We have already noted that the DPA 1998 makes a distinction between ‘personal data’ and ‘sensitive personal data’. You may process ‘sensitive personal data’ if you meet one of the conditions for processing personal data and one of 10 additional conditions.
Four of these additional conditions are likely to apply to researchers:
- The data subject has given their explicit consent to the processing of the personal data
- The personal data has been made public as a result of steps deliberately taken by the data subject
- Use of the data is necessary for medical research undertaken by a health professional, or a person owing an equivalent duty of confidentiality
- Use of the data is in the substantial public interest, necessary for research purposes and neither supports measures or decisions with respect to any particular individual, nor is likely to cause substantial damage or substantial distress to any person.
The first condition appears to be the normal basis on which non-medical research involving the processing of sensitive personal data proceeds. For the purposes of the DPA 1998 there is no requirement that ‘explicit consent’ need be in written or recorded form (although written or recorded consent will provide the best evidence that consent was actually given explicitly).
It may not always be practicable or possible to obtain explicit consent for the processing of sensitive personal data (for example, in a large-scale study of case files held in court archives), in which case recourse to the fourth condition may be appropriate. If you can demonstrate that your methodology and use of the data meet its requirements, then you may process the sensitive personal data.
Substantial public interest
It is unlikely that simply stating that you are conducting ‘research’ will be sufficient to meet the requirements of the ‘substantial public interest’ test - rather, in cases involving sensitive personal data, a case for ‘substantial public interest’ should be explicitly made out.
The Scottish ICO in Decision 021/2005 Collie and the SCA for the Scottish Health Service (2010) noted "the very high tests required for these conditions to apply". The rules on notification of data subjects will also apply where research is carried out on an existing dataset containing sensitive personal data.
Again, archived data which has been fully anonymized (e.g. by destruction of link codes, or removal of identifying factors) will not fall within the scope of the DPA 1998.