Research and data protection


Research is unquestionably fundamental to the development of any society. It contributes to scientific knowledge and economic development, and it can be used to solve significant societal issues. While the traditional image of research has been that of the universities, research has always been conducted by different actors and will continue to do so in the future. Numerous private entities, ranging from small organizations to large and influential tech and social media corporations, conduct ongoing research. Even though the motivations for such research are frequently more commercial in nature, it is essential for innovation and economic development. The utilization of data is fundamental to all types of research. Often, this includes personal data or information. The ability of researchers to access confidential data is frequently a determining factor in the viability of various types of research. In many instances, regulatory frameworks, including data protection frameworks, play a significant role in determining not only what categories of research can be conducted, but also what types of researchers can conduct them.

Personal Data in Research

In recent years, the significance of data protection frameworks to research has grown substantially. This is due to the increasing use of personal data in research, as well as the increased complexity and breadth of data protection frameworks. These changes result from the ability to digitize and share more and more personal information in an increasingly interconnected world. Data that has been pseudonymized (with identifiers separated) may still be personal data, depending on how hard it is to reconnect the identifiers with the dataset. Robust controls that separate the two – for example, a legal agreement that prevents reidentification and controls access to the identification key – will help protect the data so that it may be possible to classify it as not personal data to those that do not have access to the key. All research organizations must meet all legal requirements relevant to the processing activity (e.g., common law of confidentiality) and specify a lawful basis for data processing for their activities. If you are processing personal data for research purposes, you should know the lawful basis you are relying on because you may be asked to specify it. There are six lawful bases, and at least one must apply. The legal bases are consent; contract; legal obligation; vital interests; public task; or legitimate interests.


Appropriate Lawful Basis

The most likely lawful basis for research in public institutions and in universities (as public authorities) is ‘task in the public interest’. For example, the Ghana Statistical Service (GSS), the Public Utilities and Regulatory Commission (PURC) are public institutions that conduct research. Organisations can demonstrate they meet the requirements to use this lawful basis by reference to their legal constitutions, or because they are operating under a relevant statute that specifies research as one of the purposes of the organisation, e.g., for universities. Using this lawful basis helps to assure research participants that the organisation is credible and using their personal data for public good. For non-public authorities such as charities and commercial research organisations (e.g., Independent Research Organisations – such as IMANI Ghana, the CDD, etc.), ‘legitimate interests’ is likely to be the appropriate lawful basis for processing personal data for research. This helps to assure participants that there are compelling reasons for processing their personal data for research.

Research Ethics

Research ethics matters for scientific integrity, human rights and dignity, and collaboration between science and society. These principles make sure that participation in studies is voluntary, informed, and safe for research subjects. There are some key ethical considerations in research. For example:

Informed Consent: Participants know the purpose, benefits, risks, and funding behind the study before they agree or decline to join.

Anonymity: You do not know the identities of the participants. Personally identifiable data is not collected.

Confidentiality: You know who the participants are, but you keep that information hidden from everyone else. You anonymize personally identifiable data so that it cannot be linked to other data by anyone else.

Potential For Harm: Physical, social, psychological and all other types of harm are kept to an absolute minimum.

When conducting research on human subjects, minimize harms and risks and maximize benefits; respect human dignity, privacy, and autonomy; take special precautions with vulnerable populations; and strive to distribute the benefits and burdens of research fairly.

Data Protection and Research Exemptions

Data Protection laws and regulations make provisions for research and provide some exemptions. For example, in Ghana, the Data Protection Act (Act 843) gives some exemptions for research. Many data protection laws exempt research from the principles of storage limitation and purpose limitation to allow researchers to further process personal data beyond the purposes for which they were first collected. Research may provide a legitimate basis for processing without a data subject’s consent. To benefit from these exemptions, researchers must implement appropriate safeguards, in keeping with recognized ethical standards, that lower the risks of research for the rights of individuals.

Special Note

When processing special categories of data, like health data, ethnicity, political opinions, religious beliefs, etc., you must meet an additional condition. In these cases, the most likely condition will be that such processing is ‘necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with safeguards’.

What are data protection safeguards?

Safeguards are protections for participants, and include (but are not limited to):

  • not causing substantial damage or distress to research participants
  • not making decisions that affect individuals on the basis of research personal data
  • respecting the principle of data minimisation, i.e., processing personal data that is adequate (sufficient to fulfil the research purpose), relevant and limited to what is necessary
  • anonymising or pseudonymising, where possible
  • understanding the importance of privacy, confidentiality and
  • meeting a separate public interest test for processing special categories of personal data

Notice Requirements

Although controllers (researchers) are not required to obtain the data subject’s consent for all processing for research purposes, they remain bound by the data protection’s notice requirements. Controllers are required to take appropriate measures to inform data subjects of the nature of the processing activities and the rights available to them. Controllers are required to provide this information in all circumstances, regardless of whether consent is the basis for processing, “in a concise, transparent, intelligible and easily accessible form, using clear and plain language”.

The author is a (Data Protection Officer, IIPGH and Data Privacy Consultant and Practitioner at Information Governance Solutions)

For comments, contact author [email protected] or Mobile: +233-243913077

Leave a Reply