Most health research uses special categories of personal data. These are defined as:
Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership; and the processing of genetic data or biometric data for the purpose of uniquely identifying a person; data concerning health or data concerning sex life or sexual orientation.
Research organisations that hold and use special categories of personal data must ensure that they have a lawful basis to hold and use personal data (section 1 above, GDPR Article 6), and an additional condition to hold and use special categories of personal data (GDPR Article 9). You can find a list of all available lawful bases and conditions in the Appendix.
The new legislation was written with research in mind, in fact one of the additional conditions for holding and using special categories of personal data (for all organisations, public authority or otherwise) is:
Article 9(2)(j)
processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
This refers to Article 89(1) which outlines safeguards that are likely to be present in most scientific research already (see Introduction section). Research is managed tightly within universities, research council institutes, NHS, charities, etc. through governance mechanisms. These governance arrangements provide research participants with assurance that their personal data is:
• Necessary to support research,
• Will only be used to support legitimate research activities that are considered to be in the public interest, and
• Their interests are safeguarded/protected.
These organisational assurances are in addition to the controls research participants have on the use of their personal data through the normal research consent process.