An introduction
GDPR and Research Data
Management
Tim Rodgers, Compliance and Information Governance Manager, ICT
November 2017
GDPR…what’s new?
• A single set of rules governing all EU nations, and all organisations that
process personal data of EU citizens
• Definitions of data
• Sanctions
• Data protection safeguards
• Privacy by Design
• Consent
• Clarity of rights for data subjects
• Incident reporting
Definitions of data
Personal data includes online identifiers and location data (IP addresses, mobile device IDs, cookie IDs)
Pseudonymous data – personal data subject to technological measures so it no longer directly identifies an individual without the use of additional information.
Genetic and biometric data – treated as special categories of personal data
Sanctions
• Isn’t (and has never been) just about loss of data
• For controllers and processors
• Two bands of fine – 2%/€10m or 4%/€20m, whichever is greater
4% can apply to processing without consent, violating principles of privacy by
design, unlawful cross-border data transfers, violation of data subject rights
2% can apply for not having records of processing in order, not notifying ICO or
data subject of a breach, or not conducting an impact assessment
15/01/2018
Data protection safeguards
“To implement appropriate technical and organisational measures”
These safeguards should be appropriate to the degree of risk associated and might include:
- pseudonymisation and/or encryption of personal data
- ensuring ongoing CIA (confidentiality, integrity, availability) and resilience
- restoring availability of and access to data in a timely manner following an incident
- introducing regular testing and evaluation of these systems
Privacy by Design
• Essentially, an organisation ‘shows its working’
• DP concerns should be woven into the design of all procedures, projects and systems
• Good DP compliance by default
• PIAs required for new activities and undertakings
• Especially for new activities and undertakings
• Does this, or should this stand part of ethics work for research?
Consent
• Where required it must be:
Any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed
Organisations need to be able to show how and when consent was obtained.
Not necessarily explicit, but relating to data obtained for specific, explicit and
legitimate purposes.
Individuals must be able to withdraw consent and have a right to be forgotten
(subject to qualification)
Rights for data subjects
• To be informed – for privacy notices to be more robust and transparent
• To have explained the purposes and conditions of processing, intended retention, and rights
• To erasure
• To data portability
• To restriction
• To rectification
• To access
• To object
• To prevent automated processing
Breach reporting
• Mandatory unless there is no risk to the rights of data subjects
• Articles 33 & 34 indicate pseudonymised data is exempt from this (unless
other information would enable someone to identify individuals)
• Notify ICO within 72 hours (and possibly NHS Digital?) – ensure procedures
set up internally, and with your suppliers
GDPR and Research Data Management
Privacy and Innovation
• Obvious main thrust of GDPR – to bolster privacy rights
• BUT ALSO…
• Harmonising legislation
• Exemptions for scientific, historical and health research
Aim to create a Digital Single Market…
Key articles and recitals
• Recital 159 – broad definition of research
• Article 6(4), Recital 50 – organisations processing personal data for research
purposes may avoid restrictions on secondary processing and on processing
sensitive categories of data.
• Article 89 – as long as there are safeguards, organisations may override a data subject's right to object to processing and to seek erasure of personal data
• Article 6(1)(f), Recitals 47, 157. Organisations to process personal data for
research purposes without the consent of a data subject
• Article 49(h), Recital 113 – for some processing personal data can be
transferred to third countries for research purposes without any other transfer
mechanism in place.
Research as a basis for processing
• Article 6(1) outlines lawful bases for processing
• Article 6(4) allows data obtained through a lawful basis to be used for a
secondary research purpose.
• Research not a lawful basis in itself, but could be regarded as a legitimate
interest (Article 6(1)(f))
• What if you get consent, but are not clear at the time of collection about the
research? (Recital 33). Article 6(4) talks about purposes that are compatible
• Indeed Article 89 confirms that research in the public interest, for scientific or
historical research purposes would not be considered incompatible – subject
to safeguards set out in the same article
Research as a purpose
• Controllers may process personal data, without consent, when “processing is
necessary for the purposes of the legitimate interests pursued by the
controller or by a third party, except where such interests are overridden by
the interests or fundamental rights and freedoms of the data subject” (Article
6(1)(f)).
Recital 47 discusses this further, based on the reasonable expectations of the
data subject regarding their relationship with the data controller
Recital 157 identifies benefits of personal data research
Remember that legitimate interests requires balance test (against data subject
rights)
Article 89 Appropriate Safeguards
• Controllers that process personal data for research purposes need to have
safeguards
• Need to focus on data minimisation and process the minimum necessary data
• Recital 33 outlines the need for ethical standards for scientific research
• Pseudonymisation (covered by regulation) – use encouraged providing
research unaffected
• Anonymisation (outside of regulation)
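The distinction the slides draw between pseudonymised data (still personal data, because the key or linkage table can re-identify the subject) and anonymised data (outside the regulation) is easier to see in code. The following Python is an added example and is not code from the presentation or from LSHTM: it pseudonymises constructed patient-style records with a keyed HMAC, keeps the key and the token-to-identifier table separately from the research copy, drops a field the study does not need (the data minimisation step Article 89 asks for), and includes a release check that no direct identifier survived. The field names, the records and the demo key are all constructed for this example.

```python
import hashlib
import hmac
from typing import Dict, List

# Constructed sample records for a hypothetical study; none of these are real people.
SAMPLE_RECORDS: List[Dict] = [
    {"patient_ref": "TEST-0001", "name": "A. Example", "postcode": "ZZ99 9ZZ",
     "year_of_birth": 1980, "hba1c": 48},
    {"patient_ref": "TEST-0001", "name": "A. Example", "postcode": "ZZ99 9ZZ",
     "year_of_birth": 1980, "hba1c": 52},   # a second visit by the same subject
    {"patient_ref": "TEST-0002", "name": "B. Sample", "postcode": "ZZ99 8ZZ",
     "year_of_birth": 1975, "hba1c": 41},
]

# Field handling decided at study design (the minimisation step of Article 89).
DIRECT_IDENTIFIERS = ("patient_ref", "name")   # replaced by one pseudonym
DROPPED_FIELDS = ("postcode",)                 # not needed for the analysis, so removed
RETAINED_FIELDS = ("year_of_birth", "hba1c")   # what the researchers actually receive

# Hypothetical key: in practice it lives in a secret store under a custodian who is
# not part of the research team. It is the "additional information" that re-links.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def make_pseudonym(identifier: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of the identifier. Without the key the token cannot be
    reproduced from a guessed identifier, unlike a plain unsalted hash."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records: List[Dict], key: bytes) -> List[Dict]:
    """Research copy: identifiers replaced by a stable token, unneeded fields dropped.
    The same subject gets the same token, so repeat visits can still be linked."""
    research_copy = []
    for record in records:
        token = make_pseudonym(record["patient_ref"], key)
        row = {"subject_id": token}
        row.update({field: record[field] for field in RETAINED_FIELDS})
        research_copy.append(row)
    return research_copy


def build_linkage_table(records: List[Dict], key: bytes) -> Dict[str, str]:
    """Token -> original reference, held separately from the research copy under
    access control. This is what makes the data pseudonymous rather than anonymous."""
    return {make_pseudonym(r["patient_ref"], key): r["patient_ref"] for r in records}


def reidentify(token: str, linkage_table: Dict[str, str]) -> str:
    """Controlled re-identification, e.g. to honour an erasure request or to feed
    back a clinically significant finding. Raises KeyError if the token is unknown."""
    return linkage_table[token]


def anonymise(research_copy: List[Dict]) -> List[Dict]:
    """Leaving the regulation's scope: drop the linking token entirely. Once the key
    and linkage table are also destroyed, no route back to the subject remains."""
    return [{k: v for k, v in row.items() if k != "subject_id"} for row in research_copy]


def leaks_direct_identifier(rows: List[Dict]) -> bool:
    """Release check: True if any direct identifier or dropped field survived."""
    forbidden = set(DIRECT_IDENTIFIERS) | set(DROPPED_FIELDS)
    return any(forbidden & set(row) for row in rows)


if __name__ == "__main__":
    research = pseudonymise(SAMPLE_RECORDS, DEMO_KEY)
    table = build_linkage_table(SAMPLE_RECORDS, DEMO_KEY)
    for row in research:
        print(row)
    print("linkable back to:", reidentify(research[0]["subject_id"], table))
    print("identifier leak:", leaks_direct_identifier(research))
```

Two design points matter for the regulatory position. First, a keyed HMAC rather than a bare hash: a plain SHA-256 of a patient reference can be reversed by hashing every plausible reference, so it would not meet the "no longer identifies without additional information" test. Second, the research copy and the linkage table are separate artefacts with separate custodians; the research team holding both would make the dataset identifiable in their hands, and the derogations that depend on Article 89 safeguards would be harder to justify.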
Other considerations
• Article 12(1) – Need to inform data subjects of what’s happening to their data
• This should be provided to the data subject at the first contact, and then
updated as purposes are added
• Being explicit and upfront on research might be difficult if research purposes
are not initially known
• Where data obtained from public source there is no need to notify if it would
require disproportionate effort (Recital 62)
Data Subject Rights
• Article 17 discusses the right of erasure when consent is withdrawn, or the data subject objects. However, under 17(3)(d) there is no need to accede to that request if it impairs the achievement of research objectives
• Article 21 discusses the right to object to processing; 21(6) says that an objection can be dismissed if there is a wider public interest – though this needs to consider nation state law (Recital 45)
• All data subject rights can be subject to derogation
• Any derogation applied (under Article 89(2)) needs to be proportionate and regarded as necessary for the fulfilment of [research] purposes
Transfer to third countries for research
• Article 45(1) prohibits transfer of data outside EU unless there is adequate
protection
• Article 46 expects Binding Corporate Rules to be in place or for there to be
explicit consent so that the data subject knows where their data is going
• Article 49(1) permits transfers “necessary for the purposes of compelling
legitimate interests pursued by the controller which are not overridden by the
interests or rights and freedoms of the data subject”
• This can be onerous, with a real focus on safeguards and including
notification to the ICO of which country the data is being sent to
Profiling
• Article 35(2) requires a PIA for: “a systematic and extensive evaluation of
personal aspects relating to…persons which is based on automated
processing, including profiling, and on which decisions are based that
produce legal effects concerning the natural person or similarly significantly
affect the…person.”
• Profiling is “any form of automated processing of personal data consisting of
the use of personal data to evaluate certain personal aspects relating to a…
person, in particular to analyse or predict aspects concerning that… person’s
performance at work, economic situation, health, personal preferences,
interests, reliability, behaviour, location or movements” Article 4(4)). Article
22(1) prohibits controllers from subjecting a data subject to a decision “based
solely on automated processing, including profiling,” as a result of processing
sensitive data, as defined in Article 9, except in limited circumstances
Research sensitive personal data
• Sensitive data can be processed for research – please see Article 9(2)(i)
which says that as long as it’s compliant with Article 89(1) regarding nation
state law then it’s ok
• Recital 52 clarifies that this requires particular safeguards to be in place
• Article 6(4) says data can be used for research as a secondary purpose
(regarded as compatible with the initial purpose that the data was created for)
• Profiling forbidden unless safeguarding in place
Summary of regulation
Exemptions carved out for researchers:
- Researchers can process data for purposes beyond that for which it was
obtained
- Research can be regarded as a legitimate interest
- Data can be shared with 3rd country subject to safeguards
To benefit from these exemptions, researchers must implement appropriate
safeguards, in keeping with recognized ethical standards, that lower the risks of
research for the rights of individuals.
Picklist categories
• IAO
• IAA
• Who has access (organisation)
• Categories of data
• How is it secured?
• How often is it backed up?
• Is it taken off site?
• Retention period
• Disposal arrangements
• Purposes for processing
• Data subjects aware?
• Staff trained in DP?
• Policy awareness
• Incident reporting awareness?
• DPIA completed?
• Media type
• Legal justification for processing
• Business criticality
• Earliest date of recorded data
• How stored
• Where stored
DPIA
• All projects/processes require a DPIA – a Data Privacy Impact Assessment
• Being embedded in ICT Project Management methodology
• Looking to establish in other project management approaches (e.g.
Operational Excellence)
• To think, at every stage, about how the privacy of the data subjects is
impacted by the processing of the data.
The Governance of Information Governance
The Senior Information Risk Owner – John Neilson
Data Protection Co-ordinators (and their Network)
Information Asset Owners
Information Governance Steering Group (IGSG)
Information Governance Operational Group (IGOG)
Information Security Steering Group (ISSG)
Data Protection Officer (being recruited to)
ICT Governance & Legal Services & ARCU
Information Governance Policy Framework
Information Governance Policy Framework – overarching document
Information Security Policy – supported by Codes of Practice
- Information Security Risk Assessment
- Connecting to College Network
- Electronic Messaging
- Inspection of Electronic Communications
- Passwords
Data Protection Policy – supported by Codes of Practice
- covering handling of personal data, patient data, access to personal data,
CCTV, internal registration and security of laptops
Records Retention Schedule
Q&A

2024.03.12 Cost drivers of cultivated meat production.pdf2024.03.12 Cost drivers of cultivated meat production.pdf
2024.03.12 Cost drivers of cultivated meat production.pdfThe Good Food Institute
 
CyberSecurity - Computers In Libraries 2024
CyberSecurity - Computers In Libraries 2024CyberSecurity - Computers In Libraries 2024
CyberSecurity - Computers In Libraries 2024Brian Pichman
 
Oracle Database 23c Security New Features.pptx
Oracle Database 23c Security New Features.pptxOracle Database 23c Security New Features.pptx
Oracle Database 23c Security New Features.pptxSatishbabu Gunukula
 

Último (20)

Top 10 Squarespace Development Companies
Top 10 Squarespace Development CompaniesTop 10 Squarespace Development Companies
Top 10 Squarespace Development Companies
 
The New Cloud World Order Is FinOps (Slideshow)
The New Cloud World Order Is FinOps (Slideshow)The New Cloud World Order Is FinOps (Slideshow)
The New Cloud World Order Is FinOps (Slideshow)
 
UiPath Studio Web workshop Series - Day 3
UiPath Studio Web workshop Series - Day 3UiPath Studio Web workshop Series - Day 3
UiPath Studio Web workshop Series - Day 3
 
Emil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptx
Emil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptxEmil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptx
Emil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptx
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
3 Pitfalls Everyone Should Avoid with Cloud Data
3 Pitfalls Everyone Should Avoid with Cloud Data3 Pitfalls Everyone Should Avoid with Cloud Data
3 Pitfalls Everyone Should Avoid with Cloud Data
 
Graphene Quantum Dots-Based Composites for Biomedical Applications
Graphene Quantum Dots-Based Composites for  Biomedical ApplicationsGraphene Quantum Dots-Based Composites for  Biomedical Applications
Graphene Quantum Dots-Based Composites for Biomedical Applications
 
UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4
 
Where developers are challenged, what developers want and where DevEx is going
Where developers are challenged, what developers want and where DevEx is goingWhere developers are challenged, what developers want and where DevEx is going
Where developers are challenged, what developers want and where DevEx is going
 
AI Workshops at Computers In Libraries 2024
AI Workshops at Computers In Libraries 2024AI Workshops at Computers In Libraries 2024
AI Workshops at Computers In Libraries 2024
 
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptx
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptxGraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptx
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptx
 
IT Service Management (ITSM) Best Practices for Advanced Computing
IT Service Management (ITSM) Best Practices for Advanced ComputingIT Service Management (ITSM) Best Practices for Advanced Computing
IT Service Management (ITSM) Best Practices for Advanced Computing
 
LF Energy Webinar - Unveiling OpenEEMeter 4.0
LF Energy Webinar - Unveiling OpenEEMeter 4.0LF Energy Webinar - Unveiling OpenEEMeter 4.0
LF Energy Webinar - Unveiling OpenEEMeter 4.0
 
Technical SEO for Improved Accessibility WTS FEST
Technical SEO for Improved Accessibility  WTS FESTTechnical SEO for Improved Accessibility  WTS FEST
Technical SEO for Improved Accessibility WTS FEST
 
SheDev 2024
SheDev 2024SheDev 2024
SheDev 2024
 
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedInOutage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
 
March Patch Tuesday
March Patch TuesdayMarch Patch Tuesday
March Patch Tuesday
 
2024.03.12 Cost drivers of cultivated meat production.pdf
2024.03.12 Cost drivers of cultivated meat production.pdf2024.03.12 Cost drivers of cultivated meat production.pdf
2024.03.12 Cost drivers of cultivated meat production.pdf
 
CyberSecurity - Computers In Libraries 2024
CyberSecurity - Computers In Libraries 2024CyberSecurity - Computers In Libraries 2024
CyberSecurity - Computers In Libraries 2024
 
Oracle Database 23c Security New Features.pptx
Oracle Database 23c Security New Features.pptxOracle Database 23c Security New Features.pptx
Oracle Database 23c Security New Features.pptx
 

GDPR and Research Data Management

Privacy by Design
• Essentially an organisation ‘shows its working’
• DP concerns should be woven into the design of all procedures, projects, systems
• Good DP compliance by default
• PIAs required for new activities and undertakings
• Especially for new activities and undertakings
• Does this, or should this, stand as part of ethics work for research?

Consent
• Where required it must be: “Any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed”
• Organisations need to be able to show how and when consent was obtained.
• Not necessarily explicit, but relating to data obtained for specific, explicit and legitimate purposes.
• Individuals must be able to withdraw consent and have a right to be forgotten (subject to qualification)

Rights for data subjects
• To be informed – for privacy notices to be more robust and transparent
• To have explained the purposes and conditions of processing, intended retention, and rights
• To erasure
• To data portability
• To restriction
• To rectification
• To access
• To object
• To prevent automated processing

Breach reporting
• Mandatory unless there is no risk to the rights of data subjects
• Articles 33 & 34 indicate pseudonymised data is exempt from this (unless other information would enable someone to identify individuals)
• Notify the ICO within 72 hours (and possibly NHS Digital?) – ensure procedures are set up internally, and with your suppliers

Privacy and Innovation
• Obvious main thrust of GDPR – to bolster privacy rights
• BUT ALSO…
• Harmonising legislation
• Exemptions for scientific, historical and health research
Aim to create a Digital Single Market…

Key articles and recitals
• Recital 159 – broad definition of research
• Article 6(4), Recital 50 – organisations processing personal data for research purposes may avoid restrictions on secondary processing and on processing sensitive categories of data.
• Article 89 – as long as there are safeguards, organisations may override a data subject’s right to object to processing and seek erasure of personal data
• Article 6(1)(f), Recitals 47, 157 – organisations may process personal data for research purposes without the consent of a data subject
• Article 49(h), Recital 113 – for some processing, personal data can be transferred to third countries for research purposes without any other transfer mechanism in place.

Research as a basis for processing
• Article 6(1) outlines lawful bases for processing
• Article 6(4) allows data obtained through a lawful basis to be used for a secondary research purpose.
• Research is not a lawful basis in itself, but could be regarded as a legitimate interest (Article 6(1)(f))
• What if you get consent, but are not clear at the time of collection about the research? (Recital 33). Article 6(4) talks about purposes that are compatible
• Indeed Article 89 confirms that research in the public interest, for scientific or historical research purposes, would not be considered incompatible – subject to safeguards set out in the same article

Research as a purpose
• Controllers may process personal data, without consent, when “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject” (Article 6(1)(f)).
• Recital 47 discusses this further, based on the reasonable expectations of the data subject regarding their relationship with the data controller
• Recital 157 identifies benefits of personal data research
• Remember that legitimate interests requires a balance test (against data subject rights)

Article 89 Appropriate Safeguards
• Controllers that process personal data for research purposes need to have safeguards
• Need to focus on data minimisation and process the minimum necessary data
• Recital 33 outlines the need for ethical standards for scientific research
• Pseudonymisation (covered by regulation) – use encouraged providing research is unaffected
• Anonymisation (outside of regulation)
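An added example, not from the slides, of the pseudonymisation/anonymisation distinction drawn on the “Definitions of data” and “Article 89 Appropriate Safeguards” slides: the pseudonymised dataset can still be linked back to a person using separately held additional information (here an HMAC key and lookup table), so it remains personal data, whereas the aggregated output has no such link. All records, field names and function names are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample research extract (invented names and participant ids).
PARTICIPANTS = [
    {"participant_id": "P-1001", "name": "Alice Example", "age": 34, "diagnosis": "asthma"},
    {"participant_id": "P-1002", "name": "Bob Example", "age": 51, "diagnosis": "asthma"},
    {"participant_id": "P-1003", "name": "Carol Example", "age": 29, "diagnosis": "diabetes"},
]

# Fields that directly identify a person and must not reach the research copy.
DIRECT_IDENTIFIERS = ("participant_id", "name")


def new_pseudonymisation_key() -> bytes:
    """The 'additional information' of the slide-3 definition: a random key
    held separately from the dataset, under restricted access."""
    return secrets.token_bytes(32)


def pseudonym_for(key: bytes, participant_id: str) -> str:
    """Keyed HMAC, not a plain hash: without the key nobody can recompute
    the token from a guessed participant id and link records back."""
    return hmac.new(key, participant_id.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    """Return (research dataset, lookup table).

    The dataset keeps only research fields plus the token; the lookup table
    (token -> participant_id) is re-identification material and is stored
    with the key, never alongside the dataset. Because it exists, the
    dataset is still personal data under the regulation."""
    dataset, lookup = [], {}
    for rec in records:
        token = pseudonym_for(key, rec["participant_id"])
        lookup[token] = rec["participant_id"]
        research_fields = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        dataset.append({"pseudonym": token, **research_fields})
    return dataset, lookup


def reidentify(lookup, token):
    """Controlled re-identification: only possible for whoever holds the lookup."""
    return lookup.get(token)


def anonymise(records):
    """Aggregate to counts per diagnosis so no output row maps to one
    individual and no lookup exists; this is the 'outside of regulation'
    case on slide 15 (data minimisation taken to its end point)."""
    counts = {}
    for rec in records:
        counts[rec["diagnosis"]] = counts.get(rec["diagnosis"], 0) + 1
    return counts
```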
Other considerations
• Article 12(1) – need to inform data subjects of what’s happening to their data
• This should be provided to the data subject at the first contact, and then updated as purposes are added
• Being explicit and upfront on research might be difficult if research purposes are not initially known
• Where data is obtained from a public source there is no need to notify if it would require disproportionate effort (Recital 62)

Data Subject Rights
• Article 17 discusses the right of erasure when consent is withdrawn, or the data subject ob
• However, under 17(3)(d) there is no need to accede to that request if it impairs the achievement of research objectives
• Article 21 discusses the right to object to processing; 21(6) says that an objection can be dismissed if there is a wider public interest – though this needs to consider nation state law (Recital 45)
• All data subject rights can be subject to derogation
• Any derogation applied (under Article 89(2)) needs to be proportionate and regarded as necessary for the fulfilment of [research] purposes

Transfer to third countries for research
• Article 45(1) prohibits transfer of data outside the EU unless there is adequate protection
• Article 46 expects Binding Corporate Rules to be in place, or for there to be explicit consent so that the data subject knows where their data is going
• Article 49(1) permits transfers “necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject”
• This can be onerous, with a real focus on safeguards and including notification to the ICO of which country the data is being sent to

Profiling
• Article 35(2) requires a PIA for: “a systematic and extensive evaluation of personal aspects relating to…persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the…person.”
• Profiling is “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a… person, in particular to analyse or predict aspects concerning that… person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements” (Article 4(4)).
• Article 22(1) prohibits controllers from subjecting a data subject to a decision “based solely on automated processing, including profiling,” as a result of processing sensitive data, as defined in Article 9, except in limited circumstances

Research and sensitive personal data
• Sensitive data can be processed for research – please see Article 9(2)(i), which says that as long as it’s compliant with Article 89(1) regarding nation state law then it’s ok
• Recital 52 clarifies that this requires particular safeguards to be in place
• Article 6(4) says data can be used for research as a secondary purpose (regarded as compatible with the initial purpose that the data was created for)
• Profiling forbidden unless safeguarding is in place

Summary of regulation
Exemptions carved out for researchers:
- Researchers can process data for purposes beyond that for which it was obtained
- Research can be regarded as a legitimate interest
- Data can be shared with a 3rd country subject to safeguards
To benefit from these exemptions, researchers must implement appropriate safeguards, in keeping with recognized ethical standards, that lower the risks of research for the rights of individuals.

Picklist categories
• IAO
• IAA
• Who has access (organisation)
• Categories of data
• How is it secured?
• How often is it backed up?
• Is it taken off site?
• Retention period
• Disposal arrangements
• Purposes for processing
• Data subjects aware?
• Staff trained in DP?
• Policy awareness
• Incident reporting awareness?
• DPIA completed?
• Media type
• Legal justification for processing
• Business criticality
• Earliest date of recorded data
• How stored
• Where stored

DPIA
• All projects/processes require a DPIA – a Data Privacy Impact Assessment
• Being embedded in ICT Project Management methodology
• Looking to establish in other project management approaches (e.g. Operational Excellence)
• To think, at every stage, about how the privacy of the data subjects is impacted by the processing of the data.

The Governance of Information Governance
• The Senior Information Risk Owner – John Neilson
• Data Protection Co-ordinators (and their Network)
• Information Asset Owners
• Information Governance Steering Group (IGSG)
• Information Governance Operational Group (IGOG)
• Information Security Steering Group (ISSG)
• Data Protection Officer (being recruited to)
• ICT Governance & Legal Services & ARCU

Information Governance Policy Framework
• Information Governance Policy Framework – overarching document
• Information Security Policy – supported by Codes of Practice:
- Information Security Risk Assessment
- Connecting to College Network
- Electronic Messaging
- Inspection of Electronic Communications
- Passwords
• Data Protection Policy – supported by Codes of Practice covering handling of personal data, patient data, access to personal data, CCTV, internal registration and security of laptops
• Records Retention Schedule

Q&A