OVERSTRETCHING RESEARCH-SPECIFIC PROVISIONS

1.2 Research Purposes

The Government propose to consolidate and amend research provisions, expand the legal definition of “scientific research”, and introduce a new lawful ground to use data for research purposes.

These proposals are based on a poor understanding of data protection laws, and would not help researchers in navigating regulatory requirements. Instead, they risk overstretching research-specific provisions by enabling commercial and for-profit uses of personal data under the guise of “scientific research”. In turn, this would strip individuals of important safeguards, and risks undermining trust in legitimate research activities.

Impact on NHS patients and medical data

Government plans would extend the definition of what is “scientific research”, probably to encompass activities such as market research or the development of Artificial Intelligence applications. Furthermore, a new legal basis for research would risk circumventing existing protections, thus allowing NHS medical data to be shared with private corporations without patients’ knowledge or consent. For instance:

Impact on BAME, LGBTQIA+, other vulnerable groups

Government plans would extend the definition of what is “scientific research”, probably to encompass activities such as market research or the development of Artificial Intelligence software. Enabling more data to be used to automate systems and take decisions based on one’s profile will increase harm against vulnerable individuals. For instance:

Our draft response to Section 1.2: Research Purposes

In our answer to Q1.2.1, we explain how:

  • The Government fail to make a convincing case to modify provisions in the UK GDPR for research purposes. Researchers are not supposed to have a legal background, and they are unlikely to find it helpful that a regulatory text has been amended.
  • The Government make the wrong decision by dismissing regulatory guidance as an appropriate tool to support researchers. Instead, clear and user-friendly guidance tailored to researchers’ needs would be more helpful, and it would not undermine the legal protections afforded to individuals.

In our answer to Q1.2.2, we explain how:

  • The Government conclude that the definition of “scientific research” under Recital 159 of the UK GDPR is unclear because they mischaracterise the legal value of Recitals.
  • Amending the existing definition of “scientific research” risks extending its scope beyond research carried out in the interest of science. This could bend research-specific provisions to for-profit and corporate interests, and undermine trust in responsible research activities.

In our answer to Q1.2.6, we explain how:

  • Introducing a new lawful ground for research risks undermining legal protection afforded by the UK GDPR to individuals.
  • In turn, this may enable irresponsible or malicious uses of data to be mischaracterised as “scientific research”, while reducing protections and individuals’ rights over how their data is used for research purposes.
  • Regulatory guidance would be better suited to support researchers in selecting the right lawful ground, and it would not risk undermining legal protections for individuals.

The government is proposing to consolidate and bring together research-specific provisions

Q1.2.1 To what extent do you agree that consolidating and bringing together research-specific provisions will allow researchers to navigate the relevant law more easily? Please explain your answer, and provide supporting evidence where possible.

We strongly disagree that consolidating research-specific provisions will “allow researchers to navigate the relevant law more easily” (Q1.2.1). We urge the Government not to modify the legal rules underpinning the use of data for research purposes.

Responsible researchers would instead benefit from regulatory guidance, which is better suited to supporting an audience that lacks a legal background and can take into account the specific needs of researchers.

Q1.2.1a. Please explain your answer, and provide supporting evidence where possible.

The UK GDPR does provide a clear legal framework that governs the responsible use of personal data in the interest of research. Contrary to the Government’s opinion, recitals do form part of the operative text of the UK GDPR: they clarify the meaning of the law and its interpretation in practice.

Claims at §30 that legal definitions are unclear and create barriers to innovation are unsubstantiated, and the Government failed to test these assumptions against obvious counterarguments. For instance:

  • Responsible researchers may find data protection rules unclear because they lack an understanding of the legal methodology. Contrary to the Government’s opinion at §37, regulatory guidance developed by the ICO is more likely to ease their understanding of the UK GDPR. For instance, step-by-step guidance written in everyday language will prove more valuable to researchers than consolidating legal jargon in one place.
  • Irresponsible or malicious respondents may claim that data protection rules are unclear only because they wish to breach these rules. In this case, we emphasise that there is no evidence that the UK GDPR is creating barriers to innovation, and indeed the Government notes at §34 that “the UK is ranked second in the world for science and research”.

It follows that changes to the legal text of the UK GDPR are unlikely to bring further clarity to responsible researchers who are struggling with the interpretation of the law. Clear and user-friendly guidance issued by the ICO will be more helpful than any regulatory text.

On the other hand, if the Government’s purpose is to enable “responsible innovation”, protecting the rights and freedoms of individuals cannot be a hindrance to legitimate research activities. Modifying data protection provisions around research only risks undermining the protections afforded by the law.

The government therefore proposes to incorporate a clearer definition of ‘scientific research’ into legislation

Q1.2.2. To what extent do you agree that creating a statutory definition of ‘scientific research’ would result in greater certainty for researchers?

We strongly disagree about the need to “incorporate a clearer definition of ‘scientific research’ into legislation” (Q1.2.2). The UK GDPR already enshrines a clear definition of scientific research at Recital 159.

On the other hand, amending the definition of “scientific research” may inappropriately expand its definition to encompass commercial activities or for-profit interests, thus undermining public trust in the use of personal data for research purposes.

Q1.2.2a. Please explain your answer, and provide supporting evidence where possible.

The Government’s reasoning at §41 underpinning the need to amend the definition of scientific research is wrong. Recital 159 has interpretative status, and therefore it addresses uncertainties regarding what constitutes research by clarifying what kind of research activities fall under the UK GDPR regime for research purposes.

Furthermore:

  • There is no evidence that the definition provided by Recital 159 is unclear. Even if it were, regulatory guidance could reduce legal uncertainty over its interpretation without the need to change its legal definition.
  • The definition of “scientific research” provided by Recital 159 is not exhaustive. Within the limit of reasonableness, it can be expanded to take into account societal and technological developments.

On the other hand, we take note that the Government is inviting respondents to provide “supplementary or alternative definitions of scientific research” at §42. We stress that amending the definition of “scientific research” may inappropriately expand its definition to encompass commercial activities or for-profit interests. This would not provide a suitable basis for a statutory definition and would not provide greater certainty to responsible researchers. In turn, this would damage public trust in the use of personal data for research purposes and adversely affect responsible researchers.

The government is considering the following two proposals to tackle the challenge of determining the best lawful ground to apply to the use of personal data for research purposes: (a) Clarifying in legislation how university research projects can rely on tasks in the public interest (Article 6(1)(e) of the UK GDPR) as a lawful ground for personal data processing. (b) Creating a new, separate lawful ground for research, subject to suitable safeguards.

Q1.2.6. To what extent do you agree that creating a new, separate lawful ground for research (subject to suitable safeguards) would support researchers to select the best lawful ground for processing personal data?

We strongly disagree “that creating a new, separate lawful ground for research (subject to suitable safeguards) would support researchers to select the best lawful ground for processing personal data” (Q1.2.6). We urge the Government not to introduce a new lawful ground for research purposes. Regulatory guidance would be better suited to support researchers to select the best lawful ground for their research.

Introducing a new lawful ground for research purposes would affect the protection afforded by the UK GDPR for individuals whose data are used for research purposes. This may allow irresponsible or malicious uses of data that are not in the public interest, while reducing individuals’ ability to control how their data is used for research purposes.

Q1.2.6a. Please explain your answer, and provide supporting evidence where possible.

The UK GDPR already strikes the right balance between the interests of researchers and the rights of individuals. This balance has proven to be appropriate; thus, it should not be undermined. Furthermore, there is no evidence that the existing legal grounds cannot accommodate responsible researchers or would constitute a barrier to them.

On the other hand, introducing a new legal ground for research risks undermining that balance, thus enabling irresponsible or malicious activities to be justified under the guise of research.

For instance, a “research” lawful basis would provide:

  • An alternative to the lawful basis of “consent” (Article 6(1)(a) of the UK GDPR). In that case, this may undermine individuals’ ability not to consent to a research activity they do not wish to participate in. Individuals would also lose their ability to withdraw from research projects at a later stage.
  • An alternative to the lawful basis of a “task carried out in the public interest” (Article 6(1)(e) of the UK GDPR). In that case, it would remove the restriction that scientific research has to be “in the public interest”. This may bend research rules to corporate and for-profit interests, thus subverting the meaning of “scientific research”.
  • An alternative to the lawful basis of “legitimate interests” (Article 6(1)(f) of the UK GDPR). In that case, it would remove the requirement of conducting a balancing test between the legitimate interests of the researcher and the rights and freedoms of the individuals. Thus, irresponsible and malicious individuals would be allowed to trump the rights of individuals by claiming that they are conducting “scientific research”.

Enabling research that is conducted against the will of the individuals involved, or allowing research activities that are not in the general interest regardless of the adverse consequences they may cause to the rights and freedoms of individuals, is not a desirable outcome. Rather than providing any benefit to responsible researchers, it would adversely affect them by reducing trust and public support for scientific research.

Instead, responsible researchers can be supported in selecting the best lawful ground for processing by the ICO, who can issue regulatory guidance. This alternative approach would present important benefits:

  • Regulatory guidance would support researchers in navigating legal requirements without affecting the legal protection afforded to the individuals.
  • Regulatory guidance can be tailored to researchers’ needs; thus, it is more likely to be written in a way that is useful for those who are not privacy professionals. On the other hand, regulations are intrinsically legalistic and cannot be made user-friendly in the same way guidance can: for instance, you cannot write regulations as a step-by-step guide.