Use of Personal Data in Research
The GDPR and the Data Protection Bill sets down certain exemptions which allow personal data to be used for research purposes (including historical or statistical research), where the data were originally gathered fairly and lawfully for other purposes. Data collected for one purpose or piece of research can be used for other research, and can be kept for longer, provided appropriate safeguards are implemented.
- The data must be used solely for research purposes, and not for any other purposes (e.g. general administration) unless those purposes are the same as the purposes for which the data were gathered.
- The data must not be processed to support measures or decisions in regard to particular data subjects.
- The processing for research purposes must not cause, or be likely to cause, substantial damage or distress to data subjects. Closure of the data to outside access would be one way of helping to ensure this, as would anonymisation of research results.
Where the above conditions have been met, data retained for research purposes are exempt from subject access requests and other rights under the GDPR, provided the results of the research are not published in a form which identifies the data subjects. However, other aspects of the Data Protection Principles will still apply, such as the requirement to keep the data secure, and the requirement that the data should be processed fairly and lawfully.
Specific guidance will be published here once the Data Protection Bill (which includes the exemptions) is published. Please contact the Data Protection Officer for further information.