ICO consults on new guidance for conducting scientific research under the UK GDPR

Research and development, innovation, product and service improvement, AI design and deployment... these are key commercial drivers for the successful modern business. They also underpin technological, medicinal, and other progress which benefits society as a whole.

At the same time, these activities often involve processing personal data, and must therefore be carried out in compliance with the GDPR (or, in the UK, the UK GDPR) and supplementary national requirements. In the UK, a recent government consultation suggested that the complexity of the current regime was unnecessarily hampering research. Following this, the ICO has published draft guidance providing useful clarifications on how the current regime applies. The ICO has invited feedback on the draft guidance and also stated its intention to update it following any changes to UK law. Responses must be submitted by 22 April 2022.

This article provides an introduction to some of the key issues under consideration.

Processing for scientific research purposes

GDPR requirements are relevant to several aspects of research involving personal data. For example:

  • Transparency. The manner in which information is provided to participants can be important in research projects, for example when observing human behaviour. This must be navigated in light of GDPR transparency requirements.
  • Consent. Ensuring that datasets are sufficiently representative can require additional work where GDPR consent requirements apply.
  • Special category data. Research often requires the use of special category data, for example in the fields of health and social science. This must be carried out in compliance with the more restrictive GDPR regime for this type of data. 
  • Purpose limitation. Research goals often evolve over time. This must be considered in light of the GDPR purpose limitation principle.
  • Data combination and sharing. Research often involves combining or sharing personal data, for which a GDPR legal basis is required.

Various provisions in the GDPR (the ‘research provisions’) are designed to ensure that these considerations do not unduly restrict scientific research. The research provisions enable several GDPR requirements to be relaxed where necessary, including in relation to transparency, consent, the use of special category data and purpose limitation.

However, the application of these provisions is not always clear. One reason for this is that there is no clear definition of ‘scientific research’ in the GDPR. Another is that the provisions only apply to research which is subject to ‘appropriate safeguards’, but it is not always clear what this requires in practice.

The definition of scientific research

The draft guidance confirms that scientific research can include research carried out in commercial settings, and ‘technological development and demonstration’. This is likely to be welcome for many organisations whose internal research and development, innovation or AI activities involve processing personal data.

The guidance also sets out a list of indicative criteria for assessing whether particular processing can be considered as scientific research for the purposes of the UK GDPR. These criteria are split into:

  • Activities, such as formulating hypotheses, isolating variables, designing experiments, and objective observation and measurement of data.
  • Standards, such as ethics guidance and committee approval, peer review, and compliance with relevant rules on carrying out research with human participants.
  • Access, such as publication of results, and commitment to sharing the findings of research.

The guidance makes clear that not all of these criteria have to be met, although there is an expectation that ‘more than one’ should be. This is helpful, although the question of which criteria, or combinations of criteria, are sufficient to bring processing within the definition is likely to remain a key question.

The inclusion of ethics guidance and committee approval as a relevant criterion may assist organisations who have already implemented these or equivalent forms of oversight, for example in the context of their deployment of AI. However, given the variety of activities which can constitute research, this type of oversight will presumably not always be relevant or appropriate.

The guidance also confirms that UK GDPR requirements are conceptually distinct from parallel standards for research involving human participants. In particular, it states that consent will often not be the most appropriate lawful basis under the UK GDPR, even where informed consent is obtained under applicable research standards (for example in the context of clinical trials). Again, this is a helpful clarification, and seems appropriate in light of the differing definitions of consent in research settings, and the status of the UK GDPR as providing a unified legal framework for the processing of personal data.

Appropriate safeguards

The draft guidance also includes clarification as to the ‘appropriate safeguards’ required. The focus here is on anonymisation and pseudonymisation, and there is reference to planned guidance on privacy enhancing technologies, suggesting that these could play an important role.

From a UK perspective, a further helpful clarification is that an additional UK safeguard - that research must not be carried out for the purposes of taking measures or decisions about data subjects - does not prevent research which aims to change how services are provided, or how measures and decisions are taken in future.

Next steps

Assess how the research provisions could assist your organisation’s responsible R&D, innovation, product and service improvement, and AI activities.

Consider making a written submission to the ICO to help shape the final form of the guidance. The deadline is 22 April 2022.

 

Authored by Eduardo Ustaran, Mark Brennan, and Nick Westbrook.

 

 
