What to tell research data subjects
Although we may not be required to obtain the data subject’s consent for processing for research purposes, we remain bound by the GDPR’s notice requirements. The GDPR requires us to “take appropriate measures” to inform data subjects of the nature of the processing activities and the rights available to them. We are required to provide this information in all circumstances, regardless of whether consent is the basis for processing or not, “in a concise, transparent, intelligible and easily accessible form, using clear and plain language”.
Notice should be provided at the time the data is first collected. It must include the controller’s identity (the College, in our case) and contact details, the intended purposes of the processing, and, where applicable, the fact that the data will be transferred to another entity or to a third country. The College must also give notice of the data subject’s rights of access, rectification and erasure and of the right to object to processing, as well as “the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period.”
An updated notice should be provided where the College intends to further process the data for a different purpose, including for research. The subsequent notice must both state the new research purpose and explain again the data subject’s rights with regard to her/his data.
As noted above, providing up-front notice about research at the point of collection poses a challenge for researchers because of the difficulty of identifying research purposes in advance, especially in the context of big data. Unlike traditional research, where a researcher identifies a hypothesis and tests it against a data set, data mining techniques often search for correlations within data sets without the baseline of a specific test hypothesis. Thus, a researcher may not know the scope of her/his research until after the data has been collected and used. The GDPR acknowledges this challenge in Recital 33, which provides that data subjects should be able to “consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose.” This demonstrates that the GDPR permits more relaxed specificity in the notice provided for research processing.
Additionally, a researcher may be exempt from the notice requirement if she/he received the personal data from someone other than the data subject, for example where the data came from a publicly available source. Article 14 exempts controllers (such as the College) in these circumstances if “the provision of such information proves impossible or would involve a disproportionate effort,” which “could in particular be the case” in the research context. A researcher may also claim exemption if providing notice would be “likely to render impossible or seriously impair the achievement of the [research] objectives.” In either case the controller must still take appropriate measures to safeguard the data subject’s rights, freedoms and legitimate interests, “including making the information publicly available”.
If you are proposing to engage in medical/health research, you can use this Medical Research Privacy Notice template [Word] (which is drafted to comply with both the GDPR and HRA requirements). For other research (i.e. not medical/health research) that involves processing personal data, you can use this Non-medical research privacy notice template [Word].