This technical guidance has been produced for data protection officers, information governance officers and research governance managers. 

What is processing data?

Processing data includes doing any of the following to the data:

collecting recording organising
structuring storing adapting
altering retrieving consulting
using disclosing transmitting
disseminating making available aligning
combining restricting erasing

Organisations must have a valid, legal reason to process personal data. This is called a ‘legal basis’. This requirement is not new, however there are some important changes in the forthcoming legislation. Organisations have to record, and inform data subjects, what their legal basis for processing data is.

The legal basis that research organisations have used under the 1998 data protection legislation is most likely to support ‘legitimate interests’. Under GDPR, commercial companies and charitable research organisations will continue to use ‘legitimate interests’ as their legal basis.

However, public authorities (as defined in Freedom of Information legislation), when carrying out public tasks – such as research in NHS organisations, universities and Research Council institutes – will no longer be able to use ‘legitimate interests’. Instead, they will use ‘task in the public interest’ as their legal basis. Public authorities should document their justification for this, by reference to their public research purpose as established by statute or University Charter.

The new legislation does not introduce different standards between organisations that use ‘legitimate interests’ and organisations that use ‘task in the public interest’.

The legislation will also require research organisations to be explicit about which of the new legal bases they are using. Under the new legislation, you will need:

  • a legal basis to process personal data; and
  • an additional legal basis to process any ‘special category’ personal data (e.g. health information).

Legal basis and consent

Consent is an important part of the research process and is frequently sought for participation in research studies. One reason is to ensure that any disclosure of confidential information meets the requirements of the common law duty of confidentiality. Where consent is sought from research participants, they are normally told how information about them will be used.

Consent to participation in research is not the same as consent as the legal basis for processing under data protection legislation. An example is that a person is asked to consent to participate in research but is told that, if they agree to participate, data about them will be processed for a task in the public interest. The legal basis for data processing is not consent.

If you use consent as the legal basis for your processing and a participant withdraws their consent, you will not have a legal basis to process personal data about them. See the ICO guidance on consent to understand the implications.

If you use 'task in the public interest', it does not automatically mean that the requirements of the common law duty of confidentiality have been met. The requirements of both data protection legislation and the common law duty of confidentiality must be satisfied. National guidance on confidentiality is unaffected by the GDPR (see the Information Governance Alliance’s GDPR guidance on consent and information about the Confidentiality Advisory Group on the HRA website for more information).

Legal basis for processing personal data

Data controllers must already have a legal basis for processing personal data. However, the new data protection law makes some changes in this area. For example, organisations must now include the legal basis for processing in a ‘privacy notice’ (the information for data subjects about processing). This information should be given at the appropriate level. For example, the legal basis for a research organisation’s processing can be provided in corporate information but project-specific details about the purpose of the processing should belong in the participant information sheet for the individual research project. 

Legal basis for processing ‘special category’ personal data

‘Special category’ personal data is:

  • data which reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership
  • data concerning health (the physical or mental health of a person, including the provision of health care services)
  • data concerning sex life or sexual orientation
  • genetic or biometric data processed to uniquely identify a natural person.

    ‘Genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.

    Whether processed by a public authority or by a commercial organisation or charitable research organisation, special category personal data can be processed for research purposes, but only if processing such data is:

    • necessary for archiving purposes, scientific or historical research purposes or statistical purposes,
    • subject to appropriate safeguards (Safeguards section), and
    • in the public interest.

    Back to gdpr: technical guidance