20200504_OpenAIRE Legal Policy Webinar: GDPR and Sharing Data

Presentation by Jacques Flores Dourojeanni (Research Data Management Consultant Utrecht University Library), as delivered during the OpenAIRE Legal Policy Webinar series on May 4th 2020.
More information and recordings: https://www.openaire.eu/item/openaire-legal-policy-webinars

  1. GDPR and Sharing Data. Dr. Jacques Flores Dourojeanni, Research Data Management Consultant, RDM Support - Utrecht University Library. https://www.uu.nl/en/research/research-data-management
  2. Legal Basis: How can I legally collect personal data?
  3. Lawfulness of Processing (Art. 6). Personal data may only be processed if at least one of the following applies:
     • Informed Consent
     • Legitimate interest of the controller
     • Legal Obligation
     • Contractual
     • Vital interest of the data subject
     • Public Interest

     Collecting information from social media that was meant for the public domain.

     “…The EDPB considers that the fight against COVID-19 has been recognized by the EU and most of its Member States as an important public interest which may require urgent action in the field of scientific research…” (63) Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak

     Used to meet the Legal and Ethical obligations a researcher holds towards their participants.
  4. Informed Consent
     • Freely given: Must be a real choice and not influenced by external factors
     • Specific: Bound to several specified purposes which are sufficiently explained
     • Informed: What kind of data; how it will be used; with what purpose; right to withdraw
     • Unambiguous: A clear affirmative statement
  5. Right to Information. Data subjects must be (at the very least) provided with:
     • The controller’s identity and contact details
     • DPO’s contact details (if there is one)
     • Purpose and legal basis for collecting their personal data
     • Categories of personal data
     • Data Subject Rights

     Other requirements may be in place for:
     • Third country transfers
     • Multiple controllers
     • Automated Decision-making processes
  6. Purpose Limitation: How can I share/reuse data compliantly?
  7. Purpose limitation and Data Reuse. The GDPR distinguishes between two types of data use:
     1. Initial data collection: research on personal (health) data which consists in the use of data directly collected for the purpose of scientific studies (“primary use”)
     2. Reusing data: research on personal (health) data which consists of the further processing of data initially collected for another purpose (“secondary use”)
  8. Data Reuse and GDPR. The GDPR allows for the secondary use of data (further processing) for “research purposes” only if appropriate technical and organizational measures are in place to ensure the privacy of the data subjects is adequately protected (Recital 50 and Article 89).
  9. Technical and Organizational measures:
     • Encryption
     • Anonymization
     • Pseudonymization
     • Minimization
     • Aggregation/Abstraction
  10. Purpose limitation (Art. 6). Personal data collected for Epidemiological Research, reused for Epidemiological Research (GDPR). Further processing for research purposes is considered to be a compatible purpose as long as appropriate safeguards are in place (Recital 50 GDPR).
  11. Purpose limitation (Art. 6). Personal data collected for Epidemiological Research, reused for Cancer Immunology Research (GDPR). Further processing for research purposes is considered to be a compatible purpose as long as appropriate safeguards are in place (Recital 50 GDPR).
  12. Purpose limitation (Art. 6). Personal data collected for Hormone Research, reused for Gender Studies (GDPR). Further processing for research purposes is considered to be a compatible purpose as long as appropriate safeguards are in place (Recital 50 GDPR).
  13. Ethical vs Legal: Just because it is Legal does not mean it is Ethical.
  14. Right to Information still applies when reusing data! Even if re-consent is not required to further process the data, the data subjects still have a right to be informed about the new processes! This may be achieved via individual contact if possible or public announcements (websites, newsletters). In some cases the right to be informed may be waived if it involves a “disproportionate effort” to comply. It falls upon the controller to prove this and show that a legitimate effort has been made to explore why it is “disproportionate”, i.e. a dataset that:
     • Has no contact information
     • Has been heavily pseudonymized
     • Poses low risk to the individuals
     • Has no central forum/platform where information can be made available
  15. Sharing Personal Data: How should I formulate an informed consent form to facilitate data sharing?
  16. “DO’S” of Sharing Data and Informed Consent: Provide information on the intent to share the data and the conditions for sharing. Make it clear to the participant [in the information section] that one of the goals is to share the data collected with the research community, i.e. “Other researchers may request access to data in the future. Access will only be granted if they agree to preserve the confidentiality of the information as requested in this form. Their access will also require approval from the original research team.”
  17. “DO’S” of Sharing Data and Informed Consent: Be transparent about which information you will make available. Be granular about which data will be deposited: “I give permission to deposit my impulsivity test scores, weight, age and gender data in a repository”
  18. “DO’S” of Sharing Data and Informed Consent: State the methods you will apply to reduce the risks of identification. Be specific about the methods employed to improve security and privacy.
     • i.e. “I give permission to deposit my pseudonymized impulsivity test scores, weight, age and gender data in a…”
     • i.e. “The principal investigator will keep a link that identifies you to your coded information, but this link will be kept secure and available only to the principal investigator or selected members of the research team. Any information that can directly identify you will remain confidential. Your age and weight will be grouped into ranges (i.e. 20-30yo, 60-70kg) to reduce the risk of re-identification.”
  19. DON’TS. Informed Consent: Sharing Data
  20. “DON’TS” of Sharing Data and Informed Consent: Avoid terms such as “fully anonymous”. Very difficult to achieve. To be truly anonymous, it should not be possible to re-identify an individual by any means, including using external databases, even if such databases are unknown to the researcher.
  21. “DON’TS” of Sharing Data and Informed Consent: Avoid promises to destroy all the data, unless absolutely certain it will be done. Have good reasons for destroying data, such as:
     • The information has been transcribed (audio files)
     • No longer needed for verification and re-use no longer expected

     Be specific about which data you plan to destroy.
  22. “DON’TS” of Sharing Data and Informed Consent: Avoid promises that all the data will only be accessed by the research team. Instead describe explicitly which parts of the data will indeed only be accessed by the research teams and which will be available to others (after proper measures are taken to increase privacy).
  23. How to Share personal data: Share the metadata and place the data under restricted access.
     • When the data is requested, only share it if requesters fill out a Data transfer agreement and meet the legal requirements
  24. Key points
     • The GDPR asks researchers to be transparent towards their participants as to how their data will be handled and for what purpose.
     • Personal data collected for research purposes holds a privileged spot within the legislation which softens restrictions so long as proper safeguards and measures are adopted.
  25. Questions
     • Q1: What is the best way to deal with international research consortia? Can you govern the rules of personal data exchange in the consortium agreement and/or do you always need to set up standard contractual clauses in case the consortium contains partners outside the EEA?
     • Q2: Does GDPR apply to the European Union only or does it cover other countries?
     • Q3: When are patient data sufficiently de-identified to be able to share datasets publicly online? What should be in place? What to take into account?
     • Q4: What do you think of the privacy conditions of online meeting applications such as Zoom?
  26. Questions (continued)
     • Q5: How to manage published, but controlled access datasets for the long-term? Should participants be receiving updates about how the data are being used? And who will be determining whether a third party gets access (since most PhDs don't stay on at the same institution)?
     • Q6: Ideally when sharing data that falls under the GDPR purview, we want to have third parties sign a data sharing agreement: can we set up standard models for such an agreement?
     • Q7: For data that doesn't meet the standards of what is anonymous, but would be quite difficult to re-identify, is there an option to control access solely by requiring the re-user to digitally sign a list of Terms and Conditions for re-use, e.g. as part of a license on the data? Then there isn't someone at the institution determining access, but access is somewhat controlled by a legal document. If so, can we come up with some models for these Terms and Conditions?