Government’s UK_GDPR proposals for research are unethical and unsafe

This blog concerns the Government’s proposals for the processing of personal data for research purposes; they are unreliable, untrustworthy and unethical. For instance, I show how the proposals are so “flexible” they can allow for secret research, using special category of personal data or criminal offence personal data, similar to the “research” that gave rise to the Cambridge Analytica scandal.

The proposals relating to research

The commentary is limited to the proposals in Section 1.2 (paragraphs 34-50) of the DCMS consultation document: “Data: a new direction” (the “Consultation”).  These proposals can be summarised by the following set of questions:

  1. Should the research elements of the UK_GDPR/DPA2018 be consolidated in one place in a revised DP law?
  2. Should there be a definition of “scientific research”?
  3. Should the A.6 lawful basis of consent of the data subject for one scientific research project be considered as allowing the personal data to be re-used for another scientific research project?
  4. When should the A.6 lawful basis for research in Universities be “in the public interest” (A.6(1)(e))?
  5. Should a new lawful basis be created to cover research in general?
  6. Should an exemption from the right to be informed (replicating A.14(5)(b)), which relates to the processing of personal data for a research purpose, be inserted into A.13?
  7. What should be the safeguards for the research purpose?

I note the emphasised comment at paragraph 34 of the Consultation: that “the UK is ranked second in the world for science and research”.  This goes to show that the previous data protection regimes were not a hindrance to “science and research”  and, given COVID,  I doubt whether the UK_GDPR has had time to actually change this conclusion.

This accounts for the paucity of evidence that supports the proposed changes.  It also explains why the Government has to repeatedly ask: “Please explain your answer and provide supporting evidence where possible”.

The proposal to consolidate the legal text

The first issue (very minor) relates to the consolidation of the data protection law concerning the scientific research purpose; it arises because the relevant provisions are scattered across the UK_GDPR and DPA2018.  Currently these provisions can be found at A.5 and A.89 of the UK_GDPR and S.19, Schedule 1 [Para 4];  Schedule 2 [Para 27] of the DPA2018.

However, any consolidation will result in three or four pages of dense legal text.  This is to be compared with different components of “scientific research” (e.g. relation with the Principles; exemptions) each having its own, more manageable, bite-sized texts.  In summary, it’s a question of: “You pays your money and takes your choice”.

The proposal for a definition of “scientific research”

I am unconvinced that scientific research needs defining as the Government proposes, because there is a broad non-exhaustive specification in Recital 159 (R159) which has interpretive effect.

R159 says the term “scientific research purpose” should “be interpreted in a broad manner” which “includes” a long list of things (e.g. “fundamental and applied research”; “privately funded research”).  To be honest, the Government’s intended non-exhaustive list may be longer but I cannot see how that non-exhaustive list is broader than that already specified by R159. 

Perhaps the intent is to define research in terms not specified in A.89 or R159 (e.g. include market research; research into AI algorithms).  This doubt arises because the Consultation is silent on what it means by “research” so we have to trust the Government on what it means.

In addition, inclusion of a Government definition could raise its non-application to social sciences research.  For instance: “Is a social science research purpose an example of a scientific research purpose?”:  Mrs Thatcher thought the answer was a firm “no”.

It is easy to see the populist Rt Hon. Nadine Dorries, the new data protection supremo at the DCMS, throwing a spanner in the works in relation to University academics and their research into the impact of Government social policy (e.g. on poverty, criminology, food banks, employment etc). I suspect this could be a political opportunity too good to miss.

So my answer to Q1.2.3 is “no” because the change is not needed.  In addition, Q1.2.3 is incorrectly worded; it poses a question about an exhaustive list for the definition of scientific research purpose when R159 clearly shows, via the word “includes”, that this list is non-exhaustive.  The answers to this question will be clearly unreliable.

The proposal with respect to data subject consent

I am of the view, contrary to that expressed in the Consultation, that data subject consent for scientific research purposes currently allows for personal data to be used or disclosed for other forms of scientific research.  The Consultation claims the use of consent needs clarity; its text reads as if current consent is limited to a particular science research project  (and not the scientific research purpose as specified in R159 as a whole).

It follows that the answer to Q1.2.8 of the Consultation is “strongly disagree” as the proposed change in relation to data subject consent is not needed.  This is especially the case as Recitals 156-163 set out a great deal of flexibility for researchers who obtain consent. (Researchers should read these Recitals before replying to the Consultation as they are not covered in detail).

Article 6 states the processing is lawful when “the data subject has given consent to the processing of his or her personal data for one or more specific purposes” where the specific purpose under discussion is the “scientific research purpose”. “Processing”, remember, includes “use”, “retention” and “disclosure” for a scientific research purpose which is itself broadly defined (see previous heading above).

In short, I cannot see why personal data provided to the controller for a scientific research purpose with the data subject’s properly informed consent, cannot be used, disclosed or retained by that controller for its own further scientific research projects.

This is because the purpose of the processing has not changed from the scientific research purpose,  and because the controller, when obtaining consent at the outset, should be able to specify, in general terms, the use for a range of future scientific research projects and any consequent disclosure and retention etc (as mentioned in R159).

This includes when explicit consent is sought for the processing of special category of personal data or for the transfer of research data outside the UK.   If other controllers become involved in the scientific research, I cannot see why this cannot also be covered in the original obtaining of consent from the data subject.

If that new scientific research project comes along at a later time, there should be no compatibility issues as the compatibility test in A.6(4) is not required when the processing is based on the data subject’s consent (which it is). In other words, contrary to the Consultation’s assertion, I cannot see the compatibility problem with data subject consent that is raised by paragraph 48 of the Consultation – so long as the original consent is properly formed.

Even if there were to be compatibility issues and consent could no longer be relied upon to be the correct lawful basis, A.6(4) compares the purpose of obtaining with the new further purpose in circumstances where that purpose has not changed from scientific research purpose. So the further processing is very likely to be compatible.

This position becomes more certain, if pseudonymisation (as defined by A.4(5)) and other data protection controls (e.g. data minimisation) are used to protect the data subject’s interests.

Proposal for a lawful basis for research

The discussion concerning consent will become redundant if the Government proposal to add a new lawful basis for research is enacted. I cannot see many controllers pussyfooting around with data subject consent if the Government legislates for a lawful basis that does not need any consideration of consent at all.

In summary, a “research” lawful basis would become the “go to” alternative to the lawful bases of “consent” (A.6(1)(a)), “public interest” (A.6(1)(e)) and “legitimate interests” (A.6(1)(f)).  Such a “research” lawful basis will have four important implications:

  • It avoids the consent lawful basis and therefore avoids the data subject’s ability to withdraw from the research without providing a reason. The other attributes of consent (e.g. fully informing the data subject; proof of data subject agreement to the processing etc) can also be ignored.
  • It removes the restriction that University scientific research has to be “in the public interest” as any old private interest will do.
  • It avoids the balancing test between the legitimate interests of the controller and data subject’s interests and indeed whether the research can be classified as possessing a “legitimate interest” on the part of controller or Third Party.
  • It specifies that the controller’s research interests will always prevail irrespective of the consequences for data subjects as the right to object is negated.

A research lawful basis would also negatively impact on rights as the right to object (A.21) and the right to erasure (A.17) are negated.  The right to be informed (A.13) might be negated (see next section) and if the research exemption applies, the right of access (A.15), right to rectification (A.16) and right to restrict (A.18) might also go (see Schedule 2, Part 6 of the DPA2018).

I respectfully suggest that this bonfire of rights and other negative implications identified above do not comprise “world leading data protection standards” as claimed in the Ministerial Foreword to the Consultation.

The absence of transparency

The Consultation proudly states that its proposals “will also improve transparency for individuals” (e.g. in paragraph 44).  Hence, it appears somewhat contradictory to discover that such “improved transparency” is to be achieved by introducing a new exemption from the data subject’s right to be informed.

The proposition is to insert an exemption, based on Article 14(5)(b), into Article 13 which is “limited only to controllers processing of personal data for research purposes” (paragraph 50 of the Consultation).

Technically if the new exemption is similar to A.14(5)(b), it will exclude the right to be informed when personal data are collected from the data subject  in circumstances when providing transparency information involves disproportionate effort.  This is a contradiction as when personal data are collected from the data subject,  it can’t be disproportionate effort to contact the data subject!

However, the Consultation’s text then conflates A.14(5)(b) with A.14(4) to say that this new exemption from the right to be informed only applies when there is further processing for the research purpose where that further research processing arises after the collection of personal data from the data subject, who can be then not informed of the further research purpose because it involves disproportionate effort.

Despite this confusing text, one can definitely conclude that if one controller is processing personal data for a further research purpose and then discloses these personal data to another controller for its research purpose, it appears that there are going to be circumstances when there is no need for either controller to inform the data subject about the research purpose (i.e. as both the proposed new exemption and the existing A.14(5)(b) exemption apply).

When these circumstances arise, the research becomes secret.

Making Cambridge Analytica the “research” standard?

I now show that the Consultation’s “public interest” proposals allow for special category of personal data to be used secretly for research purposes.

Let us suppose a University Department has already collected student personal data and has given the right to be informed notice in accordance with A.13.  Suppose in future, it wants to do research into student browsing habits on the Internet undertaken on the University’s computers; this is the further processing for a research purpose which occurs after the collection of personal data.

Suppose further this research has no impact on the students and there are 25,000 students involved: this should trigger the disproportionate effort requirements that ensure the proposed new exemption from transparency applies (see above).

As the Government propose that “University research projects rely on tasks in the public interest”,  A.6(1)(e) provides the lawful basis for the further processing  (e.g. it is lawful for the University to process student identifiers, logon details and internet browsing history for research).  The University does not inform the data subject about the further processing as explained in the previous paragraph.

If students visit websites that reveal health, mental health, sexual orientation etc, this is still lawful because Schedule 1, paragraph 4 permits the processing of special category of personal data and criminal offence personal data for a scientific research purpose in the “public interest” (which it is, if these proposals see the light of day).

Compatibility is not a barrier: paragraph 48 of the Consultation tells us that “further use of data for research purposes is always compatible with the original purpose and lawful under Article 6(1)”.

If the student finds out and starts being a nuisance, the “bonfire” of rights described above protects the controller’s research interests from prying eyes.

Such research comprises surveillance of University students and their internet use to discover their personality traits and very personal characteristics (e.g. sexuality).   This is exactly the sort of research that was the precursor to the Cambridge Analytica scandal, which started life as academic research into browsing habits, using Facebook, at Cambridge University.

In other words, the Government’s proposals permit Cambridge Analytica type research, undertaken in secret, that is in the “public interest” where rights of data subjects are exempt.

Don’t worry: the Consultation states that privacy is not at risk because “world leading data protection standards” apply to such processing.

Concluding comments

Many researchers start from the assumption that their research is ethical; I think the Government proposals are a million miles from anything remotely approaching ethical.

Ethical research needs the trust of data subjects; the Government’s proposals erode that trust. Ethical research needs to take account of the concerns that data subjects might have; the Government’s proposals allow for those concerns to be exempt from consideration.

Most researchers want those who they research to engage with their research; the Government’s proposals deliver disengagement from that research.

Oh I forgot to answer the question: “What should be the safeguards for the research purpose?”. The safeguards are the ones specified in A.89 (the promotion of anonymisation, pseudonymisation and data minimisation where possible) and definitely not this set of proposals.


All materials on this website are the copyright of Amberhawk Training Limited, except where otherwise stated. If you want to use the information on the blog, all we ask is that you do so in an attributable manner.