Stuck in the thicket? Social research under the first data protection principle

International Journal of Law and Information Technology

Volumn 19, Issue 2, 2011, Pages 133-152

  Erdos, David ^a  

^a BALLIOL COLLEGE   (United Kingdom)

Author keywords

Academic freedom; Data protection; Deception; Ethical review; Fair information notice; Privacy; Sensitive personal data; Social research

Indexed keywords

EID: 79956149102     PISSN: 09670769     EISSN: 14643693     Source Type: Journal    
DOI: 10.1093/ijlit/ear001     Document Type: Article

References (128)

1. European Parliament and Council Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data 1995/46, 1995 O. J. (L 281) 31 (EC).
2. Campbell v. MGN Ltd. [2002] EMLR 30 77.
3. DPA, § 32
4. G-G Westrin and T Nilstun, "The Ethics of Data Utilisation: A Comparison between Epidemilogy and Journalism," British Medical Journal 308 (1994)
5. Julian Peto, Olivia Fletcher, and Clare Gilham, "Data Protection, Informed Consent, and Research," British Medical Journal 328 (2004)
6. Judith Strobl, Emma Cave, and Tom Walley, "Data Protection Legislation: Interpretation and Barriers to Research," British Medical Journal 321 (2000)
7. DPA, sch. 1. Other aspects of the DPA, notably purpose specification (principle two), subject access (principle six) and data export (principle eight), may impose serious restrictions on social research. For an analysis of general interaction between the data protection framework and academic social investigation see David Erdos, "Systematically Handicapped? Social Research in the Data Protection Framework" (forthcoming, Information and Communications Technology Law).
8. United Kingdom Government Ministry of Justice. "Call for Evidence on the Current Data Protection Legislative Framework." (London: Ministry of Justice, 2010), http://www.justice.gov.uk/dpa-call-evidence-02-07-2010.pdf.
9. European Commission. "A Comprehensive Approach on Personal Data Protection in the European Union." (Brussels: European Commission, 2010), http://ec.europa.eu/justice/news/consulting_public/0006/com_2010_609_en.pdf.
10. Data Protection Directive, art. 28. The ICO was previously styled the Office of the Data Protection Registrar (1984-1998) and then the Data Protection Commissioner's Office (1998-2000). Since 2000, the ICO has also overseen implementation of the Freedom of Information Act, 2000.
11. DPA, § 1(1). In contrast, the 1984 Act's definition of processing confined itself to operations performed "by reference to the data subject" (§ 1 (7)) and specifically excluded processing "performed only for the purpose of preparing the text of documents" (§ 1(7)).
12. In other words on computer or other electronic equipment
13. DPA,§ 1(1). In contrast, the DPA 1984 excluded structured manual files from its definition of 'data' (§1(2)). As a result of an extension made by the Freedom of Information Act 2000, information held by public authorities even in an unstructured format will also be 'data' but need not be processed in conformity with either the first or most of the other data protection principles. See Freedom of Information Act, 2000, § 68-70.
14. DPA,§ 1(1). Data control may be exercised alone, jointly or in common with other persons. The DPA's in concreto formulation of "identifiable" is narrower than the in abstracto definition in article 2 (a) of the Data Protection Directive.
15. Under the DPA 1984, which used the same statutory language, the ICO even determined that this would encompass the name of an author coupled with a book title
16. (Committee of Vice-Chancellors and Principals, Data Protection Act 1984: Code of Practice for Universities (London: The Committee, 1987))
17. In 2003 the UK Courts sought to narrow this definition holding that, in order to be "personal" , data must affect the subject's "privacy, whether in his personal or family life, business or professional capacity" (Durant v. Financial Services Authority, [2003] EWCA Civ 1746 at 28). However, this limitation has been undercut not only by divergent ICO guidance but also by contrasting rulings from the European Court of Justice.
18. See Information Commissioner's Office, "Data Protection Technical Guidance Determining What Is Personal Data" (Wimslow: Information Commissioner's Office, 2007) http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/personal_data_flowchart_v1_with_preface001.pdf.
19. Tietosuojavaltuutettu v. Satakunnan Markkinapörssi Case C-73/07, 2008 E.C.R. I-09831 and Commission v. Bavarian Lager Co. Ltd. Case C-28/08 P (judgment dated 29 June 2010).
20. Information Commissioner's Office, "CCTV Code of Practice" (Wimslow: Information Commissioner's Office, 2008), http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/ico_cctvfinal_2301.pdf.
21. Common Services Agency v Scottish Information Commissioner [2008] UKHL 47
22. DPA, sch. 1.
23. Peter Carey, Data Protection: A Practical Guide to UK and EU Law, 3rd Edition (Oxford: Oxford University Press, 2009), 47
24. The DPA grants research processing an exemption, albeit significantly qualified, from all or part of the second, fifth and sixth data protection principles. Section 7 (a) of the DPA 1984 had similarly provided a qualified exemption from the obligation to obtain research data fairly. This was not included in the DPA 1998. The current regime does provide for a specific research legitimating condition for processing sensitive personal data as well as an additional narrower one for medical research. These conditions will be examined in detail in section five below.
25. Section 32(1) of the DPA provides that such processing is generally exempt from compliance with all but the seventh data protection principle if "(a) the processing is undertaken with a view to the publication by any person of any journalistic, literary or artistic material, (b) the data controller reasonably believes that, having regard in particular to the special importance of the public interest in freedom of expression, publication would be in the public interest, and (c) the data controller reasonably believes that, in all the circumstances, compliance with that provision is incompatible with the special purposes." Nevertheless, this section does not exempt such activities from either the requirement to register automatic processing with the ICO (an aspect of the first principle) (§ 17) or the right of data subjects to prevent processing for the purposes of direct marketing (an aspect of the sixth principle) (§ 11).
26. Information Commissioner's Office, "N887 - University," https://www.ico.gov.uk/onlinenotification/PurposeDetails.aspx?key=ajq161&;tid=377 (accessed 12 December 2010).
27. Andrew Charlesworth. "Code of Practice for the Further and Higher Education Sectors on the Data Protection Act 1998." (London: JISC Legal 2008), http://www.jisclegal.ac.uk/Portals/12/Documents/PDFs/DPACodeofpractice.pdf (accessed 12 December 2010).
28. Carey, Data Protection: A Practical Guide to UK and EU Law, 173
29. Rosemary Jay, Data Protection Law and Practice (London: Sweet and Maxwell, 2007), 537
30. Rosemary Jay, "The Impact of the Data Protection Act 1998 on Socio-Legal Research" (2004) http://www.kent.ac.uk/nslsa/images/slsadownloads/onedayconferences/rosemary%20jay%20slsa%20paper.doc (accessed 12 December 2010).
31. Note. See Information Commissioner's Office, "Data Protection Public Register," http://www.ico.gov.uk/ESDWebPages/search.asp (accessed 15 August 2010) and university of Manchester.
32. Records Management Office, "Data Protection," http://www.staffnet.manchester.ac.uk/services/records-management/data-protection/ (accessed 7 March 2011).
33. The Russell Group is composed of twenty leading research intensive universities in the UK: Russell Group, "About Us," http://www.russellgroup.ac.uk/about-russell-group/ (accessed 7 March 2011).
34. Whilst Jay supports such an 'integrationist thesis', Liddell writes in opposition
35. See Jay, Data Protection Law and Practice, 20
36. Kathleen Liddell, "The Mythical Connection between Data Protection Law and Confidentiality: Processing Data Lawfully" , Bio-science Law Review 6 (6) (2003/4)
37. In Murray v. Big Pictures [2008] EWCA Civ 446 at 62, the Court of Appeal ruled that at least a breach of the tort of the misuse of private information would constitute unlawfulness in DPA terms.
38. The requirement to register unless exempt is a straightforward strict liability offence. Once registered, data controllers are also obliged to keep their registration up to date. Failure to do so is also a strict liability offence, although in this case a defence of due diligence is available. See DPA, § 24.
39. Data controllers processing only for the purpose of national security or, if they are an individual, domestic purposes are virtually exempt from the DPA altogether (DPA, §§ 28 and 36). In all other cases, even data controllers exempt from registration must, within twenty one days of the receipt of a written request from any person, provide him or her with a copy of their 'registerable particulars'. Failure to do so constitutes a strict liability offence, although a defence of due diligence is available. See DPA, § 24.
40. Information Commissioner's Office, "Data Protection Public Register"
41. Official guidance from the ICO has stressed that the test to be applied is whether the person is question decides "why and how" personal data are to be used
42. Great Britain Information Commissioner's Office, Data Protection Act 1998 - Legal Guidance (Wilmslow, Cheshire: Information Commissioner's Office, 2001), 17
43. In reality, such control is exercised by individual academics in British higher education
44. The requirement to be completely transparent about not only one's name but also one's address has led to the National Union of Journalists raising concerns regarding freelance journalists' privacy (and safety)
45. See Mike Holderness, "Data Protection Required" , Freelance: Newsletter of the London Freelance Branch, NUJ (2008), http://media.gn.apc.org/fl//0809dpa.html (accessed 12 December 2010).
46. In principle, similar concerns could confront individual academics
47. All data controllers, of whatever size, must pay an annual fee to ICO of at least £35
48. In some cases the logistical difficulties associated with such burdens would appear insuperable. For example, the Act on its face would require that an academic based outside the European Economic Area and intending to enter the UK with a laptop holding personal data for research purposes had completed a full data protection registration prior to entry and that this included not only her current overseas address but also the current UK address of her nominated representative.
49. Committee of Vice-Chancellors and Principals, Data Protection Act 1984: Code of Practice for Universities
50. A search of the public register indicates that virtually all UK universities have registered as Data Controllers. By contrast, few (if any) individual academics have done so.
51. It is beyond the scope of this article to comprehensively consider the range of restrictions thereby placed on academics. To indicate the type of restrictions which may be imposed, some examples of onerous interpretations of the first data protection principle by leading UK universities will be noted periodically throughout this piece.
52. DPA, § 55(1). Nevertheless, if data is unlawfully disclosed, this will not be enough in and of itself to render the obtaining of the data by the academic also unlawful. However, any obtaining, disclosing or procuring of data without the consent of the relevant data controller will generally not only be unlawful but will also be a criminal offence. Such acts will not be criminal if they can be justified as being in the public interest. Even if the information will not be finally published in identifiable form, reliance on this exemption may well be necessary in order to carry out the type of covert or deceptive studies noted below. This public interest exemption is significantly less generous that that for "journalism, literature and art" which applies the same test in this context as that which applies generally under section 32. See DPA, § 55(1)(ca).
53. Case DA/90 (1991). In concrete terms, this case concerned the use of data about a third party in the assessment of an application for credit.
54. The cognate entity in the 1984 Act for what the 1998 Act now defines as "data controller"
55. Case DA/90 at 51
56. The guidance stated that "[t]he Commissioner takes the view that in assessing fairness, the first and paramount consideration must be given to the consequences of the processing to the interests of the data subject" : Great Britain Information Commissioner's Office, Data Protection Act 1998 - Legal Guidance, 30
57. University of Bath, "Guidelines on Academic Research and the Data Protection Act 1998," http://www.bath.ac.uk/internal/data-protection/academic-research.htm (accessed 12 December 2010).
58. Case EA/0006/0015 (2007) (hereinafter Corporate Officer). This was the first of two cases dealing with the release of expenses information about individual Members of Parliament under the Freedom of Information Act, 2000.
59. Great Britain, Economic and Social Research Council, Research Ethics Framework (Swindon: Economic and Social Research Council, 2005), 22 http://www.esrc.ac.uk/esrcinfocentre/images/esrc_re_ethics_frame_tcm6-11291.pdf (accessed 12 December 2010).
60. DPA para. 1 (1), sch. 1, pt. 2.
61. DPA 1984, para. 1(1), sch. 1, pt. 2. The only apparently non-substantive difference is that the 1984 version used the words "shall be had" as opposed to "is to be had" . On the other hand, unlike the current DPA, the 1984 Act provided research with a qualified exemption from this provision.
62. Case DA/92 (1993) (hereinafter Innovations)
63. Where such prior consent was not possible, the tribunal held that it would be necessary to obtain the data subject's subsequent "positive consent" for any use of the data for the non-obvious purpose (at 31)
64. Carey, Data Protection: A Practical Guide to UK and EU Law, 58
65. DPA, sch. 1, pt. 2, para. 2.
66. Great Britain Information Commissioner's Office, Data Protection Act 1998 - Legal Guidance, 32
67. DPA 1984, para 2, sch. 1, pt. 2.
68. Don Sapatkin, "Was This Ethical? Scientists Dare to Decieve," The Philadelphia Inquirer, 24.05.2010.
69. Nigel Fielding, "Observational Research on the National Front," in Social Research Ethics: An Examination of the Merits of Covert Participant Observation, ed. Martin Bulmer (London: Macmillan, 1982).
70. Simon Holdaway, Inside the British Police: A Force At Work, (Oxford: Basil Blackwell, 1983), 81
71. For example, during the less than fully covert interview part of his seminal work on the National Front, Fielding still gave a "purposely bland" description of his study in order to ensure that National Front officials would be cooperative: Fielding, "Observational Research on the National Front" 86
72. Anne Barlow, "New Ethical Challenges for Socio-Legal Researchers: SLSA One-Day Conference," Socio-Legal Newsletter, no. 44 (2004).
73. A similar analysis of the law is provided by Karen Rosier and Isabelle Vereecken, "Data Protection Aspects within the Framework of Socio-Economic Research"(Brighton: Insitute for Employment Studies (2003)), http://www.respectproject.org/data/415data.pdf (accessed 12 December 2010).
74. Rosier and Vereecken, "Data Protection Aspects within the Framework of Socio-Economic Research"
75. Kevin Haggerty, "Ethics Creep: Governing Social Science Research in the Name of Ethics," Qualitative Sociology 27(4) (2004): 406
76. In particular, the tribunal noted that, apparently without serious consequence, "many [commercial] advertisers" did "give notice in ordinary language in their advertisements that they may trade in names and addresses": Innovations, at 30
77. It is also necessary that the data subject has not already made a prior request to be provided with the information: Data Protection (Conditions Under Paragraph 3 of Part II of Schedule 1) Order, 2000, S.I. 2000/185.
78. Great Britain Information Commissioner's Office, Data Protection Act 1998 - Legal Guidance, 34
79. See Society of Archivists. "Code of Pratice for Archivists and Record Managers under Section 51(4) of the Data Protection Act 1998." ed Susan Healy. (London: National Archives, 2007), http://www.archives.org.uk/resources/DP_code%20of%20practice_Oct_2007.pdf (accessed 12 December 2010).
80. Great Britain Information Commissioner's Office, Data Protection Act 1998 - Legal Guidance, 34
81. For example, to return to our previous example, Fielding's book on the National Front even included in a non-anonymous form "[s]ensitive detail, such as that pertaining to court appearances": Fielding, "Observational Research on the National Front," 92
82. For example, the University of Edinburgh appears to argue that any non-anonymous and potentially controversial research will require data subject notification even if it uses data already in the public domain. In sum, it states: "if you were doing research into the medal achievements of Olympic athletes (provided that your research was not controversial in any way) it might involve disproportionate effort to contact all the athletes to tell them about your research because there are many Olympic athletes, medal information is in the public domain, and the athletes are unlikely to be distressed by your use of their information.
83. However if you were doing research using information about individuals' sex lives it is likely that the effort it would take you to notify those individuals would not be disproportionate to their interest in receiving the information" University of Edinburgh, "Reseacher's Guide to the Data Protection Act" http://www.recordsmanagement.ed.ac.uk/InfoStaff/DPstaff/DP_Research/ResearchAnnexA.htm (accessed 12 December 2010).
84. Rosier and Vereecken, "Data Protection Aspects within the Framework of Socio-Economic Research"
85. DPA, para. 2, sch. 1, pt. 2.
86. See Data Protection Directive, art. 10.
87. Thus, the London School of Economics simply states that "at the time the data is being collected [y]ou need to tell the individuals concerned why you are collecting the information and what you will be doing with it as clearly as possible. This is called a fair processing and/or privacy notice[.]": London School of Economics, "Data Protection Research Data," http://www2.lse.ac.uk/aboutLSE/dataProtection/researchData.aspx (accessed 12 December 2010).
88. Similarly, the University of Edinburgh states that "[y]ou are only relieved of a duty to provide a fair information notice" if the disproportionate effort criteria are made out: University of Edinburgh, "Guidance: Research and the Data Protection Act."
89. The Oxford English Dictionary Online (2010), http://www.oed.com/ (accessed 12 December 2010), defines "practicable" as "able to be done or put in to practice successfully; feasible; able to be used; useful, practical, effective".
90. For example, an archive might hold enough data (e.g. a name, place of birth and photograph) by which to definitively identify a particular individual but not provide a mechanism for currently contacting them. Replying on the impracticability limitation the data could nevertheless be processed without provision of the fair processing information to the data subject.
91. For example, assuming that a digital photograph of identifiable people in a crowd scene did constitute their "personal data", it would clearly be technically infeasible to ensure that all individuals were provided with the specified information. Perhaps in the light of this, the ICO's current CCTV Code of Practice states that in lieu of individualized notification CCTV operators can use "prominently placed signs at the entrance to the CCTV zone... reinforcing this with further signs inside the area": Information Commissioner's Office. "CCTV Code of Practice."
92. DPA, §§ 7-14
93. Case EA/2006/0015 (2007). This case which ordered the release of travel expenses details of Members of Parliament under the Freedom of Information Act, 2000 stressed that the phrase "as far as practicable" meant that "there is no absolute requirement" to provide the fair processing information (at 75). The claim by the Corporate Officer of the House of Commons was that such information could not be released because MPs had not been informed of such purposes at the time the data was collected including, in particular, that such information might be disclosed to the public (at 53-5). The Tribunal rejected the first of these claims holding that the data was already used to compile certain statistics releasable through the House of Commons' Freedom of Information Scheme and, therefore, the further use of the data in a Freedom of Information context was not for a new purpose (at 97). The Tribunal also held that the disclosure to MPs of the existence of the Scheme constituted sufficient provision of the fair processing information including possible disclosures (at 76).
94. [2008] EWHC 1908 (Ch) at 74
95. Section 2 (3) of the DPA 1984 did provide that the Secretary of State could "by order modify or supplement" the data protection principles "for the purpose of providing additional safeguards" in relation to the processing of certain specified categories of data. These were more limited that currently designated as sensitive in the DPA 1998. In any case, no such Order was ever made under the 1984 Act.
96. Jay, Data Protection Law and Practice, 549
97. Arguably, condition 5 and, more specifically, that part which legitimates processing which is "necessary.. .for the exercise of any functions conferred by or under enactment" may also have relevance. The Statutes of many, if not all, UK universities commit them to primary object of "the advancement of learning by teaching and research". They may also formally provide that the "University has the power to do all things permitted by law which are necessary or desirable to promote its objects".
98. See, for example (University of Oxford, "University Statutes and Regulations," http://www.admin.ox.ac.uk/statutes/.) (accessed 7 march 2011).
99. Finally, these Statutes generally derive their authority from a UK-wide enactment (e.g., the Oxford and Cambridge Act, 1923). Necessary activities by servants and agents in pursuit of these objects could arguably be said to constitute such an authorized "function". (On the other hand it may be argued that "function" has a more limited definition). Interestingly exactly the same wording reoccurs as a legitimating condition for processing sensitive personal data (DPA, para 7(1) (b), sch. 3). Therefore, if this argument were valid, academics within certain institutions could process sensitive personal data for research purposes even if they could not comply with the restrictive conditions set out in the other legitimizing conditions under this heading.
100. DPA, para. 1, sch. 3.
101. Data Protection Directive, art 2(h)
102. Great Britain Information Commissioner's Office, Data Protection Act 1998 - Legal Guidance, 29
103. DPA, para. 6, sch. 2.
104. Great Britain Information Commissioner's Office, Data Protection Act 1998 - Legal Guidance, 30
105. DPA, § 2
106. Great Britain Economic and Social Research Council, Research Ethics Framework, 8
107. Data Protection Act, sch. 3, as supplemented by the Data Protection (Processing of Sensitive Personal Data) Order, 2000 the Data Protection (Processing of Sensitive Personal Data) (Elected Representatives) Order, 2002 and the Data Protection (Processing of Sensitive Personal Data) Order, 2006.
108. Note, however, a further condition which in terms equivalent to that provided for in the general legitimizing conditions schedule (sch. 2) allows for processing which "is necessary.. .for the exercise of any functions conferred on any person by or under enactment" (DPA, para 7(1)(b), sch. 3). If the argument above in note 77 is valid, then this would provide a basis for processing sensitive personal data for scholarly purposes in certain universities without the need for any specific limitations. Given the roots of the legislation in the Data Protection Directive, however, it is likely that the concept of "functions" would be given a narrower construction.
109. DPA para. 1, sch. 3.
110. DPA para. 5, sch. 3.
111. Fielding, "Observational Research on the National Front" 92
112. Data Protection (Processing of Sensitive Personal Data etc.) Order, 2000, para 9. Separately, the Data Protection Act, 1998 also legitimizes the processing of sensitive personal for the purposes of "medical research" where this is firstly necessary and secondly undertaken by a "health professional" or by "a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a health professional" (para. 8, sch. 2). This latter provision, however, is clearly not applicable to the type of social research under consideration here.
113. On occasion, academics themselves may appropriately decide to advocate for a certain measure or decision being taken against a particular individual. This could include, for example, support for the criminal prosecution of a genocide leader, deselection of a corrupt politician or disciplinary action against a violent police officer. However, even if the academic in question refrains from drawing such an explicit connection, publishing (or even republishing) incriminating evidence may be constructed to "support" some kind of negative measure or decision. In this context it should be noted that the Data Protection Directive codifies the issue in much more overarching language stating that the safeguards in this area "must in particular rule out the use of the data in support of measures or decisions regarding any particular individual" (Data Protection Directive, recital 29 (emphasis added)). However, if information is to be published in identified form worldwide it is difficult to see how such a guarantee can be given.
114. Worryingly the Council of Europe have produced a recommendation on scientific research under Convention 108 that states that "[p]ersonal data used for research should not be published in identifiable form unless the persons concerned have given their consent": Council of Europe Committee of Ministers, "Recommendation No. R (83) 10 on the Protection of Personal Data Used for Scientific Research and Statistics," (Strasbourg: Council of Europe, 1983), https://wcd.coe.int/wcd/com.instranet.InstraServlet?command=com.instranet.CmdBlobGet&InstranetImage=602986&SecMode=1&DocId=680204&;Usage=2. (accessed 12 December 2010).
115. Such a requirement for anonymity, however, would make contemporary history impossible. In some tension with this, the Code of Practice for Archivists and Record Managers states: "[I]f researchers breach the terms of any access conditions and publish name-identifiable information, the exemption from section 7 [on subject access] will be lost but not the general exemption for processing for research purposes" (Society of Archivists. "Code of Pratice for Archivists and Record Managers under Section 51(4) of the Data Protection Act 1998" 38).
116. 45 C.F.R. pt. 46 (2009).
117. Linda Shopes, "Oral History, Human Subjects and Institutional Review Boards" (?2009), http://www.oralhistory.org/do-oral-history/oral-history-and-irb-review/ (accessed 12 December 2010).
118. Linda Shopes, "Institutional Review Boards Have a Chilling Effect on Oral History" (2000) http://www.historians.org/perspectives/issues/2000/0009/0009vie1.cfm (accessed 12 December 2010).
119. The term is not defined further in the DPA 1998 itself. Nor does the dictionary definition resolve the matter as, for example, the Oxford English Dictionary Online (2010) variously describes the term as referring to things "of considerable importance, size or worth", "strongly built or made", "concerning the essentials of things" or "real and tangible rather than imaginary".
120. For example, the ICO's 2001 Legal Guidance stated that, in the context of damage and distress, "substantial" related to any processing that "has caused, or is likely to cause, someone to suffer loss or harm, or upset and anguish of a real nature, over and above annoyance level": Great Britain Information Commissioner's Office, Data Protection Act 1998 - Legal Guidance, 54
121. Similarly, in the case of Brett v. Information Commissioner, Case EA/2008/0098 (2009) concerning when the disclosure of personal data would serve a "substantial" public interest, the only direct ruling the First-Tier Tribunal (Information Rights) made was that certain public interests were "so minor or marginal" as to fail to surpass this hurdle (57).
122. Thus, the London School of Economics states the collection of sensitive personal data "require explicit consent for processing, and you will need to get a form signed by the individuals involved in the research as proof of this, or if collecting the information electronically and remotely, use a tick box to show that people have agreed for their data to be used in your research": London School of Economics, "Data Protection Research Data."
123. For example, Cardiff University states that such conditions will only be satisfied if the research is in the substantial public interest and the processing "will not affect the individual data subjects": Cardiff University, "Corporate Compliance: Introduction to the Data Protection Act" (2004) http://www.cardiff.ac.uk/govrn/cocom/resources/5307.doc (accessed 12 December 2010).
124. It is difficult to see how it can be guaranteed that any non-anonymous write-up in today's digital age will have no effect at all on any named data subject
125. Robert Dingwall, "The Ethical Case against Ethical Regulation of Humanities and Social Science Research," 21st Century Society 3(1) (2008): 3
126. DPA, § 32
127. For an overview of the doctrinal and human rights case in favor of social research benefiting from the same data protection provisions as that of non-academic 'journalism, literature and art' see David Erdos, "Freedom of Expression Turned On Its Head? Academic Inquiry, Journalism and the Data Protection Framework" (forthcoming)
128. Even if some insuperable interpretive barrier ultimately prevents such inclusion, it is also critical that the various issues raised in this article are systematically addressed in the review of the DPA 1998 and the EU Data Protection Directive which is now underway