Use of Personal Data in Research
The GDPR and the Data Protection Bill set down certain exemptions which allow personal data to be used for research purposes (including historical or statistical research), where the data were originally gathered fairly and lawfully for other purposes. Data collected for one purpose or piece of research can be used for other research, and can be kept for longer, provided appropriate safeguards are implemented.
- The data must be used solely for research purposes, and not for any other purposes (e.g. general administration) unless those purposes are the same as the purposes for which the data were gathered.
- The data must not be processed to support measures or decisions in regard to particular data subjects.
- The processing for research purposes must not cause, or be likely to cause, substantial damage or distress to data subjects. Closure of the data to outside access would be one way of helping to ensure this, as would anonymisation of research results.
Where the above conditions have been met, data retained for research purposes are exempt from subject access requests and other rights under the GDPR, provided the results of the research are not published in a form which identifies the data subjects. However, other aspects of the Data Protection Principles will still apply, such as the requirement to keep the data secure, and the requirement that the data should be processed fairly and lawfully.
We have produced a guidance document for researchers which can be accessed by contacting the Data Protection Officer. With the introduction of the GDPR, it is unlikely that consent will be the lawful basis for processing personal data in research. Instead, for many types of research funded by the public purse, the provision for conducting a task in the public interest can helpfully be relied upon as the lawful basis for data processing. But, importantly, the GDPR relates to data processing: other legislative and regulatory requirements will apply for identifiable data collection. For example, the common law duty of confidence applies where personal information is given in circumstances where a duty of confidence is expected, and that information cannot be disclosed without the consent of the data subject, or an overriding safeguarding or legal duty.
For further information on research and the GDPR, please see:
- Health Research Authority guidance: https://www.hra.nhs.uk/planning-and-improving-research/policies-standards-legislation/data-protection-and-information-governance/gdpr-guidance/
- Medical Research Council guidance on consent in research and confidentiality: https://mrc.ukri.org/documents/pdf/gdpr-guidance-note-3-consent-in-research-and-confidentiality/
- Medical Research Council Regulatory Support Centre GDPR resources for researchers: https://mrc.ukri.org/research/facilities-and-resources-for-researchers/regulatory-support-centre/gdpr-resources/