This technical guidance has been produced for data protection officers, information governance officers and research governance managers.
Safeguards protect personal data. The GDPR requires that organisations processing data for research purposes have appropriate organisational and technical measures in place to ensure that data is processed lawfully, fairly and in a transparent manner, and is kept to a minimum and secure in the research context.
GDPR grants some exemptions from its requirements when personal data is processed for research. This means that researchers can, for example, retain patient health data for very long periods, refuse to delete personal data if the data subject withdraws their consent for the research, and use data from one research project for others.
However, these exemptions apply only if appropriate safeguards are in place. Without them, researchers will not be able to use the exemptions and will therefore be subject to the stricter requirements in the legislation.
Appropriate safeguards include checking that when processing special category personal data for research purposes, this is carried out in the public interest.
What constitutes appropriate safeguards?
Appropriate safeguards to the processing of personal data for health research require the following:
- the research will not cause substantial damage or distress to the data subject (i.e. substantial physical harm, financial loss or psychological pain),
- medical research has approval from a research ethics committee (as defined in the new Data Protection Act) if it involves processing data in order to do or decide something with respect to an individual person,
- the data controller has technical and organisational safeguards in place that ensure respect for the principle of data minimisation and ensure that exemptions to data subjects’ rights are not exercised unless the rights are likely to render impossible or seriously impair the achievement of the purposes of the processing,
- if processing special category personal data, this must be in the public interest (demonstrated over and above using ‘task in the public interest’ as the legal basis).
Technical and organisational measures
Organisations must also have technical and organisational measures in place to ensure respect for the principle of data minimisation. These should include that only the absolute minimum amount or type of personal data required for a purpose is processed. Personal data should be pseudonymised where compatible with the research purpose, and identifiable data should not be used where the research purpose can be fulfilled by further processing with anonymised data.
These measures can be achieved largely through organisational policies and governance arrangements that are likely to already exist in your organisation. These include:
- IT security and data protection policies
- Data Security and Protection Toolkit compliance
- assurance that research ethics committee approval is in place where needed
- codes of practice/organisational guidance that state personal identifiers are only used on a ‘need to know’ basis.
Data Protection Officers need to work with existing information governance and research governance functions, to ensure that organisational systems take account of the assurances that are already in place for managing research.
Safeguards applicable to special category personal data
Where it is necessary for research purposes to process special category personal data such as health or some genetic data, a different safeguard applies: processing must be ‘in the public interest’.
The ‘public interest’ referred to in this context should be proportionate to the processing of special category personal data and is different from ‘task in the public interest’ as a lawful basis for processing personal data.
The data controller must ensure that processing of special category personal data has an appropriate basis in law, and it is good practice to document decisions in this area. Relevant considerations could include that the processing is subject to a governance framework which operates with public interest as a criterion, assessed independently of the data controller. This could be by peer review from a public funder, research ethics committee review, Confidentiality Advisory Group (CAG) recommendation for support in England and Wales, or support by the Public Benefit and Privacy Panel for Health and Social Care in Scotland. Relevant evidence of appropriate review may also be provided by a Data Protection Impact Assessment.