What are the appropriate safeguards?

At a glance

In order to use the research provisions, you need to have appropriate safeguards in place. These protect the rights and freedoms of the people whose personal data you are processing.
These safeguards take the form of technical and organisational measures to ensure respect for the principle of data minimisation.
Where possible, you should carry out your research using anonymous information. This information is not personal data and data protection law does not apply.
Where it is not possible to use anonymised data, you should consider whether it is possible to pseudonymise the data. Pseudonymous data is still personal data and data protection law applies.
You are not allowed to use the research provisions if the processing is likely to cause someone substantial damage or substantial distress.
You are not allowed to use the research provisions if you are carrying out the processing for the purposes of measures or decisions with respect to particular people, unless the research is approved medical research.

In detail

What does the law say?
What is data minimisation?
What is pseudonymisation?
When is processing likely to cause substantial damage or substantial distress?
What does ‘not used for measures or decisions about particular individuals’ mean?
What other safeguards do we need to have in place?

What does the law say?

Article 89 of the UK GDPR says that use of the research provisions is dependent on you having appropriate safeguards in place. These protect the rights and freedoms of the people whose personal data you are processing.

These safeguards take the form of technical and organisational measures. Article 89 specifically mentions measures to ensure respect for the principle of data minimisation. This may involve, where possible, anonymising or pseudonymising data.

Section 19 of the DPA 2018 adds to these safeguards by stating that research-related processing does not satisfy Article 89 if the processing:

is likely to cause people substantial damage or substantial distress; or
is carried out for the purposes of measures or decisions about particular people, except for approved medical research.

What is data minimisation?

Article 5(1)(c) of the UK GDPR says that personal data should be:

“…adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation).”

This means that you should identify the minimum amount of personal data you need to fulfil your purpose. You should hold that much information, but no more.

You should first consider whether it is possible to conduct your research without using personal data. If you could carry out your research using anonymised data, then you do not need to process personal data. Therefore, you cannot rely on the research provisions.

Anonymous information is not personal data. Data protection law does not apply.

Anonymisation refers to the techniques and approaches that aim to ensure the data:

is not about an identified or identifiable person; or
is made anonymous in such a way that people are not (or are no longer) identifiable.

However, anonymised data may not fulfil your research purposes. For example, if you are tracking people in a longitudinal study, then aggregated or anonymous data would make the research impossible.

What is pseudonymisation?

Where you cannot use anonymised data, you should consider whether you could pseudonymise the data.

Pseudonymisation refers to techniques that replace or remove identifiable information. Pseudonymisation means that people are not identifiable from the dataset itself. However, they are still identifiable by referring to other, separately held information.

Pseudonymous data is still personal data and data protection law applies.

You should ensure that you do anonymisation or pseudonymisation at the earliest possible opportunity, ideally prior to using the data for research purposes.

The ICO is currently working on new guidance on anonymisation, pseudonymisation and privacy enhancing technologies. We are going to add links to this guidance here when we publish it.

When is processing likely to cause substantial damage or substantial distress?

Section 19(2) of the DPA 2018 says that you are not allowed to use the research provisions if the processing is likely to cause someone substantial damage or substantial distress.

The legislation does not define what it means by substantial damage or substantial distress.

However, in most cases, substantial damage would include both material and non-material harms, such as:

financial loss;
economic or social disadvantage;
physical harm;
damage to reputation;
loss of confidentiality; or
deprivation of rights.

Substantial distress would include upset, emotional or mental pain. It goes beyond annoyance, irritation, or strong dislike.

What does ‘not used for measures or decisions about particular individuals’ mean?

Most research has some influence on how organisations take future measures and decisions. This is by generating new insights that inform policy-making or producing new techniques and processes that change how organisations offer services. These are legitimate objectives for research to pursue. Processing which aims to change how organisations take future measures and decisions can often rely on the research provisions.

However, Section 19(3) of the DPA 2018 says that you are not allowed to use the research provisions if you are carrying out processing for the purposes of measures or decisions with respect to particular people, unless the research is approved medical research. This means you cannot rely on the research provisions if you are intending to use that data, and the results of your research, to make specific decisions about the people involved, or to inform the services you provide to them.

It also means that after relying on the research provisions to justify retaining data past your normal operational retention periods, you can’t later decide to reuse that data to make decisions about the people involved. You can only use the data for research.

This does not mean that you cannot undertake research where the principle aim is to change the way organisations make future decisions. Many research projects have practical application, or aim to influence how to treat people. What it means is that you cannot use the findings of your research to provide specific, individualised services or decisions to any subject of your research.

The only exception to this is approved medical research. Approved medical research means medical research approved by a research committee recognised or established by the Health Research Authority. It also includes recognition or establishment by another body for the purpose of assessing the ethics of research involving people, appointed by any of the following:

the Secretary of State, the Scottish Ministers, the Welsh Ministers or a Northern Ireland Department;
in England, an NHS trust or NHS foundation trust;
in Wales, an NHS trust or Local Health Board;
in Scotland, a Health Board, Special Health Board or the Common Services Agency for the Scottish Health Service;
in Northern Ireland, a Health and Care social body as defined by Section 1(5) paragraphs (a) to (e) of the Health and Social Care (Reform) Act (Northern Ireland) 2009;
United Kingdom Research and Innovation or one of the Research Councils; or
a research institution as defined by Chapter 4A of Part 7 of the Income Tax (Earnings and Pensions) Act 2003.

What other safeguards do we need to have in place?

Measures to respect data minimisation, including anonymisation and pseudonymisation, are explicitly mentioned by Article 89 as appropriate safeguards. You must have these in place when you are processing personal data for research-related purposes. However, these are not the only safeguards you need to consider.

‘Appropriate’ measures depends on the purposes of your processing. For example, you may find data minimisation and anonymisation are inappropriate measures when processing for archiving purposes in the public interest. This is because such measures risk compromising the integrity and authenticity of the records. You should ensure you adopt the appropriate technical and organisational measures for your context and purposes.

There are a range of technical and organisational measures you can use. These may include:

taking a ‘data protection by design and default’ approach to your processing activities;
implementing appropriate security measures;
carrying out DPIAs, where necessary;
appointing a data protection officer, where necessary;
providing appropriate levels of staff training;
using privacy enhancing technologies eg trusted research environments; and
using accountability frameworks such as the Five Safes Framework.

Further reading – ICO guidance

Data minimisation
Security
Data protection by design and default
Data Protection Impact Assessments
Accountability framework
The ICO is currently working on new guidance on anonymisation, pseudonymisation and privacy enhancing technologies. We will add links to this guidance here when we publish it.