GDPR and implications for Research
To mark Data Protection Day, Trilateral has produced a special article that examines how the General Data Protection Regulation (GDPR) changes the rules for research. The GDPR adopts a “broad” definition of research, encompassing the activities of public and private entities alike (Recital 159). Research occupies a privileged position within the Regulation. Organisations that process personal data for research purposes may avoid restrictions on secondary processing and on processing sensitive categories of data (Article 6(4); Recital 50). As long as they implement appropriate safeguards, these organisations may also override a data subject’s right to object to processing and to seek the erasure of personal data (Article 89).
Research as a basis for processing
Organisations that process personal data (“controllers”) must have a lawful basis for any processing activity. Article 6(1) delineates the lawful bases for processing. Where a controller collects personal data under a lawful basis, such as consent, Article 6(4) allows it to process the data for a secondary research purpose. Research is not explicitly designated as its own lawful basis for processing, but, in some cases, it may qualify under Article 6(1)(f) as a legitimate interest of the controller.
One way a controller can process personal data for research purposes is by obtaining the data subject’s consent. Under the GDPR, consent must be “unambiguous” and specific to the processing operation. However, this poses a challenge for research because “[i] it is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of collection” (Recital 33). To address this challenge, Article 6(4) allows for subsequent processing operations that are “compatible.” Recital 50 specifies that further processing for research purposes “should be considered to be compatible.”
Article 5(1)(b) states, “further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes.” Article 89 sets out the safeguards that controllers must implement in order to further process personal data for research.
Conditions for research exemptions
Controllers that process personal data for research purposes must implement “appropriate safeguards” (Article 89(1)). These controllers must put in place “technical and organizational measures” to ensure that they process only the personal data necessary for the research purposes, in accordance with the principle of data minimisation outlined in Article 5(c). When processing personal data for research purposes, Recital 33 states that controllers should act “in keeping with recognized ethical standards for scientific research.” Disciplinary norms outlined by professional associations or other bodies may be a good resource for identifying such recognised ethical standards.
Article 89(1) provides that one way for a controller to comply with the mandate for technical and organisational measures is through deployment of “pseudonymization.”
Pseudonymisation is “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organizational measures to ensure non-attribution to an identified or identifiable individual” (Article 4(3b)). For example, Establishing participant “keys” (records which link identifiable research subjects with pseudonyms or participant numbers) is one way in which this could be accomplished, so long as the key is stored securely and separately from the research data.
Another technical measure relates to anonymisation. One of the appropriate safeguards that researchers could employ is to anonymise the personal data of data subjects. Recital 26 of the GDPR defines anonymised data as “ data rendered anonymous in such a way that the data subject is not or no longer identifiable. When done properly, anonymisation places the processing and storage of personal data outside the scope of the GDPR.
Whilst controllers are not required to obtain the data subject’s consent for all processing for research purposes, they remain bound by the GDPR’s notice requirements. Article 12(1) requires controllers to “take appropriate measures” to inform data subjects of the nature of the processing activities and the rights available to them. Controllers are required to provide this information in all circumstances, regardless of whether consent is the basis for processing, “in a concise, transparent, intelligible and easily accessible form, using clear and plain language” (Article 12(1)).
The notice should be provided at the time when the data is first collected and it must include the controller’s identity and contact information, the intended purposes of the processing activities, and, where applicable, that the data will be transferred to another entity or to a third country.
An updated notice should be provided where a controller intends to further process data for a different purpose, including for research. Providing up-front notice about research at the point of collection poses a challenge for researchers because of the difficulty in identifying research purposes in advance, especially in the context of big data. The GDPR accounts for this challenge in Recital 33, providing that data subjects should be able to “consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose.”
Data transfer outside the EU
The GDPR prohibits the transfer of personal data to countries outside of the European Union (EU) unless they offer an “adequate level of protection” as determined by the European Commission (Article 45(1)). A controller also may transfer personal data to a third country if it has implemented specific safeguards, including Binding Corporate Rules and standard contractual clauses, or if the data subject has provided explicit consent after being informed of the risks related to the transfer (Article 46(2); Article 49(1)(a)). In the absence of any of the above measures, the GDPR introduces a new basis for transferring data which is particularly relevant for researchers. Under Article 49(1), a controller may transfer data to a third country when “necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject.” Recital 113 makes clear that “the legitimate expectations of society for an increase of knowledge” should be taken into account when determining whether a “compelling legitimate interest” exists.
To make use of this transfer mechanism, however, researchers must meet stringent requirements. The transfer may be based on this ground only if it is not repetitive, it concerns a limited number of data subjects, and “the controller has assessed all the circumstances surrounding the data transfer and has on the basis on that assessment provided suitable safeguards” (Article 49(1)). Moreover, the controller must inform the data subject as well as the data protection authority of the relevant Member State of the international transfer.
The GDPR creates new exemptions for research. Specifically, the GDPR exempts research from the principles of storage limitation and purpose limitation so as to allow researchers to further process personal data beyond the purposes for which they were first collected. The Regulation allows researchers to process personal data and, in limited circumstances, to transfer personal data to third countries that do not provide an adequate level of protection. To benefit from these exemptions, researchers must implement appropriate safeguards, in keeping with recognised ethical standards, that lower the risks of research for the rights of individuals. Finally, many of the provisions of the GDPR represent what is currently undertaken in research as best practice and encapsulated within research codes of practice, and so should not prove to be too onerous for researchers.
For more information visit Trilateral Data Protection Officer page and contact our team: firstname.lastname@example.org