decisions affecting particular people. This does not prevent other organisations from accessing public archives, but they must ensure their own collection and use of the personal data is compliant.

If you are no longer processing the data for any purpose, including a research-related purpose, you must delete it.

You must have appropriate safeguards in place for people’s rights and freedoms.

Further reading – ICO guidance

What lawful basis should we use when processing personal data for research-related purposes?

Article 6 of the UK GDPR sets out the lawful bases for processing. You must have a lawful basis in order to process personal data.

The most appropriate lawful basis depends on your specific purposes and the context of the processing. However, in the context of research-related processing, the most appropriate lawful basis is either:

  • public task – the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law; or
  • legitimate interests – the processing is necessary for your legitimate interests, or the interests of a third party, unless there is a good reason to protect the person’s personal data which overrides those legitimate interests.

Which of these applies depends on the specific purposes of your processing, and what type of organisation you are. If you are a private or third sector organisation conducting research, legitimate interests is the most likely lawful basis for your processing. However, if you are a public authority, such as a university or an NHS organisation, public task is the most likely lawful basis.

Further reading – ICO guidance

What about consent?

If you are conducting a research study using personal data, such as medical research or a clinical trial, you will often need to obtain consent from participants to take part. Consent is an important ethical standard that ensures and protects the autonomy and privacy of participants in research studies.

However, it is important to note that consent to participate in a research study is distinct from consent as a UK GDPR lawful basis to process personal data. Even if you have a separate ethical or legal obligation to get consent from people participating in your research, you should not confuse this with UK GDPR consent.

Needing people’s consent to participate in your research study does not mean that consent is the most appropriate lawful basis for processing their personal data. There is no rule that says you must rely on consent to process personal data for scientific research purposes. You may well find that a different lawful basis (and a different special category data condition) is more appropriate in the circumstances. In fact, in most cases, consent is not the most appropriate lawful basis.

This is because valid consent under the UK GDPR means the person can withdraw it at any time. There is no exemption to this for scientific research. This means that if you are relying on consent as your lawful basis and someone withdraws their consent, you need to immediately stop processing their personal data, or anonymise it.

Consent is only valid if the person can withdraw it at any time. If you cannot fully action a withdrawal of consent – because it would undermine the validity of your research and effective anonymisation is not possible – then you cannot rely on consent as your lawful basis (or condition for processing special category data).

Also, consent is not an appropriate lawful basis for processing where there is a power imbalance between you and the person whose personal data you are processing. This is particularly likely if you are a public authority. If you are a research institution undertaking a study, a power imbalance may exist between you and your participants. In these cases, the participants may not freely give consent, and so it cannot be valid.

Therefore, if you are processing personal data for one of the research-related purposes, it is unlikely that consent is the correct lawful basis.

We produced a lawful basis interactive guidance tool, to give more tailored guidance on the most appropriate lawful basis for your processing activities.

Further reading – ICO guidance

What is the research condition for processing special category data?

If you are processing special category data, you need to identify both a lawful basis for processing and a special category condition for processing in compliance with Article 9.

Special category data is personal data that needs more protection because it is sensitive. It is defined as:

  • personal data revealing racial or ethnic origin;
  • personal data revealing political opinions;
  • personal data revealing religious or philosophical beliefs;
  • personal data revealing trade union membership;
  • genetic data;
  • biometric data (where used for identification purposes);
  • data concerning health;
  • data concerning a person’s sex life; or
  • data concerning a person’s sexual orientation.

The presumption is that organisations need to treat this type of data with greater care. This is because collecting and using it is more likely to interfere with people’s fundamental rights.

You can only process special category data if you can meet one of the specific conditions in Article 9 of the UK GDPR. One of these conditions is that the processing is necessary for research-related purposes.

Article 9(2)(j) provides a condition for processing if it is necessary for:

  • archiving purposes in the public interest,
  • scientific or historical research purposes; or
  • statistical purposes.

Schedule 1 paragraph 4 of the DPA 2018 sets out some additional requirements for you to rely on this condition. This states that you can process special category data for research-related purposes, if the processing is:

Further reading – ICO guidance

Special category data

What is the research condition for processing criminal offence data?

The UK GDPR gives extra protection to “personal data relating to criminal convictions and offences or related security measures”. We refer to this as criminal offence data.

If you are processing criminal offence data, you need a lawful basis for processing. In addition, you can only process criminal offence data if:

  • the processing is under the control of official authority; or
  • you meet one of the conditions in Schedule 1 of the DPA 2018.

If you are processing criminal offence data for research-related purposes, Schedule 1 condition 4 of the DPA 2018 sets out the relevant condition.

This condition means that you can process criminal offence data for research-related purposes if the processing:

Further reading – ICO guidance

Criminal offence data

What does ‘necessary’ mean?

To use the research conditions for processing special category and criminal offence data, you need to demonstrate that the processing is ‘necessary’ for your purpose.

This does not mean that the processing is absolutely essential. However, it must be more than just useful or habitual. It must be a targeted and proportionate way of achieving your purpose.

The conditions do not apply if you can reasonably achieve the same purpose by less intrusive means. You should carefully consider the data minimisation principle when working with special category or criminal offence data.

It is not enough to argue that processing is necessary because it is standard practice or part of your particular business model, processes or procedures. The question is whether processing the special category or criminal offence data is a targeted and proportionate way of achieving your research purposes.

When is research-related processing ‘in the public interest’?

To rely on the research condition for processing special category or criminal offence data, the DPA 2018 states that your processing must be in the public interest.

The legislation does not define the ‘public interest’. However, you should broadly interpret public interest in the research context to include any clear and positive public benefit likely to arise from that research.

The public interest covers a wide range of values and principles about the public good, or what is in society’s best interests. In making the case that your research is in the public interest, it is not enough to point to your own private interests. Of course, you can still have a private interest – you just need to make sure that you can also point to a wider public benefit.

Some examples of the form this benefit could take are:

  • improved health and wellbeing outcomes;
  • improved financial or economic outcomes for individuals or the collective public;
  • the advancement of academic knowledge in a given field;
  • the preservation of art, culture and knowledge for the enrichment of society both now and in the future; or
  • the provision of more efficient or more effective products and services for the public.

It is your responsibility to demonstrate that the processing you are proposing to undertake is in the public interest. You may want to consider the ‘breadth and depth’ of that public benefit. For example, what proportion of the public are benefitting from your research processing, and by how much? Something that benefits a small number of people by an insignificant amount is unlikely to have a strong public interest case.

However, it is possible that processing for research which only benefits a small number of people, but benefits them significantly, can be in the public interest. Public interest may exist in something even if it does not benefit the whole of society. There may be a strong public interest in something which has an important benefit on a small section of the public, so long as it does not also harm society’s wider interests. For example, processing for the purposes of research into rare but debilitating medical conditions is likely to be in the public interest. Similarly, research processing that generated only a modest benefit, but to a significantly large number of people, could be in the public interest.

The avoidance of harm to the public will also be a key factor in determining whether or not your research is in the public interest. Clearly, if the processing causes more harm than benefit, it is unlikely to be in the public interest. Additionally, you may not make use of the research provisions if your processing is likely to cause substantial damage or distress.

Public sector bodies or private and third sector organisations can conduct public interest research. The focus is on the processing activity, not on your organisation’s status. You don’t have to be a public body or have significant public interest objectives as part of your founding organisational goals or mission statement. You just need to demonstrate that the processing itself is in the public interest.