General Data Protection Regulation (EU)
In April 2016, the European Union published the final text of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
The General Data Protection Regulation (GDPR) takes effect on 25 May 2018, after a two-year implementation period. It replaces EU Directive 95/46/EC, which will be repealed. In the UK, the current Data Protection Act 1998 will also be repealed in May, and replaced with a new Data Protection Act 2018. This new Data Protection Act will apply the UK’s national derogations from the GDPR; these are the modifications which are allowed under the Regulation.
The GDPR regulates the use of personal data across a wide range of sectors. As a Regulation, the GDPR is a directly binding legislative act that must be applied in its entirety across the EU. As such it contrasts with the previous Directive—a Directive being a legislative act that sets out a goal that all EU countries must achieve but leaves it to individual countries to devise their own laws on how to reach and implement that goal.
However, under the GDPR individual member states may maintain or introduce further conditions, including limitations, relating to certain issues, such as the processing of genetic or health data.
The GDPR includes:
• higher fines, based on global turnover, for firms contravening the new regulation
• requirements to appoint a data protection officer if the institution handles significant amounts of sensitive or personal data
• direct obligations on data processors in defined circumstances
• data protection ‘by design’ (data protection safeguards to be built into firms’ products and services from the earliest stages of development)
The ADRN is made up of a number of institutions, most of which are based within Universities or other public bodies. As Universities are currently due to be classified as public authorities under the new UK Data Protection Bill, this places some constraints on the basis on which they can process personal data under the GDPR. Following recent guidance from the Information Commissioner’s Office, it is likely that the ADRN will rely on the ‘public task’ basis for processing personal data for research.
The GDPR also requires information to be provided to data subjects when their personal data are acquired from a third party; this would apply when personal data are received for linkage purposes. Even when it would involve disproportionate effort to contact every data subject directly, information about the processing must be made publicly available. The ADRN will ensure it complies with the GDPR’s transparency requirements.
In June 2017, the ADRN moved away from a ‘create and destroy’ model and towards retention of pseudonymised datasets for use by other approved administrative data researchers. This will be done in a manner which respects the GDPR principle of data minimisation in research. The GDPR includes exemptions for scientific research, which include the ability to retain personal data for ‘longer periods’ where this serves a legitimate research purpose.
The GDPR introduces ‘pseudonymisation’ as a new legal concept, meaning a process applied to personal data to reduce the risk of identification, but which does not render them anonymous. Despite this new concept, the ADRN is satisfied that the measures in place to protect the data accessed by researchers mean that this access is still lawful, and that these data will be ‘functionally anonymous’ when accessed by researchers.
For more detail, see https://doi.org/10.1016/j.clsr.2018.01.002.