High on the Government’s wish list for data protection reform is the reduction of legislative barriers to ‘responsible innovation,’ particularly within the field of scientific research. Due to perceived complexity and lack of clarity, it is feared that organisations either choose not to conduct research at all or rely on unnecessarily burdensome consent processes. This blog considers the likely impact of the Government’s ideas.
The Government’s key suggestions for change
Although the GDPR and Data Protection Act 2018 were drafted with scientific research firmly in mind, the Government suggests the following changes:
- Clarification of which Article 6 lawful ground applies
Data can only be processed lawfully in accordance with one of six lawful bases within Article 6 UK GDPR. The consultation paper refers to apparent confusion on the part of universities and consent fatigue, and asks whether a new lawful basis should be introduced specifically for research.
On one hand, this appears unnecessary. The existing lawful basis of ‘legitimate interests’ is sufficiently broad to accommodate scientific research. There is also already a specific pathway in place for processing special category data (Article 9(2)(j) UK GDPR), with common sense considerations concerning security and the data rights of research subjects. This process of balancing the rights and interests of all those involved is an exercise which sits naturally alongside ethical considerations integral to research projects. On the other hand, a specific lawful basis for research may provide clarity across public, private and third sectors.
- Facilitating re-use of data for purposes other than those for which it was collected and formalisation of ‘broad consent’ for additional research purposes
In general, a further lawful basis must be relied upon when personal data is further processed for an incompatible purpose. Article 5(1)(b) UK GDPR confirms that scientific research is deemed compatible with the original purpose for processing. The Government queries whether the legislation should explicitly confirm that such processing is lawful.
This proposal is linked to a further suggestion to formalise the nebulous concept of ‘broad consent’ for processing of data for additional research purposes buried within Recital 33 UK GDPR.
The Government must tread carefully here. As emphasised by the ICO in its response to the consultation, re-use must be fair and within the reasonable expectations of data subjects, not least given the Government’s suggestion (below) to extend the exemptions to transparency obligations. This concept of ‘broad consent’ jars with the gold standard of specific, informed, unambiguous consent emphasised throughout the GDPR. The ICO takes the view that data provided by consent should only be re-used for matters of genuine public importance. Any steps to create a second, more loosely defined, variety of consent may breed confusion in an area which the ICO has spent the last four years clarifying.
- Transparency of use and re-use
Transparency is a vexed issue. The GDPR was designed to protect an individual’s right to understand how, and by who, their data is being processed. There is an existing exemption specifically available to scientific research projects where it would be impossible, or disproportionate, to inform data subjects how their data is being used – although this is only available where data is not obtained directly from the data subjects involved. The Government suggests removing this disparity so that it is also available where data is obtained directly from data subjects. This makes good sense. However, given the impact of this exemption upon the rights of data subjects, detailed guidance is needed to assist research organisations identify when compliance with these obligations in fact becomes disproportionate.
- Consolidation of all research related provisions into one place within the legislation, to include a definition of ‘scientific research.’
Although it is clear that the GDPR was intended facilitate scientific research, the relevant provisions are unhelpfully split between the operative provisions and recitals. Consolidating and clarifying these provisions would clearly by helpful. The ICO endorses the current definition of scientific research within the UK GDPR, noting that the acid test is whether the processing falls within the reasonable expectations of the individual.
Given the clear intention of the existing legislation to facilitate processing for scientific research, at worst, these proposed changes may amount to little more than harmless tinkering. At best, in combination with greater clarity around anonymity and reliable pathways for the international transfers of data, they will provide the scientific research community with more clarity and certainty. Either way, given the Government’s stated commitment to protecting the rights of data subjects, research organisations must continue to carefully exercise their responsibility to balance the rights and interests of all those involved.