To process special category personal data, in addition to identifying a lawful basis for processing, as described above, researchers must satisfy one of a further set of conditions. The conditions most relevant to research projects are:
Consent to use special category personal data requires the research team to obtain that consent explicitly. This means that the consent must be provided in the form of an express statement to that effect (‘I consent to my data being processed for…’). As above, data subjects must have the right to withdraw their consent at any time.
This applies where an individual deliberately makes special category personal data about themselves public. By making the information public, the individual has effectively waived their privacy interests in the information, but researchers still need to abide by the duty of fairness as described above.
In this context, ‘medical purposes’ means the purposes of preventative or occupational medicine, the assessment of the working capacity of an employee, medical diagnosis, the provision of health care and treatment, and the management of healthcare services. The condition applies where the processing is pursuant to a contract with a health professional. Researchers should note that ‘health professional’ is defined narrowly.
Archiving purposes in the public interest, or scientific and historical research purposes, or statistical purposes
This will apply so long as technical and organisational measures are in place to provide appropriate safeguards for the rights of research participants, as described below, and provided the research is in the public interest. This public interest requirement is separate from, and goes beyond, that relating to the lawful basis for processing described above, i.e. the fact that the public interest task is the lawful basis for processing is not sufficient to demonstrate that the processing of special category data is in the public interest.
Researchers should note that each of the conditions described above is in addition to any conditions which might be set by the applicable body for ethical review and approval. Ethics committees are generally alive to issues of data protection and in many cases their conditions will overlap with those discussed above, but ethics committees do not provide legal advice and cannot waive any obligation arising under the GDPR. Even so, the consideration given to data protection as part of the ethical review process will help to demonstrate the University’s compliance with the GDPR, and in particular the need to embed data protection requirements into processing activities (‘privacy by design’).