Pondering, as one does, the likely impact of the General Data Protection Regulation on one’s working life, this Blogger has been trying to figure out how simple it will be to use personal data for research purposes (especially research in healthcare) after 25th May 2018 – the day on which the GDPR comes into force. Before you ask, whatever happens with Brexit, the timing is such that the GDPR will come into force in the UK.
The GDPR is similar and yet different to the present Data Protection Act. Similar in that the use of personal data is still governed by a series of principles and that processing of personal data must have a lawful basis. Different in the detail of the duties placed on data controllers and processors, the rights granted to individuals and the justifications available to show that data is being processed lawfully. For now, this Blogger is focussing on the research use context.
The GDPR allows some latitude for research uses. ‘Latitude’ is not the same as ‘get out of jail free’. If research users apply appropriate safeguards and data minimisation (limiting any processing to the extent necessary for the particular purpose) then some of the individual’s rights may be excluded. But the core principles of the GDPR still apply.
Today, consent is the researcher’s go-to justification for processing personal data. Under the DPA and the GDPR, processing is lawful if the individual has given consent. However, GDPR consent is a different animal to DPA consent. The GDPR sets higher standards in terms of information (specific uses and specific recipients should be listed) and record keeping. The GDPR is clear that it must be as easy to withdraw as to give consent – potentially really troublesome for a research project. The ICO’s draft guidance talks of obtaining granular consent that describes in advance all the proposed uses of the personal data and everybody who will have access to the personal data. The consent will have to be specific and records comprehensive. Under the DPA a researcher can be (fairly) comfortable with wording consenting to the use of personal data for a defined project ‘and other related research’. Under the GDPR, the researcher will have to describe the project (ie the intended use) and list all those that will have access to the personal data and explain which other projects the personal data may be used for. In effect, ‘if you’re not on the list, you’re not coming in’. Thankfully, a pragmatic ICO recognises that not all future research uses can be specified in advance and the guidance allows some scope to ‘do the best you can’.
The result of these changes? From the morning of 25th May 2018, existing consents may be rendered inadequate.
Can you hear the sounds of the research based economy grinding to a halt? Be afraid, but not petrified. Other possible means of demonstrating that processing has a lawful basis may be available.
First possibility is legitimate interest: GDPR treats processing as lawful to the extent that it is necessary for the purposes of the legitimate interests of the data controller as balanced against the impact on the individual concerned. An interest is the broader aim or stake that the controller has in the processing. It does not need to be described in advance but it will need to fall within the reasonable expectations of the individual.
The problem for healthcare research is that sensitive personal data (classified under GDPR as a ‘special category’), can only be processed where one of a separate list of exemptions applies. The special categories include data concerning health. This separate list of exemptions does not include legitimate interest: the legitimate interest justification does NOT justify the use of health data for research purposes.
Second possibility is that processing a special category of data is permitted where it is necessary for scientific research conducted in accordance with appropriate safeguards and where use of the data is proportionate to the research aim. Useful but the emphasis is on ‘necessary’, ‘appropriate safeguards’ and ‘proportionate’.
A third possibility is to use anonymous data. Like the DPA, the GDPR only applies to data relating to an identified or identifiable individual. Currently, individuals do not have to give their consent for their personal data to be anonymised. So, anonymise the data and all your problems fall away.
Inevitably, it is not that easy. How anonymous does the data have to be before it no longer relates to a living and identifiable individual? Today’s test is whether the anonymisation process is robust enough to be likely to defeat the efforts of the Motivated Intruder (about whom this Blogger has mused before). The problem is that big data makes more things possible. More pieces of the jigsaw are available to be found and linked together. The Motivated Intruder doesn’t have to try too hard.
Despite its difficulties, consent may still be a useful possibility. The GDPR permits processing of special category data where the individual has given explicit consent for a specified purpose. The granular nature of consent has already been considered: proposed uses must be specified in advance. In addition, the consent cannot be coerced – an outcome cannot be conditional on consent being given. This may be a problem for commercial providers (‘you can only use this service if you give me all your personal data’).
It is less likely to be a problem in the research world. Does ‘you must consent if you want to participate in this clinical trial’ amount to imposing a condition? Probably not. Research is not the provision of goods or a service. But the problem remains that it must be as easy to withdraw consent as it was to give consent in the first place. Consent is not a simple answer.
Clearly, researchers (and their admin support!) will have to plan carefully to comply with GDPR. That is not a Bad Thing: behind every data point there is an individual who deserves protection. In any case, facing more detailed provisions is not the same as being prevented from performing research. The GDPR is an intricate piece but, like eating an elephant, it can be dealt with in small chunks. So, as a starting approach for those wishing to use personal data in their research:
First, establish what data it is that you wish to process. Do you need to process all of it (data minimisation)? Could you use anonymous data instead?
Second, establish whether it is a special category of data (eg health data) and if so, whether the intended use is permitted by any of the available exemptions: including necessary for scientific research, consent (granular) or legitimate interest (but not for health data).
Third, if it is not a special category of data, or, if it is a special category but there is an exemption available, then check that the proposed processing is lawful. Essentially that means demonstrating that Article 6 of the GDPR is satisfied. That is worthy of a separate blog post in itself…