/filters:quality(90)/0x275:1920x575/prod01/tudublin-cdn-pxl/media/website/images/header/Student-walking-Blanchardstown-Campus-Header.jpg)
Personal Data & Scientific Research
Privacy is a fundamental right for individuals within the European Union, and the GDPR applies to all research activities that involve the processing of personal data. Universities and research institutions that collect and use personal data for research purposes must therefore remain mindful of these rights and their corresponding legal obligations.
Under the GDPR, organisations that determine the purpose and means of processing personal data (known as data controllers) are required to inform individuals about why their data are being processed. As a general rule, personal data should not be used for purposes beyond those originally specified at the time of collection.
However, the GDPR acknowledges that research activities present particular challenges. In many cases, it is not feasible to fully define all aspects of future data use at the outset of a research project. The Regulation also recognises that achieving research objectives may require the further use of personal data that were initially collected for a different, but related, purpose.
To address this, the GDPR provides a specific accommodation for scientific research. The principle of purpose limitation is relaxed where further processing is carried out for archiving in the public interest, scientific or historical research, or statistical purposes. Article 5(1)(b) of the GDPR confirms that such further processing, when conducted in line with Article 89(1), is not regarded as incompatible with the original purpose of collection.
Article 89(1) sets out the conditions under which this flexibility applies. It requires that appropriate safeguards are implemented to protect the rights and freedoms of data subjects. In particular, researchers must ensure that suitable technical and organisational measures are in place to uphold principles such as data minimisation. These safeguards may include measures such as pseudonymisation, where feasible. Where research goals can be achieved without identifying individuals, or where identification is no longer necessary, the data should be processed in a way that prevents or eliminates identification.
Note: For scientific research using health related data see Research Using Health Related Personal Data.