The document discusses how to properly share personal data according to GDPR regulations. It outlines four key steps: 1) define the purpose for sharing, 2) protect the data being shared through measures like anonymization, 3) inform the individuals behind the data about the processing, and 4) document the sharing and processing to demonstrate compliance. It provides guidance on determining lawful bases for processing, ensuring valid consent is obtained, protecting sensitive data, informing data subjects of their rights, and conducting privacy risk assessments to design a safe data processing procedure.
Sharing personal data and the GDPR - how can it be done - Francisco Romero Pastrana & Dorien Huijser - SRD23
1. Sharing personal data and the GDPR
Dorien Huijser & Francisco Romero Pastrana
https://uu.nl/privacyhandbook
https://geo-data-support.sites.uu.nl/personal-data/
23 May 2023
2. Today
• Data Privacy Handbook
• How to share personal data?
• Privacy scan
• Discussion
3. Data Privacy Handbook
Knowledge base on handling personal data in research
For UU researchers & support staff
Centralises information & translates it for research practice
Open source, open license: https://uu.nl/privacyhandbook
Maintained by RDM Support in collaboration with privacy & faculty data stewards
9. Have a clear and legitimate purpose
Legal reasons to process personal data:
➢ To fulfil a contract or provide a service
• You need the customer's home address to deliver a pizza
➢ To comply with a legal obligation
• The obligation to process salary data is mandated by tax law
➢ To protect an individual's vital interests
• The right to life takes precedence over data protection
➢ To perform a task in the public interest
• The university's interest in conducting research is recognised by Dutch law
➢ To pursue a legitimate interest
• Balances your interests against the individual's interests, e.g. fraud prevention
➢ Because the individual has given consent
• Individuals exercise their right to informational self-determination
➢ Previously collected data can be further used for other purposes*
• But only for 'compatible' purposes, subject to certain conditions, or
• For scientific research purposes, also subject to conditions
https://utrechtuniversity.github.io/dataprivacyhandbook/legal-basis.html
11. Example
https://utrechtuniversity.github.io/dataprivacyhandbook/share-reuse-legal-basis.html
External research question: organic food preferences of all students in the Netherlands?
• Data sharing request to UU
• Received data: processed based on public interest*
UU survey: Do UU students like organic food?
• Survey data collection: public interest*
• Information provided:
• at the start of the survey
• through the project website
• External data sharing request:
• website is updated
• data is minimised
• data sharing agreement is signed
• Data is shared based on 'further processing ...'*
* can also be based on consent
12. Ensuring consent is legitimate
To ensure that consent is legitimate, it must be:
✓ Freely given: a real choice, not coerced
✓ Specific: to specific, fully described processing
✓ Informed: fully informed and kept up to date
✓ Unambiguous and an affirmative action: keep records
✓ Revocable: as easy to withdraw as to give
https://utrechtuniversity.github.io/dataprivacyhandbook/informed-consent-forms.html
13. Ensuring 'Public Interest' is legitimate
✓ The public interest is identified: a specific law or official authority is involved. For university research this is likely based on the Higher Education and Research Act (Wet op het hoger onderwijs en wetenschappelijk onderzoek)
✓ The necessity of the processing is identified:
- Processing is necessary: there is no other way to achieve the purpose, or any other way would require a disproportionate effort
- Processing is proportionate: the scope (number of people), extent (amount of data) and intrusiveness are kept to the minimum necessary
✓ The interests of the data subjects do not override your stated interest:
- Nature of the interest: the individuals' expectations and (potential) interests
- Impact and safeguards: positive/negative impact on individuals, and the measures implemented to address it
https://geo-data-support.sites.uu.nl/personal-data/privacy-review/7-privacy-review
14. Ensuring 'Further processing' is legitimate
To ensure 'further processing for scientific research purposes' is legitimate, it must be:
✓ Only for data reuse: cannot be used for newly collected data
✓ Originally lawfully collected: originally collected using consent or public interest
✓ Compliant with Art. 89(1): safeguards such as data minimisation and de-identification
✓ Strictly for scientific purposes: cannot be used for anything else
✓ Informed: provide information to data subjects as far as possible
https://utrechtuniversity.github.io/dataprivacyhandbook/legal-basis.html
15. What about sensitive personal data?
'Special categories' of personal data have additional restrictions:
genetic, biometric and health data, personal data revealing racial or ethnic origin,
political opinions, religious or philosophical beliefs, trade union membership, and data
concerning a person's sex life or sexual orientation (Art. 9(1) GDPR)
This data can only be used if:
• Explicit consent: an express statement of consent
• Substantial public interest*: necessary for humanitarian purposes, including monitoring epidemics
• Archiving, statistical, historical or scientific research purposes*: subject to strict safeguards
• Manifestly made public by the data subject
• Necessary for employment and social security purposes
• Vital interests
• Establishment, exercise or defence of legal claims
• Medical care, management of health systems, or public health
https://utrechtuniversity.github.io/dataprivacyhandbook/special-types-personal-data.html#special-categories-of-personal-data
16. The importance of Art. 11
https://utrechtuniversity.github.io/dataprivacyhandbook/pseudonymisation-anonymisation.html
• Broadly speaking, there are 2 types of personal data:
• Identified: readily attributable to a specific individual; has a name or ID
• De-identified: cannot be readily attributed; has no name or ID. Art. 11 applies
• Advantages of de-identified personal data
• Compliance with Art. 89 demonstrates data minimisation and shows that the processing does not permit identification of the data subject
• Some rights no longer apply: since you cannot identify specific individuals, you cannot respond to their access, rectification or deletion requests, etc., unless they provide additional information enabling their identification
• Withdrawing consent or objecting will likely have no effect, for the same reason
• Further processing for scientific research is likely allowed, and informing the individuals directly is likely not necessary
• Personal data breach notifications are likely not needed, as a breach is unlikely to result in a risk to the individuals
• It is easier to justify storing data for 10 years or more to safeguard the scientific record
17. How to share personal data?
• Define the purpose for sharing
• Protect the data being shared
• Inform the people behind the data
• Document it
19. Design a safe processing procedure
• Only share the minimum necessary amount of data
• Identify the people behind the data: who are they, and why do the data recipients need their data?
• Identify and justify the processed data: why do the data recipients need each type of data?
• Anonymise/pseudonymise as much as possible
• Restrict data access, encrypt data, and identify who has access and why
• Keep data safe and accurate; avoid data breaches
• Use safe tools
• Do not keep data unless necessary: justify and enforce storage periods
• Ensure compliance: legally binding transfer agreements
• International data transfers?
https://utrechtuniversity.github.io/dataprivacyhandbook/design-strategies.html
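The following is an added example, not code from the slides or from the UU Data Privacy Handbook. It shows, for the de-identification discussed under Art. 11 (slide 16) and the "anonymise/pseudonymise, share only the minimum" measures on this slide, one way to prepare a survey export for an external recipient: drop the direct identifiers, replace the student ID with a keyed pseudonym (HMAC-SHA256, a method chosen here, not prescribed by the slides), coarsen the quasi-identifiers that could single someone out when combined, and refuse the release if any respondent would still be unique. The column names, the sample rows, the band widths and the k threshold are assumptions constructed for illustration.

```python
"""Minimise and pseudonymise a survey export before it is shared.

Added example (not part of the slides or the Data Privacy Handbook).
Column names, sample rows, band widths and the k threshold are assumptions.
"""
import csv
import hashlib
import hmac
import io
import secrets
from collections import Counter

# Constructed sample export with fictional students; a real export would be larger.
RAW_CSV = """\
student_id,email,postcode,birth_year,faculty,likes_organic
1001,a.jansen@students.uu.nl,3584CS,1999,GEO,yes
1002,b.devries@students.uu.nl,3584CL,1994,GEO,no
1003,c.bakker@students.uu.nl,3512JE,2000,HUM,yes
1004,d.visser@students.uu.nl,3512JX,2002,HUM,yes
1005,e.smit@students.uu.nl,3584CS,1998,GEO,no
1006,f.meijer@students.uu.nl,3512JK,2001,HUM,no
"""

# Generalised columns that could still single someone out when combined.
QUASI_IDENTIFIERS = ("postcode_area", "birth_band", "faculty")


def load_rows(raw_csv: str) -> list[dict]:
    return list(csv.DictReader(io.StringIO(raw_csv)))


def pseudonym(key: bytes, identifier: str) -> str:
    """Keyed pseudonym (HMAC-SHA256). The same student always maps to the same
    value, so records stay linkable, but without the key the recipient cannot
    re-derive the student_id. The controller keeps the key apart from the
    shared file and deletes it once re-linking is no longer needed."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def minimise_record(row: dict, key: bytes, band_width: int) -> dict:
    """Keep only what the recipient's question needs: name/email are dropped,
    the ID becomes a pseudonym, postcode and birth year are coarsened."""
    year = int(row["birth_year"])
    lo = year // band_width * band_width
    return {
        "pid": pseudonym(key, row["student_id"]),
        "postcode_area": row["postcode"][:4],          # 3584CS -> 3584
        "birth_band": f"{lo}-{lo + band_width - 1}",   # 1999, width 5 -> 1995-1999
        "faculty": row["faculty"],
        "likes_organic": row["likes_organic"],         # the variable under study
    }


def k_anonymity(records: list[dict]) -> int:
    """Size of the smallest group sharing the same quasi-identifier values.
    A result of 1 means at least one respondent is unique in the release."""
    groups = Counter(tuple(r[q] for q in QUASI_IDENTIFIERS) for r in records)
    return min(groups.values())


def prepare_for_sharing(raw_csv: str, key: bytes, k: int = 2,
                        band_widths: tuple = (5, 10, 20)) -> tuple[list[dict], int]:
    """Generalise just enough that every respondent is indistinguishable from
    at least k-1 others; refuse to release if no tried width achieves that."""
    rows = load_rows(raw_csv)
    for width in band_widths:
        shared = [minimise_record(r, key, width) for r in rows]
        if k_anonymity(shared) >= k:
            return shared, width
    raise ValueError(f"no generalisation reached k={k}; do not release")


if __name__ == "__main__":
    # The controller generates and stores this key; it never travels with the data.
    key = secrets.token_bytes(32)
    shared, width = prepare_for_sharing(RAW_CSV, key)
    print(f"released with {width}-year birth bands, k = {k_anonymity(shared)}")
    for record in shared:
        print(record)
```

With the sample rows, 5-year bands leave one GEO student unique (k = 1), so the function widens to 10-year bands, at which every respondent shares its quasi-identifier values with two others. The recipient holds pseudonymised data and no key, which is the situation in which Art. 11 becomes relevant; the controller, who keeps the key, still holds personal data and must protect the key accordingly.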
22. Inform people and give them control
People must be able to determine the scope and consequences of the processing,
and must know their data protection rights and how to exercise them.
How to provide information:
✓ Understandable, transparent and clear
✓ Easily accessible and timely
✓ Intelligible and concise → use different channels and a layered approach
What information to provide:
✓ Why the data recipients need their data: explain their project
✓ Who is responsible for the processing, and who has data access: describe the team
✓ Describe the processing: how the data is kept safe and minimised. What are the risks?
✓ Describe how the data is (re)used by other scientific projects; update as necessary
✓ What rights they have, and how they can exercise them
✓ Contact info: the person responsible for the processing, their DPOs, and the (Dutch) national data protection authority
https://utrechtuniversity.github.io/dataprivacyhandbook/privacy-notices.html
23. Inform people and give them control
https://utrechtuniversity.github.io/dataprivacyhandbook/data-subject-rights.html
Passive data subject rights: always implemented in your project
• Information: individuals must be provided with information about the processing
• Profiling: the right not to be subject to automated individual decision-making, including profiling
• Notification obligation: notify rectification/erasure/restriction requests to other data recipients
• Effective remedy: to lodge a complaint (with the DPO or the national authority) or seek a remedy in court
• Compensation: to receive compensation for material or non-material damage suffered
Active data subject rights: individuals take steps to exercise them
• Access: can request copies of their personal data
• Rectification: can request correction of inaccurate or incomplete information
• Erasure: can request erasure of their personal data
• Restrict processing: can request that the use of their personal data be stopped or limited
• Data portability: to receive or transfer their data in a commonly used, machine-readable format
• Object: to object to the collection, use and storage of their personal data
• Withdraw consent: processing must stop unconditionally when consent was the legal basis
25. https://utrechtuniversity.github.io/dataprivacyhandbook/privacy-scan.html
Document it!
Ensure that you can demonstrate your compliance efforts – UU Geo faculty Privacy Scan
What is included in the Privacy Scan?
1. The project's purpose
2. Data subjects
3. The categories and purposes of personal data
4. The processing of personal data
5. Information provided to data subjects
6. How data subjects can exercise their data subject rights
7. The lawful basis for processing
8. Measures to ensure compliance by processors and/or joint controllers
9. Planned transfers of personal data to other countries outside the EU
10. How you will obtain and deal with data subjects’ views of the study
11. Preliminary risk assessment