Scientific research and data protection
Taking care of data protection builds the trust of research subjects and is a requirement for the success of any study. It is essential to plan the processing of personal data for its entire lifespan before the start of processing.
Data protection regulations protect the rights of research subjects. The purpose of the legislation is to strike a balance between the protection of personal data and the need to process personal data for scientific research. Data protection regulations contain special processing rules and exceptions for scientific research. They are designed to support and promote research.
Not all research is scientific, and the processing bases and exceptions designed for scientific research are not applicable to non-scientific research. For example, the planning and survey duties of authorities, or marketing surveys and polls are not scientific research. Personal data may still be processed for purposes of non-scientific research, but the basis for processing cannot be one designed for scientific research, and derogations from the rights of data subjects are not possible to the same extent.
Anonymised data can be used for non-scientific research. It is not considered to constitute personal data, and it is not subject to data protection regulations.
The General Data Protection Regulation (GDPR) (EUR-Lex) does not include a definition of scientific research. The recitals of the GDPR nevertheless state that the processing of personal data for scientific research purposes should be interpreted in a broad manner for purposes of the Regulation. Scientific research could thus include the development and presentation of technology, basic research, applied research and research financed with private funds. This does not extend the definition of scientific research beyond its usual meaning, however.
Scientific and historical research entails an expectation of increasing the amount of information available to the public. For example, by combining data from different data files, scientists can obtain valuable new information on things like endemic diseases, such as cardiovascular disorders, cancer and depression. Research results obtained from data files offer reliable knowledge that can serve as a basis for drafting and implementing informed policies, improve the lives of many individuals and increase the effectiveness of services.
The research plan can often demonstrate that personal data is being processed for purposes of scientific or historical research. An evaluation of the scientific nature of a research project also needs to consider whether the project follows the methodological and ethical standards and best practices of the field.
All research should conform to the general principles of research ethics. This is particularly important when processing data belonging to special categories of personal data. In practice, this means that an ethical evaluation and an ethics committee opinion must be requested before launching such research projects. However, the research ethics committee merely evaluates the ethics of the study, and an ethics committee opinion is not a basis for processing personal data. Even though the ethics committee can point out that data protection regulations must be followed in the research project, the prior consultation procedure does not constitute a data protection audit, and the ethics committee cannot verify the study’s compliance with data protection regulations on behalf of the controller. The controller of the study is responsible for the lawfulness of the processing.
In legal practice (KHO 181:2013, Finlex), the requirements for disclosing confidential data for purposes of scientific research have been established as:
- an appropriate research plan;
- sufficient scientific qualifications of the project staff;
- the requirements of autonomy and openness; and
- the main scientific goals of the study.
Taking data protection into account at different phases of scientific research
All activities involving personal data, from planning to processing, collection and erasure, constitute processing of personal data.
A data protection roadmap for scientific research guides controllers in taking data protection into consideration at the different phases of research and the lifespan of data.