This is, perhaps, the most important data protection principle: it is the overriding objective of the GDPR and all the subsequent data protection principles are, in effect, requirements for complying with this principle. There are three aspects to this data protection principle, which are discussed below.
‘Fair’ processing requires researchers to consider more generally how their use of personal data affects the interests of the individuals to whom it relates.
In circumstances where your use may cause detriment to an individual, you need to consider whether that detriment is justified.
Fairness is also naturally linked to the transparency of the processing and the ability of the individual to object.
The processing of personal data must have a lawful basis (a legally acceptable reason for processing the data), which must be documented by the data controller. Of the six possible legal bases specified in the GDPR, three are of relevance to research.
Public interest task
This will likely be the most common legal basis for processing, and applies where the processing is necessary for the performance of a task carried out in the public interest. As a result, personal data can be processed without consent where the processing is necessary for research carried out in the public interest, which would cover the majority of the University’s research.
The consent of the individual to whom the information relates provides a lawful basis for the processing of personal data, whether that consent is obtained directly from the individual concerned or indirectly by a third party contributor to the research project.
However, the GDPR sets a very high standard for valid consent, as detailed in GDPR consent requirements, and it may therefore be difficult to rely on consent as your basis for processing, particularly where you are relying on consent obtained by a third party on your behalf. Care needs to be taken over the form of any document seeking consent to ensure that consent has been freely given and that the document includes the purposes for which the research team wishes to use the data.
The GDPR recognises that it may not be possible to specify all the purposes of the research in advance. Researchers will therefore be expected to allow individuals to give consent only to certain areas of research or to certain parts of the project. Care should also be taken, where necessary, to document in contracts with third party contributors the consent obligations which they are required to satisfy.
The GDPR grants individuals a specific right to withdraw consent at any time, and it must be as easy to withdraw consent as to give it. If a research participant were to exercise this right, the research team would be obliged to stop processing that individual’s data, since it would no longer have a lawful basis for processing.
This applies where the processing is necessary for the University’s legitimate interests or those of a third party, and those interests are not outweighed by the interests and rights of the data subjects.
As a public authority, the University cannot rely on legitimate interests for any processing it does to perform its public interest tasks. However, legitimate interests may be the appropriate legal basis where it would be difficult to demonstrate that the research was necessary to meet a public interest, for example, because the research was funded by a private company and was commercial in nature.
The ICO recommends that those considering this basis should undertake a Legitimate Interests Assessment (LIA), comprising three parts. The first part involves identifying the legitimate interests in question; the second determining whether the processing of personal data is necessary to meet those interests; and the third determining whether those interests are outweighed by the rights and interests of the research participants.
To process special category personal data, in addition to identifying a lawful basis for processing, as described above, researchers must satisfy one of a further set of conditions. The conditions most relevant to research projects are:
Consent to use special category personal data requires the research team to obtain that consent explicitly. This means that the consent must be provided in the form of an express statement to that effect (‘I consent to my data being processed for…’). As above, data subjects must have the right to withdraw their consent at any time.
This applies where an individual deliberately makes special category personal data about themselves public. By making the information public, the individual has effectively waived their privacy interests in the information, but researchers still need to abide by the duty of fairness as described above.
In this context medical purposes means the purposes of preventative or occupational medicine, the assessment of the working capacity of an employee, medical diagnosis, the provision of health care and treatment, and the management of healthcare services. The condition applies where the processing is pursuant to a contract with a health professional. Researchers should note that health professional is defined narrowly.
Archiving purposes in the public interest, or scientific and historical research purposes, or statistical purposes
This will apply so long as technical and organisational measures are in place to provide appropriate safeguards for the rights of research participants, as described below, and provided the research is in the public interest. This public interest requirement is separate from, and additional to, that relating to the lawful basis for processing described above, i.e. the fact that public interest task is the lawful basis for processing is not sufficient to demonstrate that the processing of special category data is in the public interest.
Researchers should note that each of the conditions described above is in addition to any conditions which might be set by the applicable body for ethical review and approval. Ethics committees are generally alive to issues of data protection and in many cases their conditions will overlap with those discussed above, but ethics committees do not provide legal advice and cannot waive any obligation arising under the GDPR. Even so, the consideration given to data protection as part of the ethical review process will help to demonstrate the University’s compliance with the GDPR, and in particular the need to embed data protection requirements into processing activities (‘privacy by design’).
In view of the potential difficulties that researchers may have satisfying the higher standard of consent required under the GDPR, and the need to respect its withdrawal, the University recommends that researchers should not seek to rely on consent as their legal basis for the processing of personal data. For the same reason, it is recommended that researchers should not select explicit consent as their additional condition for legitimating the processing of special category data. Rather, it is recommended that researchers should rely on public interest task as the legal basis for the processing of personal data; and research as the additional condition for the processing of special category data.
There will continue to be a need to seek consent from participants in research in order to satisfy ethical considerations, but this will be separate from, and in addition to, the requirement under the GDPR to identify a lawful basis for the processing of personal data and to meet a condition for the processing of special category data. How the consent is sought in such cases will depend on the nature of the project. For small-scale projects that do not involve data of a sensitive nature, it may be sufficient to use an opt-out approach to obtain consent from participants, provided they have been given adequate information about the use of their data, in accordance with the enhanced transparency requirements outlined below. The rationale and justification for using an opt-out approach to recruitment and consent should always form part of any application for ethical review. For larger projects and/or for those involving special category data, it would be more appropriate to seek positive, opt-in consent, even where consent is not the legal basis for processing. However, in either case, care should be taken in the wording of such consent not to conflate the issues of consent to participate in the project and ‘consent’ to the University’s use of personal data under the GDPR.