This 20-minute presentation provides participants with a case study on data protection issues encountered by research partners awarded a fictional Horizon 2020/Horizon Europe grant. Participants will follow the work of the data controller and processors committed to handling and storing the personal data of EU and non-EU citizens for research purposes.
Participants will be engaged in evaluating the compliance of research activities with the General Data Protection Regulation (GDPR), which defines the principles relating to the processing of personal data, the lawfulness of such processing and the modalities for ensuring transparent information, communication and the rights of data subjects.
Rules and best practices in data processing are part of the essential toolbox for Research Managers and Administrators, who, together with Data Protection Officers, answer the growing call for GDPR compliance. Beyond understanding accountability and the privacy-by-design and privacy-by-default principles, these professionals must keep up with the constantly updated data protection guidelines issued by the European Data Protection Board.
This session targets an intermediate-level audience, aware of the topic of data protection/GDPR and willing to engage with other professionals in a case study analysis. The session will include a short Q&A and a follow-up survey to gather the best practices in data management that participants apply in their day-to-day work.
GDPR and personal data protection in EU research projects
1. GDPR and Protection of Personal Data in Horizon 2020 and Horizon Europe: a Case Study for Research Managers and Administrators
Lorenzo Mannella
2. My profile
Current position: Project manager at UNIBO; focus on post-award, ethics
Past experience: Proposal writing (SC2, BBI); freelance science writer
Background: MA in Science Communication; MSc in Plant Biotechnology
Lorenzo Mannella (@Loremann)
3. Our goals
Explore a fictional H2020/HEU
project with research activities
processing personal data
Check compliance of research
activities with the General Data
Protection Regulation (GDPR)
Beyond the case study: discuss
best practices (Q&A) and collect
feedback from participants
4. CrimeWords
(a fictional project)
9 international partners analysing
stereotypes in criminal trials and
related news media
Research based on algorithms
analysing language nuances of media
products and confidential criminal
records
Third parties provide access to
datasets and confidential records
We are the Coordinator’s
project manager
5. The Consortium
Project Coordinator: IT
Partners processing personal data: DE, ES, FR, DK
Partners handling web/social media data: FI, PL
Partners storing research data: IE, UK
6. The manager’s checklist
Read and understand the DoA
Meet with the research team
Comply with H2020/HEU rules
Contact Legal Office and DPO
Draft and submit deliverables
Monitor activities
Draft and submit reports
Predict the future
7. The best case scenario
Data subjects will give consent
Police and Court will mail
confidential information
Personal data collected,
digitalized, stored and
processed on University’s
premises despite COVID-19
Only anonymous data will be
published
Handling personal data
9. Data management plan
No personal data to external cloud services
Data | Storage | Access
Original criminal records | Locked cabinet | Each PI has keys
Scanned criminal records | University servers (LAN) | Restricted to research group
Transcription of criminal records | Researchers' laptop/tablet | Restricted to device owner
Pseudonymised criminal records | Consortium private network | Restricted to project partners
Aggregated data | Public | Public
10. Everything goes well
Rights of data subjects are
enforced
Project partners deliver great
results and make an impact
Researchers and manager
successfully archive the project
and look forward to new
opportunities
CrimeWords succeeds
11. The worst case scenario
Brexit disrupts data flow: what if
the UK partner needs to test
algorithms on criminal records
instead of anonymous data?
Cloud services at partner level
are located in the US: what if the
Privacy Shield is not valid
anymore?
A partner leaves the consortium:
what if data is lost?
Issues with personal data
12. From: researcher@uni.edu
Sent: 23/12/2020
To: manager@uni.edu
Subject: FW:
Just recalled this email. Shall we answer that?
From: reg.office@police.gov
Sent: 10/11/2020
To: researcher1@uni.edu
Subject: R: Request for additional information
Dear Researcher,
our office reminds you that sharing sensitive personal data through an
unencrypted email account may expose individuals to risks
(unauthorized access to personal data). Concerning your request…
13. From: researcher@uni.edu
Sent: 08/11/2020
To: reg.office@police.gov
Subject: Request for additional information
Hi, could you provide further information on criminal
records? Some detail of Court documentation is
missing. See attached documents as an example.
Crime_record_MrOrange_scan.pdf
14. From: manager@uni.edu
Sent: 03/01/2021
To: reg.office@police.gov
Subject: Clarifications on previous requests
To whom it may concern,
our University ensures researchers employed on its
premises adhere to internal regulation on data
protection, section on criminal records (see pag. 134)…
UniversityPrivacyRegulation.pdf
15. Audit by Data Protection
Authority and fining
Findings go under
the lens of the
Authority
The researcher
exposed personal
data by using email
and third party
cloud services
The University is fined for 54.000 €
16. GDPR infringement in the case study
The Data Protection Authority states that our University:
has sent sensitive personal data through unencrypted email and via an open network to the
Police. The University has therefore processed personal data contrary to Article 5 (1) (f)
and Article 32 (1) and (2) of GDPR by failing to take appropriate technical measures to
ensure a level of security appropriate to the risk.
has not reported the personal data breach to the Data Protection Authority and has not
documented the circumstances surrounding the breach once the University became aware
of it. The University has therefore acted in breach of Article 33 (1) and (5) of GDPR.
in the processing of sensitive and privacy-sensitive personal data in a third-party cloud
service, has not taken appropriate technical and organisational measures to prevent
unauthorised disclosure of or unauthorised access to personal data. The University has
therefore processed personal data in breach of Article 5 (1) (f) and Article 32 (1) and (2) of
GDPR.
20. Privacy issues are
(un)predictable
it is hard to spot all of them in
advance
it is hard to convince
researchers to pay attention
other issues often prevail and
privacy is deranked
we think they will stay frozen
and forget them
…until they explode
21. Gear up before the
project begins
Team up with legal and data
protection officers
Establish a set of common
guidelines for data protection
Apply privacy-by-design
principles
Set the boundary of your
responsibility and know when
to escalate issues
is that enough?
22. Let’s collect best practices
Provide your feedback by filling
out a short online survey
check this link:
https://forms.office.com/r/tU103t3Q78
or scan the QR code below
23. Sources
Images and icons: pixabay.com
EDPB news #1: University failed to sufficiently protect sensitive
personal data
EDPB news #2: Polish DPA: University Fined for the lack of Data
Breach Notifications
EDPB news #3: Swedish DPA: Police unlawfully used facial
recognition app
Hello, welcome to this session. My name is Lorenzo Mannella and I am going to present a case study for Research Managers and Administrators involved in personal data protection under post-award Horizon 2020 and Horizon Europe projects.
Let me introduce myself. I work as a Horizon 2020 project manager at the University of Bologna, where I focus on broad post-award topics such as reporting, internal communication and ethics. Before that, I wrote H2020 proposals with researchers. I have also written about researchers, as I was a freelance journalist too. That's why I am going to use a bit of imagination in my presentation.
Let's jump directly to our goals for this presentation. We are going to talk about personal data protection in a fictional research project. That's where imagination is going to work for us, setting up fictional research activities and validating them in terms of compliance with the General Data Protection Regulation (Regulation (EU) 2016/679, GDPR). I guess you are familiar with GDPR. If not, I hope this presentation will push you to read it. If you are familiar with GDPR, well, there is no need for explanation. Let's say you are just curious about other managers' sorrows. Let's help each other: I would really like to have a discussion with you on best practices for managing personal data and share some feedback with EARMA.
Let's introduce our fictional project: CrimeWords. Nine international partners will analyse stereotypes in criminal trials and the news. They will collect a set of research data, including personal data, and analyse it through algorithms. Third parties will share confidential data, such as criminal records, with researchers and let them draw a broader picture of the common perception of justice in Europe, considering nuances and prejudices against minorities, and so on. A bold, ambitious project. And we are the Coordinator's project manager, called to keep an eye on the whole thing.
Let's focus on the Consortium. I have summarised some roles for the partners and assigned them different nationalities. Let's assume the coordinator is Italian, just to help us empathise. The coordinator will coordinate and perform research as the other partners do. One group will process personal data in different countries by collecting criminal records. A second group will process data available on the web and social media, while the third one will store the research data collected by the others, analyse it through algorithms and generate public results.
Considering the consortium I have presented you, we as managers will follow a checklist and make sure everything is set and perfectly working. [LIST]… you see – rules, clearances, indicators and deadlines: it is all written there on the checklist. We stick to it but we cannot tick the last box: the real world is out there. Issues happen and our project is not immune to them.
You know, we are managers and of course we can predict a little bit of the future ahead. In my experience, I play a «what if» game based on the DoA. What if we have to run a project that collects personal data related to criminal convictions and offences? Well, personal data processing will be based on consent, confidential records will arrive by postal mail, and once in the hands of researchers we will make sure they are handled with care despite COVID-19. In the end, only anonymous data will be published. Nice. Let's call it «What if everything is going to be ok?».
Everything is going to be ok if we do some background work. This is the planned data flow for our research. It is just a sketch, showing the elements we need to put together in order to deliver results and achieve our goals. We have criminal records, compared with data collected from web news. Then a set of algorithms performs the hard work: generating results that have an impact on society. We learn something more about nuances and prejudice in the way we speak about crimes.
Behind the previous sketch stands a complex structure, almost invisible outside the project consortium. We help establish a data management plan shared among partners that ensures hard copies of personal data are stored securely and digital copies are stored on local servers, so researchers from each beneficiary can process the data, pseudonymise it, pool it at project level and have it analysed by algorithms before going public with aggregated data.
Eventually, our work is successful. This is the obvious outcome of the «what if» scenario we are talking about. The research is good. The data management is good. We can turn the page and work on something new. […] I call this daydreaming: positive thinking telling me what to do, like reading instructions. But, in a remote corner of my mind, stands another question: «what if everything goes wrong?».
Yes, what if everything goes wrong? We start thinking of all the possible issues out there. [LIST] Have you noticed this detail? In the best case scenario we have a checklist of to-do actions. Here in the worst case scenario we have a list of questions. A set of «what if…» nested in a wider «what if everything goes wrong?». It can go wrong this way, that way, or another way. So we rush to think of possible back-up plans for Brexit, the US Privacy Shield and other major events. It is stressful: not because these problems are bigger than the project, but because they drain our time and attention. That is the precise moment when an unexpected issue hits us.
Like this one. Out of the blue, possibly around Christmas time, a researcher from our University forwards us an email. Let's take a look at it [EMAIL]. Why is the police writing about sharing criminal records via email? We established a postal-mail-only protocol to get those documents. The picture is not that clear, so we need some time to scroll down to the previous messages and find this…
[EMAIL] … an email from our researcher containing a scan of confidential criminal records, sent to the Police in November, on a Sunday, without any encryption, probably from a home or public connection. Really? I mean, the researcher was not supposed to do that. But, as managers, do we really need to worry? I am sharing this question with you right now.
Ok, so let's assume we just do this. We struggle during Christmas time, find some time to check our internal regulations and try to explain the situation to the Police. Our University cares about privacy, we have a set of rules to ensure data subjects' rights are enforced, our storage protocols are strong, this was a single mistake, we sincerely apologise. It will not happen again. We promise. Done? Is that enough? No, it is not. We are missing the bigger picture. Our University is in breach and we did nothing to inform the Data Protection Authority, even though Article 33 requires the controller to notify a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it.
This negligence in handling personal data, noticed by the Police, is forwarded to the Data Protection Authority itself. The Authority organises inspections and finds out that the researcher violated GDPR by sending criminal records via unencrypted email, and also used a third-party cloud service to transfer criminal records from the workstation to a laptop at home. Our University is fined 54.000 €. Come on, really?
Let's focus on the infringement of GDPR articles in detail. Our researcher potentially exposed personal data. Our University discovered the violation but failed to report it to the Authority and ignored the risks. The audit finds that the researcher also used a third-party cloud service, which was not allowed by our protocol. Does this «what if…» look too bad? Is this a worst case scenario that could not possibly happen in real life? What if it is true?
In fact, this case study is inspired by a true story. A research group at Umeå University (Sweden) requested from the police preliminary investigation reports concerning cases of male rape. When the research group sent an email to the police requesting further information, one of the scanned reports was attached as a reference. The event triggered an investigation by the Swedish Data Protection Authority, which showed that the research group had stored over a hundred scanned preliminary investigation reports in the American cloud service Box, even though the University's internal guidelines said that special categories of data should not be stored in that cloud service. An administrative fine of 54.000 € was issued against the University.
I invite you to follow the National News section of the European Data Protection Board. You will find many detailed cases of data protection issues across European companies, hospitals and research centres. It happens all the time, like this Polish university disclosing video recordings of students showing their IDs during exams...
… or the Swedish police, some of whose personnel unlawfully used a facial recognition app. No one is flawless. So, what can we learn from this case study?
We can say privacy issues are both predictable and unpredictable at the same time. Predictable, as we know what can possibly go wrong (data is exposed, a cloud service is insecure, data collections are lost). Unpredictable, as we are not able to notice all issues, or we lose track of them until they are exposed by a critical event. So, what can we do?
We should be ready even before the project begins. We are not alone in enforcing data protection, so we might want to team up with legal and data protection officers to establish guidelines in advance and explain to researchers that privacy comes first. Once we make this clear, we should also be able to set the boundary of our responsibility and know when to escalate and involve others. It doesn't mean «I don't care», but «I really care a lot, and you should too». I know, what if this slide is not telling enough? Well, what if you tell your part of the story?
Let's go beyond the case study, share the benefit of participating in EARMA 2021 and collect our individual best practices. We can spread our experience and knowledge while discussing feedback from other colleagues. At a face-to-face convention we would have had a coffee together and a chat. In this virtual session, you can take your time and visit the link published on this slide. I look forward to your questions.