Defining the research scheme and purpose for processing personal data
Processing personal data for purposes of scientific research must comply with the requirement of purpose limitation. The purpose of processing personal data must be planned and defined precisely before the start of processing to ensure its lawfulness.
The requirement of purpose limitation specifies that personal data must be collected for a specific, explicit and legitimate purpose. The data may not be processed in a manner inconsistent with this purpose at a later date. Expressions such as “future research” or “your personal data may be used for research purposes” do not convey the purpose of processing personal data clearly enough.
For scientific research, the purpose is usually specified more precisely in the research plan, which specifies the research scheme, material and methods, among other things. The research plan also specifies the data needed for carrying out the study and why such data is necessary for answering the research question. The research plan should also specify whether the study is a cross-sectional study, or a follow-up study that could require the processing of personal data for a longer time. The research plan can also support you in demonstrating compliance with the requirement of accountability.
Flexibility of consent in scientific research
In a scientific study, you can come across situations for which it is impossible to accurately specify the purpose of processing at the data collection stage. If consent is chosen as the basis for processing and the scientific study observes recognised ethical standards, the data subjects can give their consent for certain fields of research or parts of a research project, if the planned purpose of processing permits it. Compliance with ethical standards is often verified by an ethics committee opinion.
If special categories of personal data are processed in the study, the consent must be explicit (GDPR, Article 9, paragraph 2(a)) in addition to the other requirements for consent (GDPR, Article 4, paragraph 11; Article 6, paragraph 1(a) and Article 7). This requirement constrains the use of the flexible consent option.
It is also important to note that the flexibility of consent for the purposes of scientific research does not change the requirement that only specific consent can serve as the basis for lawful processing. Therefore, using the flexibility option requires the controller to satisfy the specificity requirement by other means.
Ways of specifying consent in scientific research
- If the purpose of the study cannot be fully specified at the outset, it is possible to request a general consent for the purpose of the research and the phases that have been decided on at the start of the study. Consent for the later phases of the project can then be obtained as the study progresses.
- The purpose of the study can be specified with transparent communications. The controller should provide regular updates on the development of the purpose as the study progresses in order to specify the consent as much as possible. Such communication helps the data subjects stay informed of the narrowing of the study’s purpose. Data subjects must be informed of the possibility of withdrawing their consent to the processing of their personal data as the purpose is specified.
- Making a comprehensive research plan or other clear and detailed description of the study available to the data subjects can compensate for the lack of a specific purpose. The research plan must be available before consent is given. The research plan must specify the intended research questions and methods as clearly as possible.
The controller must be able to demonstrate the type of personal data processing to which the data subjects have given their consent. In addition, the controller must be able to verify the additional measures taken to ensure compliance with the criteria of purpose limitation and consent. The data subject always has the right to withdraw their consent if they no longer wish to have their personal data processed for scientific research.
Compatibility of scientific and historical research with its original purpose
The GDPR seeks to facilitate access to diverse data for scientific and historical research. In certain situations, the processing of personal data for the purposes of scientific and historical research can be considered compatible with the original purpose if the appropriate technical and organisational safeguards are implemented in the processing.
Further processing for scientific research requires a case-by-case assessment, which also analyses the possibility of further processing in light of other data protection principles and regulations. The controller’s processing of personal data for compatible purposes can be based on the same processing basis as the original processing, in which case a new basis is not required. However, the processing must also be lawful from the perspective of other data protection regulations; a compatible purpose does not justify non-compliance with other data protection regulations.
When a controller intends to process personal data for purposes other than the original purpose of processing, it must notify the data subjects of this before starting the processing. This requirement also applies to cases in which the processing is compatible with the original purpose. The controller is required to inform the data subjects of the new purpose of processing, the rights of the data subject and all other relevant information unless there is a legal basis for deviating from the notification obligation.
If the personal data has been collected on the basis of consent, a new consent is usually required for the compatible purposes in order to ensure the lawfulness and fairness of the processing. The information on the processing of personal data must also be updated in order to fulfil the requirement of transparency.
Processing of personal data for new purposes different from the original is possible if the planned purpose of processing is compliant with data protection regulations and
- the data subject’s consent for the new purpose of processing is obtained before the start of processing; or
- there is a clear legal basis for the processing.