Organisations (including the College) that process personal data (also known as “controllers”) must have a lawful basis for any processing activity.

Research is not explicitly designated as its own lawful basis for processing, so we need to look for a lawful basis that is appropriate in the circumstances. There are six lawful bases to choose from.

If no sensitive personal data will be collected and processed, then:

  1. The College should be able in most cases to carry out such data processing for the primary purpose of research on the lawful basis of processing set out in Article 6 (1)(e) of the GDPR namely that the processing is necessary for the performance of a task carried in the public interest i.e. the research in question;

  2. If processing necessary for the performance of a task carried out in the public interest is not made out on the facts of the case (e.g. because of the nature of the research), then processing may be justified on the basis that it is necessary for the purposes of the legitimate interests pursued by the College or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child;

Accordingly, it may not be necessary for College researchers to ask research data subjects for consent by default unless the above two bases have been considered and it has been concluded that neither applies in the context.

Note that whilst “necessary” in this context does not mean strictly necessary or mission critical for Imperial’s public interest task (it means reasonably necessary, in the sense of being a proportionate step that assists a legitimate aim), it would cease to be necessary in this sense if, for example, Imperial decided to use more personal data than it reasonably needed. Data minimisation issues therefore come into play, but should not be strictly interpreted against the research purpose if that makes the public interest research task unnecessarily harder.

At the same time, transparency requirements will require that, in order for any of this to be lawful, Imperial’s public task should be accurately reflected in the relevant privacy notice that describes where it processes personal data on that ground.

Where sensitive personal data will be collected and processed, then:

(1) In addition to going through the above analysis first, one then needs to go through additional requirements in the GDPR which prohibit the processing of sensitive personal data, unless:

(i) The data subject has given explicit consent.

(ii) The processing is necessary in the context of employment law, or laws relating to social security and social protection.

(iii) The processing is necessary to protect vital interests of the data subject (or another person) where the data subject is incapable of giving consent.

(iv) The processing is carried out in the course of the legitimate activities of a charity or not-for-profit body, with respect to its own members, former members, or persons with whom it has regular contact in connection with its purposes.

(v) The processing relates to personal data which have been manifestly made public by the data subject.

(vi) The processing is necessary for the establishment, exercise or defence of legal claims, or for courts acting in their judicial capacity.

(vii) The processing is necessary for reasons of substantial public interest, and occurs on the basis of a law that is, inter alia, proportionate to the aim pursued and protects the rights of data subjects.

(viii) The processing is required for the purpose of medical treatment undertaken by health professionals, including assessing the working capacity of employees and the management of health or social care systems and services.

(ix) The processing is necessary for reasons of public interest in the area of public health (e.g., ensuring the safety of medicinal products).

(x)The processing is necessary for archiving purposes in the public interest, for historical, scientific, research or statistical purposes, subject to appropriate safeguards.

The ones that are most likely to help in the College context are the ones in bold above but some of the others may also apply depending on the facts.

EU Member States may maintain or introduce further conditions, including limitations with regard to genetic data, biometric data or health data. So, we need to watch out the space on this on.

(2) In addition, if one is relying on processing being necessary for archiving purposes in the public interest, for historical, scientific, research or statistical purposes, subject to appropriate safeguards – appropriate safeguards for the rights and freedoms of the data subjects will need to be specifically considered - those safeguards shall ensure that technical and organisational measures are in place in particular in order to ensure respect for the principle of data minimisation. Those measures may include pseudonymisation provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes should be fulfilled in that manner.

Please note: Consent might still be necessary or appropriate as a primary processing basis regardless of the conclusions of the above analysis:

  • an ethics assessment, or a privacy impact assessment, had come to the view that consent was necessary or, at least, appropriate in the particular circumstances (e.g. due to its capacity for distress or intrusion);
  • other circumstances meant that the research was outside of Imperial’s public task and legitimate interests was not made out (for similar reasons); or
  • the processing was clearly unnecessary for the particular task; or
  • the processing was not transparent (e.g. if the nature of the research could not be supported on the basis of Imperial’s extant privacy notices). Of course for consent to be valid it would still need to be specific and informed; or
  • the research involved sensitive / special category personal data, hence more likely needing explicit consent – although on this see below.