What requirements and safeguards must we have in place?
We are currently consulting on this draft guidance - our consultation is open until 05 May 2026.
Latest updates - 27 February 2026
27 February 2026 - this draft guidance was published.
At a glance
- The UK GDPR sets out some specific requirements for processing carried out for RAS purposes.
- You must be able to show that any processing for RAS purposes, apart from data collection or anonymisation, is essential – that is, you could not fulfil your research purposes without it.
- You must have appropriate safeguards in place. These protect the rights and freedoms of the people whose personal information you are processing.
- You must have technical and organisational measures in place to ensure respect for the principle of data minimisation.
- Where possible, you must carry out your research using anonymous information. This information is not personal information and data protection law does not apply.
- Where it is not possible to use anonymised information, you should consider whether it’s possible to pseudonymise the information. Pseudonymous information is still personal information and data protection law applies.
- You must not use the RAS provisions if the processing is likely to cause someone substantial damage or substantial distress.
- You must not use the RAS provisions if you’re carrying out the processing for the purposes of measures or decisions about particular people, unless the research is approved medical research.
In detail
What does the law say?
Article 84B of the UK GDPR sets out some additional requirements if you’re processing for RAS purposes. It says:
“Personal data may only be processed for RAS purposes if—
(a) the processing consists of the collection of the personal data (whether from the data subject or otherwise),
(b) the processing is carried out in order to convert the personal data into information which can be processed in a manner which does not permit the identification of a data subject, or
(c) without the processing, the RAS purposes cannot be fulfilled.
2. Processing of personal data for RAS purposes must be carried out subject to appropriate safeguards for the rights and freedoms of the data subject.”
This means you can collect or anonymise personal information for RAS purposes. For anything else, you must be able to show that you couldn’t fulfil your RAS purposes without using personal information.
Article 84C gives more detail about the safeguards you must have in place for people’s rights and freedoms:
- You must not carry out processing likely to cause substantial damage or substantial distress to the people whose personal information you’re using;
- You must not carry out processing to inform measures or decisions about the people whose information you’re using, except in the case of approved medical research;
- You must have technical and organisational measures in place to ensure respect for the principle of data minimisation. This may involve, where possible, anonymising or pseudonymising information.
What is anonymisation?
Article 84B of the UK GDPR states that you can only process personal information for RAS purposes if you couldn’t fulfil your purposes without it. If you can carry out your research using anonymised information, then you don’t need to process personal information. Therefore, before beginning your research, you must consider whether you can anonymise the information first.
Anonymous information is not personal information. Data protection law doesn’t apply.
Anonymisation refers to the techniques and approaches that aim to ensure the information:
- isn’t about an identified or identifiable person; or
- is anonymous in such a way that people aren’t (or are no longer) identifiable.
However, anonymised information may not fulfil your research purposes. For example, if you’re tracking people in a study that takes place over multiple time points, then aggregated or anonymous information might make the research impossible.
What is pseudonymisation?
Where you cannot use anonymised information, you should consider whether you could pseudonymise the information.
Pseudonymisation is the processing of personal information so that you can no longer attribute it to a person without the use of additional information. This means that people are not identifiable from the dataset itself. However, you can still identify them by referring to other, separately held information.
Pseudonymous information is still personal information and data protection law applies.
You should ensure that you anonymise or pseudonymise personal information at the earliest possible opportunity. Ideally, you should do this prior to using the information for research purposes.
When is processing likely to cause substantial damage or substantial distress?
Article 84C says that you must not use the RAS provisions if the processing is likely to cause substantial damage or substantial distress to the person whose information you are using.
The legislation does not define what it means by substantial damage or substantial distress.
However, in most cases, substantial damage can include both material and non-material harms, such as:
- financial loss;
- economic or social disadvantage;
- physical harm;
- damage to reputation;
- loss of confidentiality; or
- deprivation of rights.
Substantial distress can include:
- severe upset; and
- emotional or mental pain.
It goes beyond annoyance, irritation, or strong dislike.
What does ‘not used for measures or decisions about the people whose information you are using’ mean?
Most research has some influence on how organisations take future measures and decisions. It does this by generating new insights that inform policy-making, or producing new techniques and processes that change how organisations offer services.
These are legitimate objectives for research to pursue. Processing which aims to change how organisations take future measures and decisions can often rely on the RAS provisions.
However, article 84C of the UK GDPR says that you must not use the RAS provisions if you are carrying out processing for the purposes of measures or decisions with respect to the people whose information you are using, unless the research is approved medical research. This means you must not rely on the research provisions if you intend to use the information you’re processing, and the results of your research, to:
- make specific decisions about the people involved; or
- inform the services you provide to them.
It also means that if you rely on the RAS provisions to justify keeping personal information past your normal operational retention periods, you can’t later decide to reuse that information to make decisions about the people involved. You can only use it for research.
This doesn’t mean you can’t do research where the principal aim is to change how organisations make future decisions. Many research projects have practical application, or aim to influence how we treat people. However, you must not use the findings of your research to:
- provide specific, individualised services to any subject of your research; or
- make specific decisions about them.
The only exception to this is approved medical research. This means medical research approved by a research committee recognised or established to assess the ethics of research involving people by:
- the Health Research Authority; or
- another body appointed by:
  - the Secretary of State, the Scottish Ministers, the Welsh Ministers or a Northern Ireland Department;
  - in England, an NHS trust or NHS foundation trust;
  - in Wales, an NHS trust or Local Health Board;
  - in Scotland, a Health Board, Special Health Board or the Common Services Agency for the Scottish Health Service;
  - in Northern Ireland, a Health and Social Care body as defined by Section 1(5) paragraphs (a) to (e) of the Health and Social Care (Reform) Act (Northern Ireland) 2009;
  - United Kingdom Research and Innovation or one of the Research Councils; or
  - a research institution as defined by Chapter 4A of Part 7 of the Income Tax (Earnings and Pensions) Act 2003.
What other safeguards do we need to have in place?
Article 84C of the UK GDPR explicitly mentions data minimisation, including anonymisation and pseudonymisation, as appropriate safeguards. You must have these in place when you are processing personal data for research-related purposes. However, these are not the only safeguards you need to consider.
What counts as an ‘appropriate’ measure depends on the purposes of your processing. For example, you may find data minimisation and anonymisation inappropriate when processing for archiving purposes in the public interest. This is because such measures risk compromising the integrity and authenticity of the records. You should ensure you adopt the appropriate technical and organisational measures for your context and purposes.
There are a range of technical and organisational measures you can use. These may include:
- taking a ‘data protection by design and default’ approach to your processing activities;
- implementing appropriate security measures;
- carrying out DPIAs, where necessary;
- appointing a data protection officer, where necessary;
- providing appropriate levels of staff training;
- using privacy-enhancing technologies eg trusted research environments; and
- using accountability frameworks such as the Five Safes Framework.