Privacy & Cybersecurity Law Blog

On February 27, 2026, the UK Information Commissioner’s Office (“ICO”) announced a public consultation on proposed updates to its guidance concerning the Research, Archiving and Statistics Provisions (the “Guidance”). The updates reflect the changes introduced by the Data (Use and Access) Act 2025 (the “DUAA”). In particular, the Guidance revises the ICO’s criteria for scientific research and introduces the new “disproportionate effort” exemption related to informing data subjects about the reuse of previously collected data for research, as set out under Section 77 of the DUAA.

Scientific Research

The DUAA introduces a statutory definition of what constitutes “scientific research” under the UK General Data Protection Regulation. Namely, “scientific research” is defined as “any research that can reasonably be described as scientific, whether publicly or privately funded and whether carried out as a commercial or non-commercial activity.” In response to the updates introduced by the DUAA, the UK ICO has revised its criteria for scientific research, focussing on four elements: (i) scientific objective, (ii) scientific method, (iii) uncertainty and (iv) transferability. Each criterion is supported by indicative evidence (such as involvement of skilled professionals or use of recognized research methods) and exclusionary evidence (such as research causing harm or merely replicating existing technology). According to an example given by the ICO, a research project aiming to reduce bias in facial recognition algorithms by a technology company would be considered scientific research if it seeks genuine improvement, follows ethical standards, and documents its process.

Disproportionate Effort Exemption

Among setting out other exemptions, the Guidance clarifies the “disproportionate effort” exemption to the right to be informed, as introduced by the DUAA. This exemption permits organizations to refrain from directly providing notice to individuals when reusing personal data for research, archiving, or statistical purposes, but only where doing so would be impossible or would require disproportionate effort. The Guidance notes that in assessing whether the exemption applies, organizations should carefully weigh the effort involved against the potential impact on individuals, considering factors such as the number of people affected, the age of the information, and any safeguards in place. Importantly, even where this exemption is relied upon, organizations must still make privacy information accessible to the public (for example, via their website) and carry out a data protection impact assessment to ensure appropriate protection of individuals’ rights and interests.

The ICO consultation on the Guidance is open until April 27, 2026, and may be completed via an online survey here.

Read the ICO press release here. Read the Guidance here.