The government welcomes views on the following questions: Q1.2.10. To what extent do you agree with the proposals to disapply the current requirement for controllers who collected personal data directly from the data subject to provide further information to the data subject prior to any further processing, but only where that further processing is for a research purpose and it where it would require a disproportionate effort to do so? ○ Strongly agree ○ Somewhat agree ○ Neither agree nor disagree ○ Somewhat disagree ○ Strongly disagree Please explain your answer, and provide supporting evidence where possible.
Q1.2.11. What, if any, additional safeguards should be considered as part of this exemption? 1.3 Further Processing 51.
Re-use (also known as 'further processing') of personal data can provide economic and societal benefits through facilitating innovation. Clarity on when data can lawfully be reused is important: data subjects benefit from transparency, data controllers benefit from certainty, and society benefits from unlocking the opportunities of re-use.
52.
The UK GDPR states that personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. In recognition of the value of re-use of data in certain circumstances, the UK GDPR sets out rules for when further processing of personal data is considered compatible with the purpose for which it was collected. Article 5(1)(b) of the UK GDPR states that, subject to safeguards, further processing of personal data for scientific or historical research purposes shall ’not be considered to be incompatible with the initial purposes’.
53.
The broader conditions for determining compatibility of purposes for further processing personal data are set out in Article 6(4) of the UK GDPR: a. Any link between the purposes for which the personal data have been collected and the purposes of the intended further processing b. The context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller c. The nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9 of the UK GDPR, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10 of the UK GDPR d. The possible consequences of the intended further processing for data subjects e. The existence of appropriate safeguards, which may include encryption or pseudonymisation 18
