The Legal Framework for Administrative Data Research
What is the Legal Framework?
There are a number of laws which govern research conducted using data originally collected by the public sector, or ‘administrative data research.’ Most important is perhaps the Data Protection Act 1998. This is the piece of UK legislation which sets out the current parameters within which any data which identify living individuals (also known as ‘personal data’) can be used. For more information on the Data Protection Act, see the Legal Issues for ADRN Users guide.
Public authorities need to ensure that they do not breach the Data Protection Act, the Human Rights Act 1998, or the confidentiality of any identifiable individual. They must also ensure they are acting within their legal powers, either under statute or at common law. Chapter 5 of the newly enacted Digital Economy Act 2017 provides new powers to disclose information to administrative data researchers.
How has Chapter 5 Digital Economy Act 2017 come about?
This part of the Digital Economy Act shares its origins with the Administrative Data Research Network. In 2012, the Administrative Data Taskforce, led by the Economic & Social Research Council, produced a report which made a number of recommendations. Some of these recommendations led to the creation of the ADRN, while the recommendation for new legislation to facilitate administrative data research took longer to bear fruit.
The passage of the Act is significant, and suggests the right balance was struck to satisfy parliament. In 2009, the broader powers proposed under a system of Information Sharing Orders were dropped from the then Coroners and Justice Bill following privacy concerns raised by the Joint Committee on Human Rights.
What is the General Data Protection Regulation?
The General Data Protection Regulation (‘GDPR’) is a significant piece of EU legislation, which will apply directly to the UK from 25 May 2018. It replaces the European Directive (which is due to be repealed) on which the Data Protection Act 1998 is based, and will become the key piece of data protection legislation in Europe.
In February 2017, the Minister of State for Digital and Culture expressed an intention to repeal sections of the Data Protection Act 1998 to make way for the GDPR. Where there is any difference between the GDPR and the current Data Protection Act 1998, it is safe to assume for the time being that the GDPR will prevail.
What are the implications of the GDPR for administrative data research?
The GDPR will introduce a number of changes to the law which may have some impact on administrative data research. It includes enhanced obligations for those working with personal data, and also creates a higher standard of consent for data processing, which must be ‘unambiguous’ and capable of being withdrawn at any stage.
Are there research exemptions under the GDPR?
Scientific, historical and statistical research data are exempt from some of the provisions of the GDPR. This will be a ground on which data can be ‘further processed’ (i.e. used for a purpose other than that for which they were initially collected) as long as certain privacy safeguards are in place.
The ‘right to be forgotten’ (i.e. to be erased from a dataset) does not apply to personal data used for research. These data can be held for longer periods of time, and there is an exemption from the requirement to inform individuals that their data is being processed for research of this kind, if to do so would create a disproportionate burden. It is also more difficult for individuals to object to the processing of their data, if this processing is for research.
The GDPR also provides the UK with the power to create a broader exemption for ‘academic expression,’ which may also cover administrative data research. The Department for Culture, Media and Sport is currently consulting on the scope of the UK exemption, it remains to be seen how the resulting derogation may impact upon administrative data research.
What is ‘privacy by design’?
This is one of the requirements of the GDPR. It applies to those who work with personal data (except those who are merely processing the data on behalf of someone else). These ‘data controllers’ should ensure they implement technical measures (such as pseudonymisation) to implement data protection principles, in particular the principle of data minimisation. Personal data should only be used or retained to the degree that it is necessary for the controller’s purposes.
When are data ‘personal data’?
When they identify, or are reasonably likely to identify, a natural, living person. Under the Data Protection Act 1998, the definition of personal data is:
data which relate to a living individual who can be identified
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller.
The question of ‘likelihood’ is therefore important as to whether someone can be identified. The UK Information Commissioner’s Office (ICO) has produced guidance to the effect that a realistic assessment of the risk of re-identification in future should be made. This should be pragmatic, but bear in mind the fact that risk can change over time.
The processes of the ADRN are designed to minimise the risk that any individuals could be re-identified from the de-identified, linked datasets they produce. The aim is to ensure, to the greatest extent possible, that data provided to researchers could not be considered ‘personal data.’
Are de-identified data still personal data?
At present, it is unlikely that the kind of de-identified data provided to researchers from the ADRN would be considered personal data under UK law. This is because the risk of re-identification is very low.
There is some debate as to whether this position will change under the GDPR. The GDPR introduces a category of ‘pseudonymous’ data, which is defined as data which can no longer be attributed to an individual without the use of additional information that is kept separately, with technical and organisational measures to prevent this re-identification. This definition is very similar to the concept of what ADRN calls ‘de-identified’ data.
In order to determine whether pseudonymised data are personal data, regard must be had to Recital 26 of the GDPR. Analysis by the Wellcome trust suggests that pseudonymised data may be anonymous, as long as the methods ‘reasonably likely’ to be used would not permit re-identification. If this is the case, there may be little significant change under the GDPR.
If data are personal, do you need consent to use them for research?
Not necessarily. Under the Data Protection Act 1998, and the forthcoming GDPR, there are a number of grounds on which personal data can be used other than consent. These include the legitimate interest of the data controller, as well as public interest. Both pieces of legislation recognise that it is not always practical for researchers to contact each individual whose data they process.
What impact will Brexit have on data sharing in the UK?
It remains to be seen what legislation will be brought in to govern data protection in the UK from April 2019. However, it is likely that this legislation will be similar to the GDPR in many respects. The Government announced in a recent White Paper that it plans, by way of the Great Repeal Bill, to convert directly applicable EU law into UK law. This will include the GDPR.
Even after Brexit, it is likely that the UK will retain much of the substance of the GDPR to ensure a continued flow of trade and data with the EU.