This technical guidance has been produced for data protection officers, information governance officers and research governance managers. 

The new legislation will strengthen data subject rights in some areas, yet provides some conditional exemptions to these rights for research. Data Protection Officers must be careful to apply these exemptions correctly.

The specific safeguard relating to exemptions to data subjects’ rights, over and above the others already covered, is that applying the right would prevent or seriously impair the achievement of the research purpose. Consideration should be given to research integrity and reproducibility, other legal requirements, resource implications and the impact on scientific validity.

The data controller, through the Data Protection Officer, is responsible for making and justifying this decision.

There is also the need to be fair with data subjects so, before applying an exemption, Data Protection Officers need to be aware of what research participants have been told about their rights. What has been said about withdrawal from the study is important here. Also important is whether the research has substantially evolved from what participants understand.

Right of access

The right of data subjects to access personal data about them includes a right to a copy of the personal data and access to information about the processing. However, this right does not apply when data is processed for health or social care research purposes where:

  • appropriate safeguards are in place; and 
  • the results of the research or any resulting statistics are not made available (including to other data controllers) in a form which identifies the data subject; or in the opinion of an appropriate health professional, disclosure to the data subject is likely to cause serious harm.

Right to rectification

Data protection legislation gives data subjects the right to obtain from the controller, without undue delay, the rectification of inaccurate personal data. This can include having incomplete personal data completed by means of a supplementary statement.

However, this right does not apply where data is processed for research purposes and appropriate safeguards are in place.

Right to erasure (‘Right to be forgotten’)

Data protection legislation gives data subjects the right to request erasure of personal data about them (including pseudonymised data) in specific circumstances.

However, this right does not apply where data is processed for research purposes and appropriate safeguards are in place.

Example:

For research integrity and participant accountability reasons, the research may not meet the standards expected if data were to be erased, and therefore the research activity could be seriously impaired.

Erasing data when a database has been locked for analysis would seriously impair achievement of the purposes of a research activity (as would rectification when the research is based on a snapshot of time).

Right to erasure and consent

The significance of this research exemption on the right to erasure is reduced when consent is the legal basis for processing under data protection law. If consent is the legal basis for processing the data involved and the data subject withdraws this consent, the data will need to be erased even if this is likely to render impossible or seriously impair the achievement of the objectives of that processing. This underlines the importance of ensuring that, when specifying the legal basis upon which data is processed, consent is only used where there are no more suitable alternatives. 

Right to restriction of processing

Data protection legislation gives data subjects the right to restrict the processing of data by the data controller in specific circumstances.

However, this right does not apply where data is processed for research purposes and appropriate safeguards are in place. 

Right to data portability

Data protection legislation gives data subjects the right to data portability: to move, copy or transmit personal data easily from one IT environment to another. The right applies where:

  • the processing is carried out electronically
  • the data was given directly to the controller by the data subject; and
  • processing is on the basis of either consent or contract.

However, this right does not apply where the legal basis for processing the data is ‘task in the public interest’ or ‘legitimate interests’. 

Right to object

Data protection legislation gives data subjects the right to object to the processing of personal data about them. This applies where the legal basis for processing is ‘task in the public interest’ or ‘legitimate interests’.

However, this right does not apply where:

  • data is processed for research purposes
  • appropriate safeguards are in place, and
  • the processing is necessary for a task carried out in the public interest.

If the legal basis for processing is ‘task in the public interest’, this meets the requirement that the processing is necessary for a task carried out in the public interest. No additional justification is necessary. 

However, if the legal basis for processing is different from this, the data controller should document alternative justification for the processing being necessary for a task carried out in the public interest. You can demonstrate that the processing is necessary for a task carried out in the public interest, even if the legal basis for your processing is not ‘task in the public interest’. 

This justification allows the exemption to be used, and the data to be processed, even where a research participant withdraws from a study, provided that consent is not the legal basis for processing.

Although the research exemption means the right to object does not need to be upheld, you should consider what participants have been told about withdrawing from the study and the ethical considerations of relying on the exemption to this right.
