Blog

“Research” is
not a dirty word

“Research” is not a dirty word

Published: 16th July 2018
Area: Corporate & Commercial
Author: Geraldine Swanton

We consider research in the context of the data-protection regime, prompted by the ICO’s investigation into the use of data analytics in political campaigns.

The Information Commissioner has recently published an up-date of her investigation into the use of data analytics in political campaigns. One of the recommendations is that universities consider the risks arising from the use of personal data by academics in a university research capacity and where they work in a private commercial capacity.

This article is intended to reassure researchers, however, that not only is the data-protection regime not hostile to research, it recognises the significant social utility of research and grants it some latitude as a result.

That latitude is as follows:

Personal data:

1. Must be collected for specified, explicit and legitimate purposes and cannot be further processed in a manner that is incompatible with those purposes. Further processing for research purposes is not, however, considered to be an incompatible purpose. Personal data obtained for one research purpose may therefore also be used for other unrelated research purposes.

2. Used for research purposes, unlike personal data used for other purposes, may be retained in a form that identifies individuals for longer than is necessary. This recognises that new research possibilities may arise, which were not envisaged at the time the personal data was originally obtained.

These freedoms cannot be exploited unless the use of the data is necessary for research purposes and certain safeguards are implemented, as follows:

  • both technical and organisational measures must be put in place to ensure respect for the principle of data minimisation (i.e. ensuring that data is adequate, relevant and limited to what is necessary for the research purposes);
  • both technical and organisational measures must be put in place to ensure respect for the principle of data minimisation (i.e. ensuring that data is adequate, relevant and limited to what is necessary for the research purposes);
  • personal data must be pseudonymised e.g. codes must be used rather than individuals’ names or other clear identifiers in order to minimise the opportunity for identifying specific individuals, unless the research purposes cannot otherwise be fulfilled;
  • where the research purposes can be fulfilled by anonymising the data, it must be must anonymised
  • the research must not be carried out for the purposes of measures or decisions relating to particular individuals (unless the research is necessary for approved medical research);
  • the research is unlikely to cause substantial damage or substantial distress to the individual.

Sensitive personal data (e.g. data relating to health, political opinions, racial/ethnic origins, a person’s sex life, criminal convictions) can be used for research purposes in the absence of consent provided that in addition to the safeguards outlined above, the use of that data is in the public interest. Use of non-sensitive personal data in research where it is necessary in the public interest may also be justified in the absence of consent.

There are exemptions from many of the rights afforded to individuals with regard to their personal data (e.g. the right to rectification, to object to or restrict processing) where the research is subject to the safeguards outlined above and complying with those rights would prevent or seriously impair the research purposes. There is also an exemption from the right of individuals to gain access to their data but only if the results of the research or any resulting statistics are made available in anonymised form.

Research committees in practice, however, may well impose requirements on researchers far more stringent than the data-protection regime requires. That notwithstanding, the Information Commissioner’s investigation serves as a salutary reminder that personal data used for approved research purposes does not automatically become the researcher’s sovereign property to use for any purpose whatsoever outside of the realm of bona fide research. When our data is used in entirely unanticipated way to make decisions about us or covertly to influence our behaviour, the law rightly intervenes.

Back to Thoughts & Insights