Data Protection Act 2018 and research

Provisions for archiving purposes in the public interest, scientific and historical research purposes and statistical purposes

GDPR is an EU Regulation and, therefore, has direct effect in all Member States from the date of its commencement (25th May 2018).  However, the regulation also allows Member States some flexibility in certain areas.

The Data Protection Act 2018 (DPA 2018) is the Irish legislation that gives effect to certain aspects of the EU's GDPR in Ireland. 

The Data Protection Act 2018, Section 42 makes provision for the processing of personal data for the purposes of:

  • archiving in the public interest;
  • scientific or historical research purposes; or,
  • statistical purposes.

The Data Protection Act 2018, Section 54 makes provision for the processing of special categories of personal data for the purposes of:

  • archiving in the public interest;
  • scientific or historical research purposes; or,
  • statistical purposes.

Conditions for processing personal data for research purposes

The Data Protection Act 2018 requires that the processing of all personal data (including special categories of personal data) for the above purposes comply with a number of conditions:

  • that suitable and specific measures are taken to safeguard the fundamental rights and freedoms of data subjects
  • that the personal data is processed in accordance with the conditions outlined in GDPR Article 89
  • that the processing respects the principle of data minimisation (GDPR Article 5(1)(c))

 

Health Research Regulations 2018

Data Protection Act 2018 (Section 36(2)) (Health Research) Regulations 2018

The suitable and specific safeguards for health research are provided for by the Data Protection Act 2018 (Section 36(2)) (Health Research) Regulations 2018, which are called the Health Research Regulations 2018 throughout these webpages.


The Health Research Regulations 2018 can be viewed in full here.

Suitable and specific safeguards for research

Relationship between GDPR Article 89, Data Protection Act 2018 and the Health Research Regulations 2018

GDPR Article 89 provides that:

"Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards ... for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organisational measures are in place in particular in order to ensure respect for the principle of data minimisation. Those measures may include pseudonymisation provided that those purposes can be fulfilled in that manner.  Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner."


Section 36 of the Data Protection Act 2018 gives effect to the "appropriate safeguards" required by GDPR Article 89:

Suitable and specific measures that may be taken include—

  • explicit consent of the data subject for the processing of his or her personal data for one or more specified purposes,
  • limitations on access to the personal data undergoing processing within a workplace in order to prevent unauthorised consultation, alteration, disclosure or erasure of personal data,
  • strict time limits for the erasure of personal data and mechanisms to ensure that such limits are observed,
  • specific targeted training for those involved in processing operations, and
  • governance and security measures including:—
    • logging mechanisms to permit verification of whether and by whom the personal data have been consulted, altered, disclosed or erased,
    • designation of a data protection officer (where it is not already mandatory)
    • in circumstances where the processing involves the provision of healthcare data, a requirement that the processing is undertaken by a health practitioner or other person who owes an equivalent duty of confidentiality
    • pseudonymisation of the personal data,
    • encryption of the personal data, and
    • other technical and organisational measures designed to ensure that the processing is carried out in accordance with the Data Protection Regulation and processes for testing and evaluating the effectiveness of such measures.

The suitable and specific measures for data processing provided for in Section 32 of the Data Protection Act 2018 are given further and more specific effect in Regulation 3 of the Health Research Regulations 2018 (Data Protection Act 2018 (Section 36(2)) (Health Research) Regulations 2018).

Disclaimer

This guidance has been prepared by the HRB to help researchers in the health domain comply with GDPR requirements.

It is intended to be general guidance for educational and informational purposes only.

It is not legal advice.