The CNIL publishes practical information sheets for research processing (excluding health)

 

Much scientific research in the humanities and social sciences uses personal data.

Although the regulations in force (RGPD, Data Protection Act) provide for these purposes associated with derogations and exceptions to allow such processing, it is not always easy to find one’s way through the various requirements linked to it.

The CNIL has therefore just published a series of practical sheets for these specific processing operations, which should prove indispensable for the compliance of any research processing operation.

In addition to the constraints common to all processing of personal data (registration of the processing in the ad hoc register, carrying out a privacy risk analysis for processing considered sensitive), the specificities attached to research processing mainly concern:

  • The legal bases that can be mobilised (necessary before any processing is carried out): consent – free, specific, informed and unequivocal – of the data subjects, the performance of a task in the public interest or the legitimate interests of the controller;
  • A research purpose that can be a posteriori: the GDPR indicates (Articles 5 and 89) that research purposes are not incompatible with the initial purposes of a processing operation, as long as this research does not lead to decisions being taken with regard to the data subjects. For example, it is possible to access administrative data (taxes, benefits, etc.) to carry out this work, even if the collection of the data did not mention research from the outset;
  • A data retention period which, although it can be quite long with appropriate security measures and taking into account the particularities of scientific research (long follow-up, re-reading before publication, etc.), cannot be unlimited;
  • Ensuring data minimisation: only processing data that is really needed. This principle of minimisation leads, for research processing, to quasi-systematic pseudonymisation so as to make it difficult to re-identify people. Typically, this involves deleting the surnames, first names and addresses of individuals;
  • The obligation to inform individuals and respect their rights with regard to their data: even if it is sometimes impossible to individually inform the data subjects of the processing that will be carried out on the basis of their data – or if this would require disproportionate means – general information must be provided (by means of posters, on websites, in a newsletter);
  • Guarantee the security of the processing, particularly with regard to the confidentiality of the data processed (including data exchanges) and backup: manage access authorisations, ensure traceability, secure the equipment, etc.

Research processing in the field of health is subject to dedicated regulations.

[Learn more]