ICO publishes draft guidance on research provisions in the UK GDPR and DPA 18

What's the issue?

Data used for scientific research is often personal data.  As such, its use in the UK is governed by the UK GDPR and Data Protection Act 2018.  Where the data is special category data (such as health data), it attracts additional protection. 

While there are limited exemptions to obligations available when personal data is used for research, the UK government is concerned that the UK GDPR, inherited from the EU GDPR, presents a number of barriers to research and therefore to innovation. These are identified in the DCMS consultation on data protection reform - 'Data, a new direction', covered in more detail here.

What's the development?

The ICO responded to the government consultation in October 2021, but has now published draft guidance on research provisions in the UK GDPR and DPA 18 for consultation, acknowledging that the government is looking to make changes in this area but saying guidance is needed now to give clarity on research provisions. 

The ICO's draft research guidance covers all the research exemptions (for scientific, historical research, archiving in the public interest and statistical purposes), but for the purposes of this article we focus on scientific research. The ICO looks at issues around the definition of scientific research, lawful basis, purpose compatibility, data minimisation, storage limitation and what constitutes public interest. 

What does this mean for you?

Any changes to the research provisions in the UK GDPR are some way off.  The ICO's draft guidance provides a helpful consolidation of research provisions, requirements and safeguards in the UK GDPR and DPA 18, as well as tackling some of the thornier issues associated with processing personal data for research – in some cases consolidating existing relevant guidance. 

Assuming the guidance does not change significantly before being finalised, controllers should find it helpful, particularly on the subject of lawful basis and purpose compatibility.

Read more

What is scientific research?

There is no denying that there is no definition of scientific research in the body of the UK GDPR.  The ICO suggests the term should be understood broadly (with the help of Recital 159) to cover the traditional full range of academic research, as well as research carried out in commercial settings and technological development and demonstration. 

In order to make use of the research provisions, the research must produce new knowledge or apply existing knowledge in novel ways, often with the aim of benefiting the public interest.  The ICO says that scientific research aims to:

• advance the state of the art in a given field or provide innovative solutions to human problems
• generate new understandings or insights that add to the sum of human knowledge in a particular area, or
• produce findings of general application that can be tested and replicated.

The ICO goes on to produce an indicative list of criteria which will help demonstrate that the purpose of processing is scientific research.  The ICO says more than one of these should be met and the more criteria can be satisfied, the more likely it is that the processing in question is for scientific research.

The ICO arguably places less emphasis on the difference between public and private sector research than the European Data Protection Supervisor does in the Preliminary Opinion on data protection and scientific research.  While the EDPS does not preclude commercial purposes from constituting scientific research, he says that the special regime for scientific research will only apply where the following criteria are met:

• personal data is processed
• relevant sectoral standards of methodology and ethics apply, including the notion of informed consent, accountability and oversight
• the research is carried out with the aim of growing society's collective knowledge and wellbeing as opposed to serving primarily one or several private interests.

Lawful basis

Controllers processing health data for research need to establish a lawful basis for processing under Article 6 UK GDPR, and then, potentially be able to rely on an Article 9 exemption from the general prohibition on processing special category data. You can read more about the complexities of establishing lawful bases here, but there are difficulties associated with the most likely Article 6 bases (consent and legitimate interests) and with the Article 9 exemptions (consent again, purposes connected with healthcare diagnosis, supply and treatment, and processing necessary for reasons of public interest in the area of public health).

The ICO says public organisations (universities, NHS organisations, the Research Council and other public authorities) should rely on the task being in the public interest.  Commercial companies and research organisations on the other hand, should rely on legitimate interests when processing personal data for research (subject to being able to meet the balancing test against the rights and freedoms of the relevant individuals).  This is in line with earlier Guidance published by the Health Research Authority. 

Consent and re-use of data for further purposes

The ICO, like the HRA, says in most cases consent will not be the most appropriate lawful basis for scientific or health research.  This is because there is likely to be an imbalance of power which will preclude valid consent, and because consent must be capable of being withdrawn, which could invalidate the research. 

If, however, consent is the chosen lawful basis, the ICO says consent to process personal data for scientific research does not need to be as specific as for other purposes.  However, the general areas of research should be identified, and where possible, people should be given granular options, for example to consent only to parts of a research project. 

This is taken from the Recital 33 rather than from an operative provision of the UK GDPR but the ICO appears to give more weight to the Recitals than the government which is considering moving this element into the Articles of the legislation. 

Consent may have to be used where data is being re-used and the original basis for collection was consent for a non-research purpose. When discussing consent in this context, the ICO reiterates that consent must be specific and informed so the guidance does not fully deal with the ambiguity around a potential 'lesser' level of consent for scientific research as indicated in Recital 33.  In its response to the consultation on changes to the UK GDPR, the ICO expressed a preference for simplifying the issue but introducing a new lawful basis for processing personal data for scientific research, subject to suitable safeguards.

Special category data

Where personal health data is used for research, it will be special category data and an Article 9 condition must be met. This is likely to be Article 9(2)(j) – the processing is necessary for scientific research.  If this condition is relied on, the conditions of Schedule 1 Paragraph 4 of the DPA 18 must be met.  This means the processing must be:

• necessary for that purpose – it must be a reasonable and proportionate way of archiving the purpose without using more data than needed
• subject to appropriate safeguards as set out in Article 89(1) UK GDPR
• not likely to cause substantial damage or distress to an individual
• not used for measures or decisions about particular individuals
• in the public interest.

When is processing 'necessary'?

The ICO says the necessity requirement does not mean that the processing is absolutely essential for scientific research but it must be more than just useful or habitual.  It must be targeted and proportionate.  The conditions do not apply if the purpose can reasonably be achieved by some other, less intrusive means. Being necessary for a particular business model or procedure is also not sufficient to meet the necessity requirement.

When is something in the public interest?

The ICO says public interest in the context of research should be interpreted broadly to include any clear and positive benefit to the public likely to arise from that research.  This does not preclude a private interest and is not limited to the public sector. Something that benefits a small number of people by an insignificant amount is unlikely to be sufficient but a significant benefit to a small number of people can be public interest, provided it does not harm society's wider interest. 

Examples of the form public interest benefit can take include:

• improved health and wellbeing outcomes
• improved financial or economic outcomes for individuals or the collective public
• the advancement of academic knowledge in a particular field
• the provision of more efficient or more effective products and services for the public.

Avoidance of harm to the public is also a key factor, and research provisions cannot be used if they cause substantial damage or distress.  Crucially, controllers must be able to demonstrate the public interest.

Storage limitation

The storage limitation principle requires that personal data should not be kept for longer than it is needed.  However, the data can be stored for longer periods where processed solely for scientific research purposes.  The ICO says the data can be kept indefinitely on this basis provided it is only used for scientific research.  The data cannot later be used for another purpose and must be deleted once it is no longer processed for research purposes.

Purpose compatibility – re-use of data for scientific research

The purpose limitation principle (Article 5 UK GDPR) states that personal data collected for a particular purpose cannot be further processed in a manner incompatible with that purpose.  However, further processing for scientific research is automatically considered to be compatible with the original purpose provided appropriate safeguards are in place in accordance with Article 89.

This means there is no requirement to identify a further lawful basis for further processing for scientific research unless the original lawful basis was consent.  The ICO says the processing must still be generally fair and lawful, and privacy information should be updated to ensure the processing is transparent.  Where the original lawful basis was consent, fresh consent to re-use will be required.

The ICO underlines that conducting research using data collected from a third party effectively uses new data.  The processing cannot rely on compatibility with the original organisation's purpose and a lawful basis for the processing must be identified.  While privacy information given to data subjects must reflect this, the information will not need to be provided to data subjects if to do so would be impossible or would involve disproportionate effort.

Safeguards

The special regime for scientific research under the GDPR is tied into the requirement under Article 89(1) to provide appropriate safeguards to the rights and freedoms of data subjects.  These take the form of technical and organisational measures, in particular, to ensure data minimisation.  The standards of these safeguards and what they entail are not set out in detail and must be assessed on a case by case basis.  Some may involve significant investment of economic and personnel resources but the cost to an organisation is not a relevant factor in deciding whether or not to implement them.

Under s19 DPA 18, processing will not satisfy Article 89 requirements if the processing is likely to cause substantial damage or distress to data subjects, or where it is carried out for the purposes of measures or decisions about particular individuals except in the case of approved medial research.

The guidance doesn't say a great deal about data minimisation beyond the main points on anonymisation and pseudonymisation, partly because separate guidance on these issues is also in development.  There is slightly more detail on what is meant by decisions about particular individuals and approved medical research.

Exemptions

A section of the guidance is devoted to the application of the exemptions themselves.  In some ways, this is the least enlightening section of the guidance as it mainly consolidates the various applicable provisions of the legislation and explains them in layman's terms, often using previously published guidance, but it is worth noting the emphasis the ICO places on:

• making assessments of the application of exemptions on a case by case basis
• documenting the reasons for relying on an exemption
• applying the exemption only to the extent it is required ie in a proportionate manner
• informing the individual without undue delay and within one month of receipt of a request to give effect to a particular right about reasons for refusing the request and their right to complain to the ICO or seek redress through the courts.

Consultation

A consultation on the draft guidance is open until 22 April 2022.