Is research exempt from data protection?
A recurring question on the scope of Republic Act No. 10173, also known as the Data Privacy Act of 2012 (DPA), is whether it exempts the field of research from the application of the law. After all, the DPA does say that it does not apply to personal information processed for specific purposes, including research. What do we make of this provision, people would ask.
I was present in a number of public consultations conducted by the National Privacy Commission (NPC) with members of the research community, so I saw firsthand how much discussion revolved around this topic. The exchanges were sometimes heated but always ended with a conciliatory tone. The parties promised to work together to ensure the realization of the DPA’s twin promises of privacy protection and free flow of information.
It’s been more than a year since those discussions today. And there appears to be no formal, definitive policy guidance from the NPC that’s forthcoming—at least, not yet.
So as not to let a vacuum fester in this regard—because that’s not good for anyone—we should all see this as an opportunity to take the initiative of studying the matter in order to help formulate its future policy. For that purpose, surely it’s worth looking to the experience of other jurisdictions that have dealt with this issue before and whose data protection regimes are very similar to ours, only more mature. How did they go about reconciling the interests of both research and data protection?
I’ve done some digging and let me share with you two critical points I’ve discovered.
First, the presence of a research exemption in a data privacy or data protection law does not mean that personal data processing done in the name of research automatically falls outside the ambit of said law.
Instead—and this brings us to the second point—it usually means three (3) things for research:
Exemption from the Purpose Limitation Principle. The Principle states that personal data should only be collected for specified and legitimate purposes determined and declared before, or as soon as reasonably practicable after collection, and later processed in a way compatible with such declared, specified, and legitimate purposes only. The rationale for an exemption is the view that research is inherently compatible with any declared purpose. It is important, however, that the research or study meets two conditions: (a) it is not meant to support measures or decisions regarding specific persons; and (b) it will not cause or likely cause substantial damage or distress to any of the persons whose personal data are involved in the study.
Exemption from the Data Retention Principle. The Principle requires that personal data should only be retained for the period necessary to fulfill the purpose/s for which they were obtained, or for the establishment, exercise or defense of legal claims, or for legitimate business purposes, or as provided by law. Unfortunately, with research, the need for it is extremely difficult, if not impossible, to predict or anticipate. There is almost always something worth looking into given any dataset. With this, a strict implementation of the retention principle would forestall most, if not all, research opportunities. Hence, the exemption.
Suspension of the Right to Reasonable Access. A person has rights under a data protection law, including the right to reasonable access to details (e.g., sources of data, contact information of recipients, etc.) regarding the processing of his or her personal data. The exemption means that this may not be invoked vis-à-vis research if the two conditions cited above are complied with and the results of the research do not allow the identification of any of the individuals involved in the study. The justification is fairly simple: if the resulting data do not allow for a specific person to be identified, then there is no way for an individual to assert his or her rights over any of the data.
It remains to be seen whether the NPC will adopt these points as they stand, enhance them, or at least modify their implementation when interpreting the research exemption of the DPA. If synergy with international standards and best practices is the goal, any changes it makes should be quite minimal.
For now, I hope this clarification provides some guidance and maybe a reassuring thought to all concerned stakeholders. There is no blanket exemption for research, my friends. Just as there is no absolute right to privacy. The key, as always, is in the balancing of interests between those of the individual and society.
This article first appeared on GMA News Online on February 19, 2018 at 3:56pm.