What is the legal basis for research under GDPR?

Under the GDPR, for the processing of personal data for health and care research to be lawful, both of the criteria below must be satisfied:

  • A legal basis under GDPR must be identified
  • Other relevant legal frameworks must also be met, which may include consent to participate in research. A wide-reaching example is meeting the common law duty of confidentiality through consent (or having that duty set aside through section 251 support in England and Wales, or equivalent arrangements in Scotland and Northern Ireland)

Historically, most research studies that have involved the use of confidential patient information have sought consent from participants. This meets ethical expectations to promote the autonomy and privacy of research participants. Legally speaking, consent was obtained to avoid a breach of the common law duty of confidentiality, to permit participation in a drug trial, to remove and use human tissue samples, and so on. None of these requirements change with the introduction of the GDPR.

The GDPR requires each activity of processing data to have a legal basis under this legislation, in addition to the common law basis. For health and social care research undertaken within the UK Policy Framework for Health and Social Care Research, the legal basis is determined by the type of organisation that is the data controller for the processing:

  • For universities, NHS organisations, Research Council institutes or other public authorities, the processing of personal data for research should be a ‘task in the public interest’.
  • For commercial companies and charitable research organisations the processing of personal data for research should be undertaken within ‘legitimate interests’.

The GDPR sets out the expectation that consent would not be appropriate as a legal basis under this legislation where there is an imbalance of power in the relationship between the controller and the data subject, eg where the controller is a public authority and the data subject depends on its services, or fears adverse consequences, and so feels they have no choice but to agree. Furthermore, consent should not be used as the legal basis under the GDPR if the data subject’s rights that follow from consent under the legislation (for example, the right to withdraw consent) could not be given effect, eg because doing so would undermine the validity of the research.

For the purposes of the GDPR, the legal basis for processing data for health and social care research should NOT be consent. This means that the requirements in the GDPR relating to consent as a legal basis do NOT apply to health and care research.

You should note that both ‘task in the public interest’ and ‘legitimate interests’ require the processing to be necessary for the purpose. If it would be possible to undertake your research without processing personal data, then your intended legal basis will not be valid. This means that you should limit the use of identifiable data to the minimum needed for your purpose (see guidance on data minimisation).

For paediatric research, the above also applies. Although the GDPR places additional emphasis on the use of children’s personal data (eg because of the increasing use of online services and social media by children), this does not change the legal basis under the GDPR for processing such data for research, which is the same as above (ie public interest or legitimate interests).

Even though consent is not the legal basis for processing personal data for research under the GDPR, the common law duty of confidentiality is not changing. Consent is therefore still needed for people outside the care team to access and use confidential patient information for research, unless you have support under the Health Service (Control of Patient Information) Regulations 2002 (‘section 251 support’, made under section 251 of the NHS Act 2006), which is applied for via the Confidentiality Advisory Group in England and Wales, or under similar arrangements elsewhere in the UK.