I want to find out more about re-purposing personal data and use it for research purposes
It is possible to reuse personal data for a new purpose provided it is ‘compatible’ (very similar) to the original purpose the personal data was collected for.
For further processing or repurposing of personal data for research purposes, it is automatically considered to be compatible with the original purpose for processing. This means personal data collected for one purpose can be re-used if it is being used for scientific or historical research purposes archiving purposes in the public interest, or for statistical purposes.
Managing re-purposing personal data for research purposes
To re-purpose and use existing personal data for research purposes, you will need to:
1. Show that the processing is necessary to achieve the outcome.
Do not use personal data if you could reasonably achieve the same research outputs without using personal data, it must be more than 'just useful' or 'because it’s always been done'
Consider:
- Does this processing help to further the outcome you’re aiming to achieve?
- Is there another less intrusive way to achieve the same result?
2. Confirm that the re-purposed personal data will be used for research purposes.
Research purposes are broadly interpreted and include for social sciences, humanities and the arts, and technological development, as well as for demonstration. It is likely to fit within a research purpose if the purpose is to:
- Ensure the permanent preservation and usability of records of enduring value for general public interest (archiving).
- Provide innovative solutions to problems, generate new understandings or insights that add to knowledge on the subject matter (scientific or historical research).
- Generate statistics that may be used for further purposes, including scientific research (statistics).
Consider, will the personal data be processed:
- To secure records for future educational use?
- Because there is a long-term benefit to society to preserve personal information?
- To produce new knowledge or apply existing knowledge in novel ways?
- To formulate and test hypotheses?
- To interpret and analyse data?
3. Decide your lawful basis for processing personal data
If the personal data being re-used for a research purpose, was originally collected by º¬Ðß²ÝÊÓƵ, use the original lawful basis as the legal justification for the new processing activity, unless the original lawful basis was consent.
Consent must always be specific and informed, meaning personal data can only be processed for the purposes the individual consented to. If you wish to conduct research using data originally collected for a different purpose on the basis of consent, you will need to ask for new consent. If you want to re-use personal data collected by another organisation using consent as their lawful basis, they will need to obtain permission from the individuals before sharing it with you.
Consider:
- Consent as a lawful basis for processing personal data is different and separate to gaining ethical consent to participate in research,
- Where did the personal data originate from? Will it be provided by a separate organisation or was it originally collected by the University?
- Personal data collected using consent as the lawful basis cannot automatically be repurposed and re-used for research activities.
4. Ensure safeguards are put in place to protect the personal data.
There must be technical and organisational measures in place to safeguard individuals’ personal data, in particular to ensure their data isn't processed unnecessarily.
If sensitive special category data will be processed, a Data Protection Impact Assessment must be completed to evaluate and mitigate, or remove possible risks and issues.
Consider:
- Only collect the personal data needed to complete the research, do not collect additional data in case it might be useful.
- Where it is possible, use anonymised or pseudonymised personal data. According to the UK GDPR, pseudonymised data is personal data. However, pseudonymisation will reduce the risk of damage or distress in the event of a data breach.
- From the outset, plan where will the data be stored so it is secure, who will have access to it? Will the data be encrypted; and if it is necessary to share data, how will it be transferred safely?
- Ensure the study complies with relevant University policies, such as
- data protection,
- responsibilities of all staff and research students, and
- the Open Access Policy.
5. Update privacy information.
Update privacy information to include the new processing activity and inform the data subjects, unless doing so would be impossible or involve disproportionate effort; or providing information would prevent or seriously impair the achievement of the research purposes.
Consider:
- Including information about your lawful basis and intended purpose for processing the personal data for research.
How long can you keep personal data collected for research purposes?
The UK GDPR sets out seven key principles for the use of personal data, these are the foundation of data protection law. The principle of storage limitation means that personal data cannot be kept for longer than it is actually needed for.
However, personal data can be kept indefinitely if it is being used solely for research purposes. It cannot be used for any other purposes. This exemption is useful for longitudinal studies with no fixed end-data. For example, the Up series, a continuing longitudinal study that studies the lives of 14 people in the UK at seven-year intervals.
If the data is no longer being processed for any purpose (including for research), it must be deleted.