Governance and Compliance

Research and GDPR

Please see the attached flowchart for information about the exemptions that apply to research under the General Data Protection Regulation.

Research and GDPR [PDF 192.89KB]

More details about the terms highlighted in red in the document above can be found in the Glossary.

The General Data Protection Regulation (‘GDPR’) and the Data Protection Act 2018 apply to any circumstances at the University where we are processing personal data. Processing includes things such as the collection, recording, analysis, storage, dissemination and even deletion of data, so any research involving personal data will amount to processing and the research will need to comply with the Regulation and Act.

Personal data is anything that enables a living person to be identified. It includes information that enables a person to be directly identified as well as information that enables them to be indirectly identified, such as a research participant number. In particular, personal data includes the physical, physiological, genetic, mental, economic, cultural or social identity of a living person.

However, the Regulation exempts some of the requirements when personal data is processed for “archiving purposes in the public interest, scientific or historical research purposes or statistical purposes” (Article 89).

The Article 89 exemption can only be relied upon if the research cannot be done in a way that would not enable individuals to be identified and there are appropriate safeguards in place for the rights and freedoms of data subjects. Specifically:

  • Any personal data must be adequate, relevant and limited to what is necessary for the research;
  • There must be appropriate technical and organisational measures in place, for example, to ensure security of personal data; and
  • Any processing should be in keeping with recognised ethical standards for research.

Subject to the above, the following rights of data subjects do not apply to research*:

  • Article 15(1) – the right to obtain information about whether an individual’s personal data is being processed, the purpose of processing, what personal data is held and other information required by Article 15(1).
  • Article 15(2) – the right for an individual to know the details of any safeguards in place if their personal data is transferred to a country outside of the European Economic Area.
  • Article 15(3) – the individual’s right to be provided with a copy of all of their personal data being processed by the University.
  • Article 16 – the right to have inaccurate or incomplete personal data rectified or completed.
  • Article 18(1) – the right to restrict the processing of an individual’s personal data in certain circumstances, for example, where the individual believes that personal data is accurate.
  • Article 21(1) – the right to object to the processing of personal data where the University is relying on its public task or legitimate interests as the legal basis for processing.

Two of the data protection principles are also limited in how they apply under the Article 89 exemption*:

  • Purpose limitation – under the second data protection principle, personal data should be collected for specified, explicit and legitimate purposes and must not be processed in a way that is incompatible with those purposes. However, further processing of the personal data is allowed under Article 89, allowing personal data to be used for other research purposes.
  • Storage limitation – under the fifth data protection principle, data which enables an individual to be identified should not be kept for longer than is necessary for the purpose for which it was obtained. However, Article 89 allows personal data that is processed in research to be stored for longer periods.

When processing special category data (such as racial or ethnic origin, health data, genetic data, religious or philosophical beliefs), further conditions also need to be met under Article 9 of the General Data Protection Regulation, such as having the individual’s explicit consent.

However, Article 89 allows special category data to be processed (because it is one of the conditions in Article 9), subject to the following*:

  • The processing is in the public interest;
  • It is not likely to cause substantial damage or distress to the individual; and
  • The processing must not be for the purpose of measures or decisions about a particular person, unless it is necessary for approved medical research.

If you have any queries about the data protection exemption for research, please contact the University’s Data Protection Officer, Alexandra Elliott, at GDPR@sussex.ac.uk or dpo@sussex.ac.uk

* Although certain data protection requirements / rights / conditions do not apply, the research will still need to meet the requirements of recognised ethical standards. For example, explicit consent may not be required to process ‘special category data’ for data protection purposes, but will still be required to meet ethical standards.