How research interacts with data protection

Research underpins so much of modern life and society. The research community in the UK is world-leading, and this is reflected in the commitment of the UK government to spend £14.9bn on research and development in 2021/22. According to UK Research and Innovation (UKRI), the UK is home to 16 of the world’s top 150 universities, ranks second globally for the quality of its scientific institutions and attracts a large proportion of international researchers.

Research also enables innovation. We have seen this first-hand over the past two years, with the creation of the vaccination and booster programme, as well as countless other discoveries and interventions that were made possible through the medium of research. It has and continues to play a large role in the everyday fabric of our lives.

At the ICO, the UK’s data protection regulator, we understand the value and importance of research. Our technology and innovation department frequently works on the cutting-edge of scientific and technological advances, ensuring that data protection is considered and discussed from the very start of these exciting projects. We have undertaken research projects ourselves – from our work with the Alan Turing Institute on guidance for researchers working with artificial intelligence (AI), to our successful grants programme which funded projects in areas such as data protection implications in the building of smart homes and research into fairness of employment AI decisions.

We have today launched a consultation on draft guidance covering research provisions in the UK GDPR – a key document which is vital to protecting the integrity of your research while still ensuring that people’s personal data is protected from the outset.

The UK GDPR contains a number of research provisions and exemptions which enable growth and innovation to take place, whilst still protecting people’s personal data. However, they are not collated in one place in the legislation, and it is sometimes difficult for researchers to navigate and find the correct research exemptions and provisions.

Our draft guidance maps out these provisions and explains how they work together. It also covers how the provisions interact with the seven data protection principles, and provides some much needed definitions of what does, and does not, count as research. It also makes clear that in order to use these research provisions, you must have appropriate safeguards in place to protect the rights and freedoms of your data subjects. We have also included a number of examples and case studies to help aid your understanding of data protection law in relation to research. In particular, our draft guidance focuses on:

•         archiving purposes in the public interest
•         scientific and historical research purposes
•         statistical purposes.

The draft guidance recognises and seeks to protect the importance of research to society as a whole. It enables researchers to conduct their essential work while remaining compliant with data protection law. It also ensures that data protection requirements enable technological innovation, rather than present barriers, and facilitate the advancement of knowledge.

We are inviting researchers to read and comment on our draft guidance because we value and appreciate your knowledge. It is important to us as an organisation that our guidance works for those it is aimed at.

The consultation is open now and runs for nine weeks, until 22 April 2022. We hope that you will consider submitting your views and helping us protect the integrity of the research sector while ensuring that data protection is not a barrier to your important work.

Once we have consulted on the guidance, we will consider all views submitted and make any necessary changes to the text. We will then issue a final version of the guidance later this year.

You can find the survey on our website here.

By Ian Hulme, director of regulatory assurance at the ICO.