Data Protection & Freedom of Information Office

Lawful Basis

A lawful basis for processing must be identified in order to use personal data for scientific or historical research purposes.

• In most cases, processing personal data for research purposes is likely to be considered necessary for the performance of a task carried out in the public interest (Article 6(1)(e)), as research is a component of the University's public tasks.

In addition, a second legal basis is required when processing special categories of personal data.

• In most cases, processing of special categories of personal data is likely to be considered necessary for scientific or historical purposes, as long as appropriate safeguards are in place to protect the data (Article 9(2)(j)). 

Whilst obtaining the consent of data subjects is part of the ethics approval process, consent is not an appropriate lawful basis for processing personal data for research.

This is because the extensive rights granted to an individual who has consented to the use of their data may adversely impact the reuse of research data and completion of research projects.

Exemptions

Personal data processed for scientific or historical research or statistical purposes are exempt from the following data subject rights:

• Right of access (if results will not identify individual data subjects)
• Right to rectification
• Right to restriction
• Right to erasure
• Right to objection of processing (if "public interest" was the lawful basis for processing)

All exemptions are only relevant if the exercising of these rights would seriously impede or impair the completion of the research and appropriate security and organisational safeguards are in place.

Where personal data is not obtained directly from the data subject, researchers are exempt from providing privacy notices if:

• provision of the notice would be impossible or involve a disproportionate effort; or
• provision of the notice would seriously impair the research.

However: