The General Data Protection Regulation (GDPR) has significant implications for academic researchers. The Royal Historical Society recently published a set of guidelines to help researchers navigate the legal requirements around data protection. Dr Katherine Foxhall, RHS Research and Communications Officer explains some of the key factors that researchers in SHAPE subjects should be aware of.

The EU General Data Protection Regulation (GDPR) came into effect on 25 May 2018, and was designed to protect the online rights of individuals in relation to their personal data. In the United Kingdom, the GDPR was enacted through the Data Protection Act 2018 (UKDPA). While the UK is within the transition period of its withdrawal from the EU, the GDPR still applies; the government has explained its intention to incorporate a “UK GDPR” alongside UK data protection law from 2021.

Data protection laws apply to anyone who collects information about a living individual, whether for employment, study, or on a freelance, voluntary or personal basis. So what do researchers in arts, humanities and social sciences need to know?

1.Research is explicitly catered for in the GDPR

The good news is that research, broadly understood, that advances society’s collective knowledge and wellbeing, enjoys a privileged position within GDPR. As the new regulations were being developed, organisations urged the European Parliament and European Commission to protect research. In the UK, the British Academy and Economic and Social Research Council, along with social science associations worked hard to ensure that the ‘public-focused nature’ and ‘critical social value’ of academic expression was shielded within the new GDPR, for example to prevent universities from interpreting the new regulations in a highly restrictive way through processes such as ethical review.

GDPR specifically enables data collection and processing for “scientific or historical research purposes” or “statistical purposes”, allowing some exemptions from data subjects’ rights related to access, rectification, the restriction of processing and the right to object.

Research, broadly understood, that advances society’s collective knowledge and wellbeing, enjoys a privileged position within GDPR.

2.Research must be ethical

Exemptions for research assume the existence of widely-accepted and long-standing sector-related methodological and ethical standards for research. While ethical and professional codes of conduct and practice do not govern SHAPE subjects in the same way as journalism and health research, researchers do have recognised methodological, ethical and professional norms that guide how social scientists and humanities scholars work. One example is the European Commission’s guidance on Ethics in Social Science and Humanities.

3.Follow the basic principles

If a researcher’s use of personal data is for “scientific or historical research purposes” or “statistical purposes”, they must comply with the basic principles for the processing of personal data at the heart of the GDPR. Thus, researchers need to ensure that they collect, process and store data:

• lawfully, fairly, and transparently
• for specific, limited purposes
• that only minimal data is collected
• for no longer than necessary
• securely and accountably

4.Choose a legal basis

In addition to complying with the basic principles, researchers must choose a legal basis for data processing. While consent may seem an obvious legal basis, UKRI advises its researchers that while seeking consent from people to participate in a project is ethical and may be necessary for other legal reasons (e.g. for medical trials), consent as defined by the GDPR is not likely to be a lawful basis for processing personal data for research purposes. One important reason for this is because individuals have the right to withdraw consent.

While ethical and professional codes of conduct and practice do not govern SHAPE subjects in the same way as journalism and health research, researchers do have recognised methodological, ethical and professional norms that guide how social scientists and humanities scholars work.

Instead, academic researchers employed by UK Higher education institutions, and/or whose work is funded by a research council or charity such as the Wellcome Trust, are likely to be able to choose “public task” as a suitable legal basis, reflecting that University Charters, and legislation such as the Education Reform Act 1988 explicitly provides for research. Relying on “public task” as a lawful basis, UKRI further notes, may also help to assure research participants that the organisation is credible and their personal data will contribute to a public good.

If “public task” is not available or appropriate (e.g. because a researcher is freelance), then “legitimate interest” can provide a flexible and appropriate legal basis for data processing which can include commercial interests, individual interests (including that of the researcher) or broader societal benefits. “Legitimate interest” will likely be an appropriate legal basis for using material containing personal data in teaching, and for projects such as student dissertations, though students and staff must be made aware of their responsibilities.

5.Special Category (Sensitive) Personal Data

One key way that research is protected in GDPR is in the provisions for the processing of certain “special” categories of personal data. Previously known as “sensitive data”, this includes information about a person’s racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic or biometric data; health, sex life or sexual orientation. Processing of special categories of personal data is permitted if a lawful basis is identified and an appropriate separate condition for processing special category exists. Research is considered one of these appropriate conditions.

6.Special purposes exemptions

There is a second route to exemptions from the obligations of the GDPR and the UKDPA. This is through the provisions allowed for the category of “special purposes”, which now includes academic purposes alongside journalistic, artistic or literary purposes. On the face of it, “special purposes” exemptions seem particularly attractive because they offer relief from obligations relating to the basic principles of data protection such as identifying a lawful basis; conditions for Consent; processing of special categories of data; and data subjects’ individual rights.

However, “special purposes” exemptions should be used with care. Data protection regulations are not independent of legislation such as the Human Rights Act (1998) and Equality Act (2010), and GDPR explicitly requires that regulatory codes and guidelines (such as BBC Editorial Guidelines and Ofcom Broadcasting Code) are followed. Recent analysis by legal specialists suggests that thresholds in these exemptions relating to “necessity” and publication are high. Because academic purposes were a new addition to the pre-existing category of special purposes in 2018, the legal limits to the interpretation of the exemptions for academics have yet to be tested.

Conclusion

As the European Data Protection Supervisor recently observed: “respect for personal data is wholly compatible with responsible research”. The key considerations for researchers using personal data are ethical and practical. Data must be collected for reasons that are clear, proportionate and necessary. Data must be protected against misuse, destruction or damage both before and after any resulting publications. Researchers must keep records, including about decisions that have been taken in relation to data. Researchers must not make decisions about individuals that are based solely on automated processing and use pseudonymisation and encryption where possible.

None of this represents a seismic shift in how researchers should approach their use of data. It does, however, represent an opportunity for researchers to review their methods and ensure that their use of personal data is fair, lawful, transparent, secure, and will not cause substantial harm, damage or distress to individuals.

Download the Royal Historical Society Guide to Data Protection and Historians in the UK.

Note: This article gives the views of the authors, and not the position of the LSE Impact Blog, nor of the London School of Economics. Please review our comments policy if you have any concerns on posting a comment below

Image credit: comfreak via Pixabay