Research with personal data and special categories of data
The data protection legislation contains provisions and exemptions for the processing of personal data and special categories of data specifically for scientific or historical research purposes.
Processing data for scientific or historical research purposes requires appropriate technical and organisational safeguards, such as data minimisation, pseudonymisation and secure storage.
Please refer to our Research Checklist page for more information.
Lawful basis for processing
A lawful basis for processing must be identified in order to use personal data or special categories of data for scientific or historical research purposes.
In most cases, processing personal data for research purposes is likely to be considered necessary for the performance of a task carried out in the public interest (Article 6(1)(e)), as research is a component of the University's public tasks.
In most cases, processing of special categories of personal data is likely to be considered necessary for scientific or historical purposes, as long as appropriate safeguards are in place to protect the data (Article 9(2)(j)).
The consent of the data subjects must be obtained as part of an ethics application, however consent is not the most appropriate lawful basis for processing personal data for research. The extensive rights granted to an individual who has consented to the use of their data may adversely impact the reuse of research data and completion of projects.
Exemptions relating to research data
Personal data processed for scientific or historical research or statistical purposes are exempt from the following rights:
- Right of access, if results will not identify individual data subjects,
- Right to rectification,
- Right to restriction,
- Right to erasure,
- Right to objection of processing, if "public interest" was the lawful basis for processing
All exemptions are only relevant if the exercising of these rights would seriously impede or impair the completion of the research and appropriate security and organisational safeguards are in place.
Where personal data is not obtained directly from the data subject, researchers are exempt from providing privacy notices if:
- Provision of the notice would be impossible or involve a disproportionate effort, or
- Provision of the notice would seriously impair the research
- Technical and organisational safeguards must be in place to protect the data, and
- Relevant data subject rights must be protected, and
- The relevant notice information should be made publically available