Recent data protection laws, implemented across Europe in 2018, have implications for academic researchers. The Royal Historical Society recently published a set of guidelines to help researchers navigate the legal requirements around data protection. Here, Dr Katherine Foxhall, RHS Research and Communications Officer, explains how the new rules support research, and some of the key elements that historians should be aware of.
What is the GDPR?
The EU General Data Protection Regulation (GDPR) came into effect on 25 May 2018. It was designed to protect the online rights of individuals in relation to their personal data. In the United Kingdom, the GDPR was enacted through the Data Protection Act 2018 (UKDPA). Since then, GDPR has become a shorthand for talking about data protection requirements. These laws apply to anyone who collects information about a living individual, whether for employment, study, or on a freelance, voluntary or personal basis.
What do historians need to know?
1. Research is explicitly catered for in data protection laws
The good news is that research, broadly understood as advancing society’s collective knowledge and wellbeing, enjoys a privileged position within GDPR. As the new regulations were being developed, organisations urged the European Parliament and European Commission to protect research. In the UK, the British Academy and Economic and Social Research Council, along with social science associations, worked hard to ensure that the ‘public-focused nature’ and ‘critical social value’ of academic expression were shielded within the new GDPR, for example to prevent universities from interpreting the new regulations in a highly restrictive way through processes such as ethical review.
The European Data Protection Supervisor recently observed that: “respect for personal data is wholly compatible with responsible research”. GDPR specifically enables data collection and processing for “scientific or historical research purposes” or “statistical purposes”, allowing some exemptions from data subjects’ rights related to access, rectification, the restriction of processing and the right to object.
2. Research must be ethical
Exemptions for research assume the existence of widely-accepted and long-standing sector-related methodological and ethical standards for research. While ethical and professional codes of conduct and practice do not govern arts, humanities and social sciences in the same way as journalism and health research, as researchers we do have recognised methodological, ethical and professional norms that guide how social scientists and humanities scholars work. Examples include the European Commission’s guidance on Ethics in Social Science and Humanities, the RHS Statement on Ethics and the AHA’s Statement of Standards of Professional Conduct.
3. Follow the basic data protection principles
If a researcher’s use of personal data is for “scientific or historical research purposes” or “statistical purposes”, they must comply with the basic principles for the processing of personal data at the heart of data protection law.
Researchers need to ensure that they collect, process and store data:
- lawfully, fairly, and transparently
- for specific, limited purposes
- keeping the data collected to a minimum
- for no longer than necessary
- securely and accountably
4. Choose the right Legal Basis
In addition to following the basic principles, researchers must choose one legal basis for data processing. While consent may seem an obvious legal basis in cases such as oral history interviews, UKRI advises its researchers that while seeking consent from people to participate in a project is ethical and may be necessary for other legal reasons (e.g. for medical trials), consent as defined by the GDPR is not likely to be a lawful basis for processing personal data for research purposes. One important reason for this is that individuals have the right to withdraw consent. If consent is withdrawn, it is not usually then permissible to choose an alternative legal basis.
Instead, UKRI advises that academic researchers employed by UK higher education institutions, and/or whose work is funded by a research council or charity such as the Wellcome Trust, are likely to be able to choose “public task” as a suitable legal basis, reflecting that University Charters, and legislation such as the Education Reform Act 1988, explicitly provide for research. Using “public task” as a lawful basis, UKRI further notes, may also help to assure research participants that the organisation is credible and their personal data will contribute to a public good.
If “public task” is not available or appropriate (e.g. for independent research), then “legitimate interest” can provide a flexible and appropriate legal basis for data processing. A legitimate interest might include commercial interests, individual interests (including the interests of the researcher) or broader societal benefits. “Legitimate interest” will also likely be an appropriate legal basis for using material containing personal data in teaching, and for undertaking projects such as student dissertations, though students and staff must be made aware of their responsibilities as outlined in the basic principles.
5. Special Category (Sensitive) Personal Data
One important way that the value of research is balanced against the need to protect individuals is through the provisions for the processing of certain “special” categories of personal data. Previously known as “sensitive data”, this includes information about a person’s racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic or biometric data; health, sex life or sexual orientation. Processing of special categories of personal data is permitted if a lawful basis is identified and an appropriate separate condition that justifies processing special category data can be identified. The good news is that research is considered one of these appropriate conditions. Of course, it is still vital that researchers use any information carefully.
6. Special purposes exemptions
There is a second route to exemptions from the obligations of the GDPR and the UKDPA, beyond those allowed for research in general. This is through the provisions allowed for the category of “special purposes”. The 2018 regulations include academic purposes alongside journalistic, artistic or literary purposes, which had previously made up this category.
On the face of it, “special purposes” exemptions seem particularly attractive because they offer relief from a number of obligations relating to the basic principles of data protection, such as having to identify a lawful basis; conditions for consent; processing of special categories of data; and data subjects’ individual rights.
However, “special purposes” exemptions should be used with care. Data protection regulations are not independent of legislation such as the Human Rights Act (1998) and Equality Act (2010), and GDPR explicitly requires that regulatory codes and guidelines (such as BBC Editorial Guidelines and Ofcom Broadcasting Code) are followed. Recent analysis by legal specialists suggests that thresholds in these exemptions relating to “necessity” and publication are high.
Because academic purposes were a new addition to the pre-existing category of special purposes in 2018, the legal limits to the interpretation of the exemptions for academics have yet to be tested in the same way that privacy in journalism has in the Leveson Inquiry.
7. GDPR, Brexit and the EU
Following the UK’s withdrawal from the EU, the data protection regulations still apply; the government has incorporated a “UK GDPR” to sit alongside UK data protection law from 2021.
EU data protection rules apply in the European Economic Area (EEA), including all EU countries, Iceland, Liechtenstein and Norway. Because the GDPR is a mandatory framework for the development of legislation by individual member states, much of the information related to the UK will also be applicable to historians in EU countries, and researchers working with archives in the EU. If your work involves research in EU countries, international collaborators or data transfers, you must make sure that you comply with the individual laws of individual member states.
The main considerations for researchers using personal data – as they were before 2018 – are ethical and practical. Data must be collected for reasons that are clear, proportionate and necessary. Data must be protected against misuse, destruction or damage both before and after any resulting publications. Researchers must keep records, including about decisions that have been taken in relation to data. Researchers must not make decisions about individuals that are based solely on automated processing, and must use pseudonymisation and encryption where possible.
None of this represents a seismic shift in how researchers can use data. It does, however, represent an opportunity for researchers to review their methods and ensure that their use of personal data is fair, lawful, transparent, secure, and will not cause substantial harm, damage or distress to individuals.
This post is adapted from a post that originally appeared on the LSE Impact Blog, and has been updated to take into account the UK’s departure from the EU.
Until recently Katherine Foxhall was Research and Communications Officer for the Royal Historical Society, including work on open access, policy development and the Society’s equalities agenda work.