ICO consultation on draft guidance for the research provisions within the UK GDPR and the DPA 2018

The Information Commissioner’s Office (“ICO”) has published a draft guidance on the research provisions in the UK General Data Protection Regulation (Regulation (EU) 106/679) (the “UK GDPR”) and the Data Protection Act 2018 (the “DPA”) (the “Draft Research Guidance”) and launched a public consultation seeking feedback on the Draft Research Guidance.

The Draft Research Guidance highlights:

• the provisions relating to research in the legislation;
• how they fit together and their practical effect; and
• definition of key terms.

The ICO clarified that the Draft Research Guidance is intended to help those engaged in research to carry out their processing in compliance with the law and to provide researchers confidence to make use of the provisions where appropriate.

The UK GDPR and the DPA contain a number of provisions for processing personal data for research purposes. The Draft Research Guidance lists three types of “research related purposes”:

• archiving purposes in the public interest;
• scientific or historical research purposes; and
• statistical purposes.

It provides a useful list of criteria that can be used to identify whether a purpose for processing personal data is likely to be considered a research related purpose.

The UK GDPR and the DPA provisions cover three broad areas of data protection:

1. The data protection principles
   • The purpose limited principle (Article 5 UK GDPR) allows processing of personal data for specified, explicit and legitimate purposes. Any further processing must be compatible with the original processing unless it is for a research related purpose.
   • This means that there is no requirement to identify a further lawful basis for further processing for research unless the original lawful basis was consent. Where the original lawful basis was consent, fresh consent to re-use will be required.
   • The ICO says the processing must still be generally fair and lawful, and privacy information should be updated to ensure the processing is transparent.
   • Article 5 UK GDPR provides a further exception to the storage limitation principle, which says that personal data can be kept indefinitely to the extent that it is processed for one of the research related purposes.

2. A condition for processing special category data and criminal offence data
   • Article 9(1) UK GDPR creates a prohibition on processing special category data, which is data that requires more protection because it is considered sensitive and relates to matters such as race, ethnicity, health, genetic and biometric data, unless a condition applies. One of these conditions is that the processing is necessary for a research related purpose.
   • The DPA sets some requirements on relying on this condition and the Draft Research Guidance provides some helpful commentary on its understanding of these requirements.
   • For any personal data relating to criminal convictions and offences or related security measures, a lawful basis is required for its processing along with the fulfilment of other conditions in the DPA.

3. Exemptions from data subjects’ rights
   • The UK GDPR and DPA contain a number of exemptions to complying with a data subject rights requests received from an individual. Such requests can include the right of access, erasure, rectification, portability, restriction and objection. For some of these rights, an exception is available if the data is processed for a research related purpose.
   • However, in relation to some of the rights, relying on this exemption is allowed only if complying with the request (i) would prevent or seriously impair achieving the purpose for processing and the processing is subject to the safeguards set out in Article 89(1) UK GDPR, (ii) is not likely to cause substantial damage or distress, and (iii) is not used to measure or make decisions about individuals.

The Draft Research Guidance advises that where possible, research should be carried out using anonymous or pseudonymous data. If not possible, the Draft Research Guidance will be helpful in navigating the various compliance hurdles in order to rely on the flexibility provided in the UK GDPR and DPA for processing data for research related purposes.

The consultation on the Draft Research Guidance is open for feedback  till  5 pm on Friday 22 April 2022.

Please contact Jose Saras if you have any questions regarding the above.

The material contained in this article is only for general review of the topics covered and does not constitute any legal advice. No legal or business decision should be based on its content.