Processing personal data for research (secondary)
Can we process personal data collected and processed lawfully for another purpose for research purposes as a secondary purpose?
This is possible if certain requirements are met, as explained below.
The GDPR explicitly permits re-purposing collected data for research.
Where the College as a controller collects personal data under a lawful basis, such as consent (or indeed any of the other lawful bases), the GDPR allows it to process the data for a secondary research purpose.
The GDPR also helps where, at the point of obtaining consent for the primary research processing, it is not possible to fully identify the purpose of processing for scientific research (e.g. a research project may evolve with time, thereby changing the nature of the research project). In that situation, controllers can use the GDPR (specifically Article 6(4)) to justify the processing.
Article 6(4) requires the controller to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, taking into account, among other things:
(i) any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;
(ii) the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller;
(iii) the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10;
(iv) the possible consequences of the intended further processing for data subjects;
(v) the existence of appropriate safeguards, which may include encryption or pseudonymisation.
To help with the Article 6(4) analysis, one can use Recital 50 of the GDPR which specifies (among other things) that:
“Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes should be considered to be compatible lawful processing operations.”
Note the ‘public interest’ requirement.
In addition to Recital 50, Article 5(1)(b) also helps in the research context – it says:
“Personal data shall be:
(a) … ;
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);”
Article 89 then sets out the safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes – these safeguards must ensure that technical and organisational measures are in place in particular in order to ensure respect for the principle of data minimisation. Those measures may include pseudonymisation provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes should be fulfilled in that manner.
Essentially, as currently envisaged, controllers that process personal data for research purposes must implement “appropriate safeguards” by putting in place “technical and organisational measures” to ensure that they process only the personal data necessary for the research purposes, in accordance with the principle of data minimisation.
Note also that when processing personal data for research purposes, the GDPR states that controllers should act “in keeping with recognized ethical standards for scientific research.”
The GDPR provides that one way for a controller to comply with the mandate for technical and organisational measures is through deployment of “pseudonymization.” Pseudonymization is “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organisational measures to ensure non-attribution to an identified or identifiable individual”. Pseudonymization is not always required but rather its use is encouraged “as long as [the research purposes] can be fulfilled in this manner”.
Unlike anonymous data, pseudonymous data remains subject to the remit of the GDPR. Many of the techniques traditionally used to protect privacy in research settings, such as key-coding, fall within the definition of pseudonymization and therefore remain subject to the GDPR. Anonymous data, by contrast, falls outside the scope of the GDPR.
Although this creates an incentive for controllers to anonymize data, determining whether data is anonymous is a fact-specific inquiry. The GDPR applies a standard, considering data anonymous only when it cannot be identified by any means “reasonably likely to be used ... either by the controller or by another person” (Recital 26). Thus, even if a researcher no longer has the ability to re-identify a data set, such data set may still be regulated under the GDPR if it could be re-identified with reasonable effort.