Research Provisions in the GDPR

Thursday, April 26, 2018 - 09:46

Like the current Data Protection Act 1998, the General Data Protection Regulation (GDPR) will apply to any research involving data about identifiable living individuals. Also like the Act, the Regulation provides for adaptation in a couple of areas where this is needed to make such research possible.

All processing of personal data needs a legal basis. Six are listed in GDPR Article 6; three seem most likely to be suitable for research:

  • Under the GDPR, consent needs to be freely given, informed, opt-in and capable of being withdrawn at any time. For research the requirement to inform is relaxed, so the researcher only needs to describe the "areas of research" (Recital 33) rather than giving specific detail. But consent must still be free, withdrawable and indicated by a specific positive action by the data subject;
  • For research where GDPR-compliant consent is not feasible, either legitimate interests or public interest may be a better fit. The boundary between the two is still unclear – the Information Commissioner has recently confirmed that public interest is unlikely to apply to all of a university's activities – but both require the benefits of research to be balanced against the risks caused to individuals. This needs to be done by the researcher for legitimate interest or the legislator for public interest. It may be safer for researchers to incorporate the balancing test in any case, as if it is later ruled that public interest does not apply then the research may become unlawful if this has not been done. With both bases, individuals have the right to object to processing;
  • GDPR Article 9(2)(j) requires research using special category data (health, race, religion, etc.) to be authorised by EU or national laws that set appropriate conditions and safeguards. For the UK, this will be done by the Data Protection Bill currently being debated in Parliament (see Schedule 1).

It's worth noting that whereas the law does not normally allow a change of basis for ongoing processing, the Information Commissioner has recognised that the introduction of the GDPR is an occasion when such a change may be permitted. That offer is likely to be open for only a limited period of time, so it is worth double-checking that your current legal basis will still be the appropriate one under the GDPR's new conditions or if a different one would be preferable.

Whereas the research adaptation for legal basis is set across Europe by the GDPR itself, the adaptations in the area of data subject rights are left (by Article 89) for individual member states to decide. The Regulation permits research activities to be exempted from some rights, but only if those rights would "render impossible or seriously impair" the research process. Member states must specify which rights (at most Subject Access, Rectification, Objection and Restriction, i.e. suspending processing while a rectification or objection is being dealt with) may be refused, as well as specifying safeguards that must be applied to research before it can qualify for any exemption. Under section 33 of the 1998 Data Protection Act, those safeguards include that the processing of data must not lead to decisions or measures with respect to particular individuals and there must be no substantial risk of damage or distress arising out of the research. The Data Protection Bill, currently being debated in Parliament, has similar requirements in Schedule 2, but also includes a proposal to allow results of approved medical research to be used to treat the individual research subjects.

Finally, GDPR Article 85 for the first time gives research publications a similar status to journalism so, while it should still be unusual to identify individuals in a publication, it may be possible to claim that the public interest justifies doing this in some cases. Further legal guidance will be needed on this permission – newspapers frequently have to defend their publication choices in court – but it may, for example, help those studying the history of recent events where it is impossible to avoid identifying the (still-living) individuals involved.