Most data protection laws around the world have a reference to processing personal data for historical (archiving), statistical or research purposes. The exact wording is slightly different in the different laws but they all really come down to the same thing. If you are processing personal data for research purposes, the law is less strict on you and you can do more with the personal data than you could if your purpose was something like direct marketing.

What exactly is personal data?

Personal data is any data that identifies a person. It is also called personal information in some jurisdictions.

How have data protection laws changed the way researchers process personal data?

There is definitely a heightened awareness amongst researchers that they must think about the consequences of processing personal data as part of their research. Research is often data-driven and researchers use lots of different kinds of data to conduct research. When that data includes personal data, researchers have to be thinking about data protection laws.

The sharing of personal data has become a lot harder and people are much more reluctant to do it. Each organisation that holds personal data needs to be asking themselves whether it is lawful to share it with others.

It has become more important for researchers to get consent from the data subject whose personal data they are processing although is important to remember that the law does not require researchers to get consent.

Who owns the data? This is a question that researchers, governments, funders and donors are starting to ask.

What to do differently when collecting data?

Not much actually. Data protection law does not require researchers to get consent and, generally speaking, you don’t even need to notify the data subject at the point of collection.

What is the impact on research methods?

The key one is to di-identify any personal data before you start conducting research using this data. If you anonymise or pseudonymise personal data, it is no longer personal data and you can then process that data without restriction. But remember the data needs to be anonymized to the extent that it cannot be re-identified so that you can not identify an individual.

Many researchers are using encryption in order to secure the personal data that they process.

Top tips for organisations doing research

  1. Data protection law has a much lower impact on research than what most people think. Don’t let data protection law stop you from doing research. There are some important considerations to keep in mind but, as a general statement, data protection law does not stop research.
  2. You must know your purpose. You must know why you are processing personal data. If you are processing for research purposes, there is leeway and, generally speaking, you are able to process personal data more extensively than if it was for other purposes.
  3. You must classify your data so that you know when you are processing different kinds of data and in particular it is important that you know when you are processing personal data.

Useful resources

  • The University of Leicester offers a course but it is outdated and based on the 1998 DPA.
  • The Institute of Education provides a checklist for researchers.
  • ESOMAR also have a checklist but it was only revised in 2017 so is a bit outdated.
  • The European University Institute offers a guide on Good Data Protection Practice in Research.
  • The section of POPIA on research.
  • Section 1798.105 Right to deletion of the CCPA that mentions research.
  • Article 89 of the GDPR dealing with safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.