26 September 2022
September - The UK's Data Protection and Digital Information Bill – 2 of 6 Insights
One of the UK government's stated purposes for reforming data protection law was to "strengthen [the UK's] position as a science superpower, simplifying data use by researchers and developers of AI and other cutting-edge technologies" (Data: A New Direction consultation).
The reforms proposed in the 'Data: A New Direction' consultation were designed to make innovation easier for UK organisations involved in research. It is unsurprising then that there are specific proposals in the draft Data Protection and Digital Information Bill concerning research. However, in many respects the proposed reforms do not significantly change the status quo.
While certain provisions are designed to clarify the law, other changes are likely to make the data protection framework more flexible for researchers. So, clause 1 provides a sharper definition of personal data, clause 2 provides a definition of scientific research and clause 3 provides detail on consent in the context of scientific research. Additionally, there are changes around transparency, there are new provisions on further processing in the context of research, and a new chapter on safeguards for processing for research, archiving or statistical purposes.
To begin with, clause 1 of the Bill includes further precision on when information is processed relating to an identifiable living individual by introducing a new Clause 3A into the Data Protection Act 2018 and amendments to Article 4 of the UK GDPR. The new provisions refer to there being only two cases where information relates to an identifiable living individual (and therefore when the data is personal data).
The first case is where the living individual is identifiable by the controller or processor by reasonable means at the time of the processing. Identifiability is defined by a new subsection which refers to direct and indirect identifiability. Direct identifiability is fairly straightforward. If you know someone's name, they are directly identifiable. Indirect identifiability is where an individual can be identified only with the use of additional information. Indirect identifiability is akin to the concept of pseudonymisation, a point underlined by the amendment to the definition of 'pseudonymisation' proposed ie "processing of personal data in such a manner that it becomes information relating to a living individual who is only indirectly identifiable" (to be included in Article 4). Additional information is not in the hands of the controller or processor so that the individual cannot be identified directly by either without the additional information.
The second case is where the controller or processor knows or ought reasonably to know that another person is likely to obtain the information as a result of the processing and that a living individual is likely to be identifiable (either directly or indirectly) by that other person by reasonable means at the time of the processing. The provision goes on to explain what is meant by 'reasonable means'. To understand what is reasonable requires consideration of any means that the person is reasonably likely to use taking into account factors such as time, effort and costs, plus technology and other resources available to the other person (it’s important to note that the factors that can be taken into account are not exhaustive).
This second case, therefore, will be relevant in circumstances where an organisation wishes to argue that data being used for research purposes is anonymous. If an organisation can argue that any person it discloses research data to is not likely to be able to indirectly identify a living individual by reasonable means (because, for instance, the costs involved in linking two sets of records to reveal identifiability would be too high), then they can argue that the data is anonymous. However, any organisation seeking to do this should consider how they will demonstrate this assessment (ie that the researcher is not likely to identify a living individual by reasonable means at the time of processing) and be able to defend it if need be.
On the one hand, much of this new drafting reflects language already found in Recital 26 of the EU GDPR. On the other hand, it appears that this drafting could give more leeway to researchers to interpret data as anonymous whereas in fact the data is pseudonymous. It will all come down to whether a strong case can be made that the person who receives the data is not likely to identify a living individual by reasonable means at the time of processing. It's worth remembering the impact of this – where data is anonymous, data protection law doesn't apply at all so all UK GDPR obligations fall away. Therefore, there may be considerable interest from those in the research community in being able to argue that the data they disclose or receive is not identifiable by reasonable means.
Recital 159 of the EU GDPR includes an explanation of how scientific research should be interpreted under the EU GDPR. It indicates that the interpretation should be broad and provides a non-exhaustive list of types of research. However, there is no definition of scientific research in Article 4 of the EU GDPR. The new UK Bill takes the substance of the interpretation found in Recital 159 and includes it in a new definition of "scientific research" in the UK GDPR. A difference in the Bill's definition is that it includes the phrase that processing of personal data for the purposes of scientific research is processing for the purposes of "any research that can reasonably be described as scientific". It's possible that this definition could be considered overly broad in certain contexts.
Whereas in the EU GDPR it is the recitals that indicate what is meant by statistical and historical research, the Bill now proposes including these provisions in the definitions section of the UK GDPR. It's important to note that aspects of the existing UK law concerning processing personal data for research purposes remain. For instance, if you wish to rely on the research basis to process special category data under paragraph 4 Schedule 1, Data Protection Act 2018 (DPA 18), the processing must still be in the public interest.
Recital 33 of the EU GDPR indicates that individuals are able to give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research. Clause 3 of the UK Bill includes this concept as a definition in Article 4 UK GDPR. The government's explanation for elevating this concept from a recital into a definition is to ensure it's not overlooked. Certainly organisations should be reminded that there is this more flexible option for relying on consent under the UK GDPR. However, moving it from a recital to an operative provision does not substantially change what the law already stated.
The current position under the UK and EU GDPRs is that if a controller collects personal data directly from an individual, the controller must provide that individual with a privacy notice explaining to them how their personal data will be used (Article 13). It is only where a controller collects personal data indirectly about an individual (ie collects from a third party) that the GDPR provides exceptional circumstances where a controller is not required to provide a privacy notice (Article 14). Among those exceptions is where the provision of the privacy notice would involve a disproportionate effort or where provision of the privacy notice is likely to render impossible or seriously impair the purpose of the processing.
The new Bill intends to change the position for controllers who collect data directly from an individual and especially for controllers in the research sector. So the Bill will amend Article 13 of the UK GDPR to give a controller the ability to rely on an exception from the requirement to provide a privacy notice if the controller intends to further process personal data for research purposes, in accordance with Article 84B (see below), and where providing the privacy notice is impossible or involves a disproportionate effort. The types of scenarios implicated here would include research studies where personal data has been directly collected from individuals but an organisation wishes to use the data for another research purpose and has no reasonable means of contacting those individuals.
As set out in more detail here, the Bill also includes provisions amending the rules on the further processing of personal data (new Article 8A). The substance of the compatibility test reflects what is already set out in Article 6(4) so there is no significant change there. Processing personal data for research purposes and in accordance with Article 84B is automatically treated as compatible processing. The drafting does though present a problem. If personal data was collected by the controller based on consent, then processing for a new research purpose appears to require a new consent (since the automatic compatibility for research purposes does not appear to be available under Article 8A(4)).
Currently, Article 89 of the UK GDPR reflects the EU GDPR in setting out the framework for when personal data is processed for scientific research purposes. Certain safeguards should be put in place when personal data is used for these purposes and Member States may specify derogations from a number of the rights under the EU GDPR. Clause 22 of the UK Bill omits Article 89 from the UK GDPR and instead inserts new Articles 84A–84D in a section which is titled "safeguards for processing for research, archiving or statistical purposes".
While this looks radical, in fact most of new Articles 84A – 84D repeats concepts from Article 89 EU GDPR and from the provisions in the current DPA 18. For instance, the appropriate safeguards in Article 84C mirror the provisions in s9 DPA 18 which require that processing for scientific research purposes must not be likely to cause substantial damage or distress to individuals or be used for the purposes of measures or decisions impacting a particular individual. The emphasis on data minimisation and pseudonymisation from Article 89 is arguably picked up in new Article 84B which sets out that the default position is that processing of personal data for research purposes should be carried out in a manner that does not identify individuals.
It is revealing that the UK government decided not to introduce a new lawful basis under Article 6 to permit processing of personal data for research purposes. In the consultation, the signs were that this was being seriously considered, but it was clearly concluded that this would be a step too far. A number of the changes proposed around research processing simply formalise aspects of the GDPR that are in the recitals. Other aspects are designed to make the legal framework easier for researchers to operate in. However, certain changes appear to inject a layer of complexity which regrettably makes understanding what the law requires less straightforward.Having said that, the second reading of the Bill was recently postponed following the change of Prime Minister, to allow "ministers to further consider this legislation", so we may see further changes to the draft provisions on using personal data for research.
Elaine Fletcher looks at the key elements of the UK's Data Protection and Digital Information Bill.
26 September 2022
Victoria Hordern examines whether the UK's proposed reforms to the use of personal data for research purposes make material changes, and whether they are helpful to researchers.
26 September 2022
Jo Joyce looks at legitimate interests and purpose limitation provisions in the Data Protection and Digital Information Bill.
26 September 2022
by Jo Joyce
Debbie Heywood looks at the proposed changes to the UK's rules on exporting personal data to third countries under the Data Protection and Digital Information Bill.
26 September 2022
Megan Lukins looks at the proposed changes to PECR under the UK's Data Protection and Digital Information Bill.
26 September 2022
by Megan Lukins