Privacy notices for research purposes

Information about an organisation’s processing of personal data is often contained within a ‘privacy notice’. However, providing an up front privacy notice about the data protection implications of a research project at the point of collection can pose a challenge. 

A researcher may not know the scope of the research until after the data is collected and used. The GDPR allows for this challenge in Recital 33, which allows a more relaxed specificity in the notice provided for research processing.


Tiered information

In many cases, privacy information is best provided in a tiered manner in order to avoid information fatigue.

For example, general information about data processing should be given at an organisational level, for example through the website and in clinic waiting rooms where data subjects will notice it.

However, information about specific uses of personal data, for example where a patient's data might be used in a research study, should be given via a specific consent form which should provide sufficient information to the patient to allow them give their explicit consent to the data processing involved.


Notice exemptions that apply to research

  • A researcher may be exempt from the notice requirement if they received the personal data from someone other than the data subject if “the provision of such information proves impossible or would involve a disproportionate effort,” (Recital 62).
  • A researcher may also claim an exemption if providing notice would be “likely to render impossible or seriously impair the achievement of the [research] objectives,” provided there are appropriate safeguards in place, “including making the information publicly available” (Article 14(5)(b)).
Disclaimer

This guidance has been prepared by the HRB to help researchers in the health domain comply with GDPR requirements.

It is intended to be general guidance for educational and informational purposes only.

It is not legal advice.