Updated 21 February 2019
This guidance note, designed to be read in conjunction with UCL’s ‘’ (Original Guidance), provides further information on the ‘appropriate safeguards’ that must be put in place where either:
- personal data;
- special categories of personal data; or
- personal data relating to criminal convictions or offences,
are processed at UCL in a research context.
This document was last updated on 8 November 2018. It may be updated further as relevant guidance on the issues raised is published by the UK Information Commissioner’s Office (ICO).
Personal data means any information relating to an identified or identifiable living individual. The definition of personal data in law is broad and covers direct identifiers (like a person’s name) and indirect identifiers (like a full postcode). An identifiable individual is one who can be identified:
‘…directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’
[GDPR, Article 4]
Pseudonymised personal data means:
‘...personal data [that] can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person'
[GDPR, Article 4]
Anonymised data is data which does not relate to an identified or identifiable natural person or personal data that has been rendered anonymous in such a manner that the data subject is not or no longer identifiable.
Special categories of personal data means:
‘…personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation’
[GDPR, Article 9]
Like our Original Guidance, this guidance applies only to researchers who are processing personal data as defined above.
If you are processing anonymised data as part of your research, this guidance does not apply to your work.
If you are processing pseudonymised personal data as part of your research, then this guidance applies to your work.
- What are the requirements relating to 'appropriate safeguards' in data protection legislation?
Under data protection legislation, ‘appropriate safeguards’ must be put in place where personal data is processed for research purposes. This is important because if these safeguards are not put in place, then researchers cannot benefit from a series of research-specific exemptions from powerful individual rights that could significantly impair their research project. This is explained further in (iv) below.
This section will explain the requirements relating to appropriate safeguards in further detail.
(i) Background: legal basis for processing personal data in a research context
Researchers at UCL should generally rely on the following as their legal bases for processing:
- all personal data: Article 6(1)(e) of the GDPR , i.e. the ‘public task’ basis. For further information on this, please see UCL’s Statement of Tasks in the Public Interest
- special category data: Article 9(2)(j) of the GDPR and Schedule 1, paragraph 4 of the DPA 2018, ie for research purposes; and
- personal data relating to criminal convictions or offences: Article 10 GDPR and Schedule 1, paragraph 4 of the DPA 2018, ie for research purposes.
Where the ‘research purposes’ basis is used, the processing must be:
- necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
- carried out in accordance with Article 89(1) of the GDPR, as supplemented by section 19 DPA 2018; and
- (in respect of special category data) in the public interest.
(ii) Article 89(1) GDPR
Article 89(1) of the GDPR states that processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, must be subject to ‘appropriate safeguards’ for the rights and freedoms of the data subject.
The safeguards specified under Article 89(1) GDPR include:
- putting in place technical and organisational measures to protect the rights and freedoms of data subjects, including measures to ensure data minimisation e.g. pseudonymised personal data; and
- where the purposes of the research can be fulfilled by using anonymised data, then anonymised data should be used.
In the UK, the requirements of Article 89(1) GDPR will not be met unless the provisions of Section 19 DPA 2018 are also complied with.
(iii) Section 19 DPA 2018
Section 19 DPA specifies that the processing must not:
- cause substantial damage or distress to individuals; or
- support measures or decisions with respect to a particular individual, unless the purposes for which the processing is necessary include the purposes of ‘approved medical research’.
The term ‘approved medical research’ has a specific definition in the DPA 2018 which includes medical research carried out by a person who has approval to carry out that research from:
- a research ethics committee recognised or established by the Health Research Authority;
- a relevant NHS body e.g. an NHS trust or NHS foundation trust; or
- United Kingdom Research and Innovation or a body that is a Research Council for the purposes of the Science and Technology Act 1965.
Approved medical research falls under the UK Policy Framework Health and Social Care Research and more information can be found . If you think that your research falls within the definition of ‘approved medical research’, this should be highlighted when you are applying for data protection registration and ethical approval through UCL. The steps for these procedures can be found .
(iv) Exemptions from certain data protection law obligations
The GDPR and the DPA 2018 provide for several exemptions from the rights of data subjects where personal data is processed in a research context, provided the requirements of Article 89(1) and section 19 DPA 2018 are fulfilled.
Where appropriate safeguards are in place, researchers may benefit from exemptions to the following GDPR provisions relating to data subject rights:
- Article 15(1) to (3) GDPR (confirmation of processing, access to data and safeguards for third country transfers);
- Article 16 GDPR (right to rectification);
- Article 18(1) GDPR (restriction of processing);
- Article 21(1) GDPR (objections to processing).
Please note that these exemptions can only be relied upon to the extent that the application of the above GDPR provisions would seriously impair the achievement of your specific research purposes.
You must contact the data protection team immediately if you receive any requests from data subjects wishing to exercise their rights.
- Summary of appropriate safeguards to be implemented by UCL researchers
Taking into account the legislative provisions set out above, UCL researchers must implement the following ‘appropriate safeguards’ when carrying out research, in particular research involving the processing of special category information or personal data relating to criminal convictions or offences:
- Third party governance requirements
Please note that specific guidance on appropriate safeguards has been produced by bodies such as the Medical Research Council (see ) and the Health Research Agency (see ). If your research is subject to the governance requirements of any third party such as the HRA or MRC, then you will need to comply with both this UCL guidance note and all relevant requirements imposed by that third party.
- What to do if there is a security breach of personal data
If there is a security incident involving personal data, you must report it immediately. Follow .
- Further guidance
We hope that you find this guidance helpful. If you require any further information on the issues raised in this document, please use the following contact details:
- for data protection enquiries, please contact the data protection team at ; or
- for ethics enquiries, please contact the ethics team at .
- for information governance queries, please contact ISD Information Governance services firstname.lastname@example.org