Universities and other research bodies set to benefit from carve outs to new UK data protection laws

The legislation, set to be introduced before the UK parliament next month, may allow the institutions to reject requests to access or rectify personal data  or object to the processing of, or prevent further processing of, such data, in certain circumstances, the government said last week.

Confirmation of the plans to apply derogations available for personal data processing for scientific or historical research purposes were contained in a statement of intent the government issued on the planned new UK Data Protection Bill.

The derogations are provided for in the General Data Protection Regulation (GPDR), which will have effect from 25 May 2018. The government had consulted on which of the GDPR 'flexibilities' to apply earlier this year.

The move is aimed at removing some data protection barriers that can hamper or disrupt research projects.

The GDPR and derogations relating to research

The GDPR gives each EU member state the right to limit certain rights that people enjoy under the GDPR where their personal data is processed for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

People's rights to access data about themselves, demand speedy corrections to inaccurate data about them, as well as to restrict or object to data processing activities can be governed by national law where data is processed for scientific or historical research purposes or statistical purposes in certain circumstances explained in the Regulation.

National laws in such areas can restrict those rights where their application is "likely to render impossible or seriously impair the achievement of the specific purposes" – for example, the aim of the research – and it is "necessary" for the rights to be restricted. The national laws, however, must contain "appropriate safeguards" that ensure people's rights and freedoms are accounted for. For example, organisations should consider whether it is possible reduce the personal data held to the minimum required for the research and/ or whether the data could be pseudonymised without impacting on the quality of the research.

What has the government outlined?

In its statement of intent, the government confirmed that it would apply the derogations available for processing that relates to research.

The final wording of the new carve outs will not be known until the Data Protection Bill is published, but the government confirmed that the derogations would only apply if complying with the rights individuals otherwise enjoy under the GDPR "would seriously impair these organisations’ ability to carry out research, archiving or statistics-gathering activities". It provided examples of how they might apply.

It said: "For example, it may be that only by archiving inaccurate data is it possible to audit a decision-making process which led to an unfavourable outcome. Should all such data be rectified, the opportunity to learn lessons, and prevent a similar outcome in the future, may be severely diminished. A further example would be that statistical data may be compromised, leading to inaccurate conclusions, if individuals’ personal data is removed from the statistical 'pool'."

"The government will legislate to exercise this exemption in order to ensure that the UK continues to be a centre for groundbreaking research. We will ensure that research organisations and archiving services do not have to respond to subject access requests when this would seriously impair or prevent them from fulfilling their purposes. Research organisations will not have to comply with an individual’s rights to rectify, restrict further processing and, object to processing where this would seriously impede their ability to complete their work, and providing that appropriate organisational safeguards are in place to keep the data secure," it added.

In a letter to stakeholders, digital minister Matt Hancock said the derogations the government intends to apply "in effect … will maintain the system we have today".

New guidance on the way

A number of organisations supported the use of the research derogations in submissions made to the government's consultation.

Universities UK and the Council for Advancement and Support of Education, said, for example that exemptions from the requirement to fulfil the rights of access, rectification, restriction or objection would help "ensure that research projects may be conducted properly and without prejudice, particularly as research (particularly health research) moves to more longitudinal studies and large data sets".

The Wellcome Trust also endorsed the options in its submission. In a further statement issued to Out-Law.com, the Wellcome Trust said the implementation of the GDPR was "an important opportunity to provide greater certainty and clarity for researchers, and to support work to build public trust in the use of health data in research".

It said: "Making full use of the derogations will ensure there are not disproportionate burdens on research to comply with data subject rights. For example, the right of rectification (Article 16) would present specific challenges for researchers where it could undermine the integrity of data sets."

"The Regulation does include new rules that researchers will need to follow, for example around increasing accountability and transparency. Researchers and research organisations will need to keep good records about their data processing activities and be clear on the legal basis they have for processing personal data. It will be very important for researchers to have clear guidance to enable them to comply with the new law. The Health Research Authority is currently compiling sector-specific guidance for health research and the ICO is developing wide-ranging guidance as well," the Wellcome Trust said.

Kathryn Wynn is a data protection specialist at Pinsent Masons, the law firm behind Out-Law.com