Based on the origin of data and the collection method, a distinction can be made between primary and secondary data. Primary personal data are collected directly from the individual. In contrast, secondary personal data have been first collected for other purposes and are not obtained from the individual but from databases, archives or elsewhere.

Processing primary data for research purposes is generally easier and more straightforward, as the legal relationship is only between the data collector and the data subject, the legal basis is consent, and the controller bears all responsibility for processing personal data. Secondary personal data, however, are often processed without consent, and not only the data subject’s but also the controller’s obligations and interests must be taken into account. Therefore, processing secondary personal data is generally more complex, as several exceptions apply.

2.8.1. Secondary use may be compatible with the original purpose

If the new use of existing personal data is compatible with the original purpose for which the data were collected, it will generally not require a separate legal basis. Therefore, when using secondary data, it is necessary to assess whether the original purpose of processing and the new purpose are compatible. Although in research, Article 5 (1) b) and Recital 50 of the GDPR always presume consistency with the original purpose, it does not mean that any processing of previously collected personal data is automatically allowed in research. The controller must also consider other data protection principles and, on that basis, ascertain whether it is permissible to use the secondary data.

Although there is no single principle for assessing the compatibility of the original and the new purposes, the compatibility is presumed to be higher if the same controller processes the data for both purposes. Compatibility is lower or non-existent where personal data are transferred to a new controller, a significant difference exists between the original and the new use, special categories of personal data are processed, or the processing presents a higher risk to the persons’ rights and freedoms. If the new purpose is not compatible with the original one, a new legal basis for processing is needed (see also 1.5.3 and 2.8.4).

2.8.2. Providing information to the data subject when collecting secondary data

In the case of primary personal data, all relevant information is provided directly to the data subject either before or at the time of collection. In the case of secondary research, when personal data are not collected directly from the data subject, some exceptions to the obligation to provide information apply (see Article 14 of the GDPR). For example, there is no obligation to provide information if the provision of information proves impossible or would require a disproportionate effort (data were collected a long time ago or there is a vast number of data subjects). However, to protect the data subjects’ rights and interests, the information must be made public, for example, on the website of the research institution or project. In such cases, the controller is not obliged to contact the data subjects as they can be expected to find the necessary information on their own.

2.8.3. Secondary data holders

Secondary use of personal data is favoured, for example, under purpose limitation in Article 5 (1) b) of the GDPR and under subsections 6 (1) and (3) and the explanatory memorandum of the Personal Data Protection Act. The fact that it is necessary to consider the obligations of the data-holding institution towards data subjects makes it more complicated. Data protection legislation does not impose the obligation to provide secondary personal data to researchers, but considering the freedom to conduct research and the European Union’s commitment to open science, the freedom of information and the duty of public authorities to provide information, public authorities – including holders of public databases and registers – generally provide researchers with the information they request, provided that they meet all the respective requirements. The explanatory memorandum to the Personal Data Protection Act also supports it. Commenting on the provisions of subsection 6 (3), it states, “Research with ordinary personal data does not require the approval of the Data Protection Inspectorate or the ethics committee. Persons doing research or a similar activity who meet the conditions must be given access to information, such as databases.”

The situation with public databases is more straightforward. Many more problems arise in the private sector, where information may be protected as a commercial secret. Thus, even when the researcher has carefully assessed the need for personal data processing, the public interest in the processing and the proportionality of the infringement of the data subjects’ rights, it is always possible that the controller will still refuse to release the secondary data.

2.8.4. There must be a suitable legal basis for secondary use

The controller who collected the primary data may transfer them to a researcher or a research institution, and the researcher or institution may accept them for secondary processing if both parties have a legal basis.

Public interest task as a legal basis for secondary use

When using the public interest task as a legal basis, assessing the public interest served by the research is necessary. Section 6 of the Personal Data Protection Act allows the processing of personal data without consent in research, but imposes additional requirements: pseudonymisation (subsection 1) or the use of personalised data in exceptional cases (subsection 3, see also 2.4). Researchers must also prove public interest. There are no agreed forms or standards for that. Still, since public interest is also demonstrated to the research funder or the ethics committee, the ethics committee’s approval is usually sufficient to convince the data holder of the public interest. However, the data holder may demand that the researcher prove the legal basis of the public interest task otherwise.

Consent as a legal basis for secondary use

Consent may not be an appropriate legal basis for secondary use of data, because it is difficult, if not impossible, for researchers to obtain it from data subjects with whom they have no contact. However, if reasonably possible, the data holder could seek consent by making a one-off request or using another solution, such as the consent service. Consent would assure both controllers that releasing data for a specific research project is lawful. It would also give the research subjects more control over their data. Alternatively, it is possible to seek consent for the secondary use of personal data already at the time of collecting the primary data. In this case, the institution holding the data can be sure that it has the right to provide personal data to researchers or research institutions it trusts. At the same time, the promises given to individuals in the original consent must be respected. For example, if it was promised at the time of the initial data collection that the data would be kept for five years after the end of the project and then destroyed, the secondary use of the data must also fall within that period (see also 2.3).

2.8.5. Approval of the ethics committee is required for special categories of personal data

If special categories of personal data are required for secondary use, and the processing is not based on consent, the approval of the ethics committee is required pursuant to subsection 6 (4) of the Personal Data Protection Act. Release of data from the health information system or the biobank must be coordinated under other legal acts. The ethics committee’s approval is just an additional safeguard that does not provide a legal basis for secondary processing. A task in the public interest could be the legal basis for a research study without consent (see also 2.13).

2.8.6. Contract may be required for the transfer of data

It is possible to obtain personal data by entering into a contract with the data holder, in which the conditions, purposes and time limits for processing personal data are agreed. This allows the data holder to verify that the released data are processed correctly and to lay down conditions for, among other things, destroying the data or storing them long term.

The research institution that receives the personal data is the controller for further processing. Thus, both the research institution and the researcher, as a representative of the institution, are responsible for complying with all requirements of the GDPR, even in the absence of a separate contract. The researcher and research institution are free of data protection obligations only if the data are anonymised before the release and can no longer be associated with the personal data held by the issuing institution.

2.8.7. Secondary use of disclosed personal data

The data protection principles also apply to personal data disclosed in the media. Therefore, if the data are used for secondary purposes, it is important to consider the appropriate legal basis for processing them or how to inform people about the planned research. For example, when collecting data from thousands of people in social media environments, it can be complicated to ask everyone for consent or to provide information to everyone. When applying the exceptions and looking for possible alternatives, it is worth bearing in mind that the aim is to avoid harming people’s interests and rights, respect people’s right to decide on their data and ensure transparency and reliability of research.

In most cases, the environments from which the disclosed personal data are collected have specified in their terms of use how and for what purposes the data may be used. Some have created separate APIs which enable automatic collection of data. In all such cases, the requirements and conditions of the owner of the environment must be observed to ensure the lawful collection of data. Some companies may impose unreasonable restrictions on processing the data in their possession for research. As mentioned at the beginning of this subchapter, in the case of personal data of scientific value held by the private sector, it is not always clear whether the private interests of companies or the interests of science prevail.

Read more

  • Association of Internet Researchers (AoIR) “Ethical Guidelines 3.0” (2019:14)
  • AoIR’s earlier guidance materials on ethics in internet research