An introduction to the General Data Protection Regulation (GDPR) and its implications for research data management. Presentation given by Tim Rodgers of Imperial College London at the London Area Research Data meeting, held at the London School of Hygiene & Tropical Medicine on 17th Nov 2017.
1. An introduction: GDPR and Research Data Management
Tim Rodgers, Compliance and Information Governance Manager, ICT
November 2017
2. GDPR…what’s new?
• A single set of rules governing all EU nations, and all organisations that process personal data of EU citizens
• Definitions of data
• Sanctions
• Data protection safeguards
• Privacy by Design
• Consent
• Clarity of rights for data subjects
• Incident reporting
3. Definitions of data
Personal data includes online identifiers and location data (IP addresses, mobile device IDs, cookie IDs)
Pseudonymous data – personal data subject to technological measures so it no longer directly identifies an individual without the use of additional information.
Genetic and biometric data – treated as special categories of personal data
4. Sanctions
• Isn’t (and has never been) just about loss of data
• For controllers and processors
• Two bands of fine – 2%/€10m or 4%/€20m, whichever is greater
4% can apply to processing without consent, violating principles of privacy by design, unlawful cross-border data transfers, violation of data subject rights
2% can apply for not having records of processing in order, not notifying the ICO or data subject of a breach, or not conducting an impact assessment
15/01/2018
5. Data protection safeguards
“To implement appropriate technical and organisational measures”
These safeguards should be appropriate to the degree of risk associated and might include:
- pseudonymisation and/or encryption of personal data
- ensuring ongoing confidentiality, integrity and availability (CIA) and resilience
- restoring availability of and access to data in a timely manner following an incident
- introducing regular testing and evaluation of these systems
6. Privacy by Design
• Essentially, an organisation ‘shows its working’
• DP concerns should be woven into the design of all procedures, projects and systems
• Good DP compliance by default
• PIAs required, especially for new activities and undertakings
• Does this, or should this, stand as part of ethics work for research?
7. Consent
• Where required it must be:
“Any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed”
Organisations need to be able to show how and when consent was obtained.
Not necessarily explicit, but relating to data obtained for specific, explicit and legitimate purposes.
Individuals must be able to withdraw consent and have a right to be forgotten (subject to qualification)
8. Rights for data subjects
• To be informed – privacy notices to be more robust and transparent
• To have explained the purposes & conditions of processing, intended retention, and rights
• To erasure
• To data portability
• To restriction
• To rectification
• To access
• To object
• To prevent automated processing
9. Breach reporting
• Mandatory unless there is no risk to the rights of data subjects
• Articles 33 & 34 indicate pseudonymised data is exempt from this (unless other information would enable someone to identify individuals)
• Notify ICO within 72 hours (and possibly NHS Digital?) – ensure procedures are set up internally, and with your suppliers
11. Privacy and Innovation
• Obvious main thrust of GDPR – to bolster privacy rights
• BUT ALSO…
• Harmonising legislation
• Exemptions for scientific, historical and health research
Aim to create a Digital Single Market…
12. Key articles and recitals
• Recital 159 – broad definition of research
• Article 6(4), Recital 50 – organisations processing personal data for research purposes may avoid restrictions on secondary processing and on processing sensitive categories of data.
• Article 89 – as long as there are safeguards, organisations may override a data subject's right to object to processing and to seek erasure of personal data
• Article 6(1)(f), Recitals 47, 157 – organisations may process personal data for research purposes without the consent of a data subject
• Article 49(h), Recital 113 – for some processing, personal data can be transferred to third countries for research purposes without any other transfer mechanism in place.
13. Research as a basis for processing
• Article 6(1) outlines lawful bases for processing
• Article 6(4) allows data obtained through a lawful basis to be used for a secondary research purpose.
• Research is not a lawful basis in itself, but could be regarded as a legitimate interest (Article 6(1)(f))
• What if you get consent, but are not clear at the time of collection about the research? (Recital 33). Article 6(4) talks about purposes that are compatible
• Indeed Article 89 confirms that research in the public interest, for scientific or historical research purposes, would not be considered incompatible – subject to safeguards set out in the same article
14. Research as a purpose
• Controllers may process personal data, without consent, when “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject” (Article 6(1)(f)).
Recital 47 discusses this further, based on the reasonable expectations of the data subject regarding their relationship with the data controller
Recital 157 identifies benefits of personal data research
Remember that legitimate interests requires a balancing test (against data subject rights)
15. Article 89 Appropriate Safeguards
• Controllers that process personal data for research purposes need to have safeguards
• Need to focus on data minimisation and process the minimum necessary data
• Recital 33 outlines the need for ethical standards for scientific research
• Pseudonymisation (covered by regulation) – use encouraged, provided research is unaffected
• Anonymisation (outside of regulation)
16. Other considerations
• Article 12(1) – need to inform data subjects of what’s happening to their data
• This should be provided to the data subject at the first contact, and then updated as purposes are added
• Being explicit and upfront on research might be difficult if research purposes are not initially known
• Where data is obtained from a public source there is no need to notify if it would require disproportionate effort (Recital 62)
17. Data Subject Rights
• Article 17 discusses the right of erasure when consent is withdrawn, or the data subject objects. However, under 17(3)(d) there is no need to accede to that request if it impairs the achievement of research objectives
• Article 21 discusses the right to object to processing; 21(6) says that objection can be dismissed if there is a wider public interest – though this needs to consider nation state law (Recital 45)
• All data subject rights can be subject to derogation
• Any derogation applied (under Article 89(2)) needs to be proportionate and regarded as necessary for the fulfilment of [research] purposes
18. Transfer to third countries for research
• Article 45(1) prohibits transfer of data outside the EU unless there is adequate protection
• Article 46 expects Binding Corporate Rules to be in place, or for there to be explicit consent so that the data subject knows where their data is going
• Article 49(1) permits transfers “necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject”
• This can be onerous, with a real focus on safeguards and including notification to the ICO of which country the data is being sent to
19. Profiling
• Article 35(2) requires a PIA for: “a systematic and extensive evaluation of personal aspects relating to…persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the…person.”
• Profiling is “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a… person, in particular to analyse or predict aspects concerning that… person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements” (Article 4(4)). Article 22(1) prohibits controllers from subjecting a data subject to a decision “based solely on automated processing, including profiling,” as a result of processing sensitive data, as defined in Article 9, except in limited circumstances
20. Research sensitive personal data
• Sensitive data can be processed for research – please see Article 9(2)(i), which says that as long as it’s compliant with Article 89(1) regarding nation state law then it’s ok
• Recital 52 clarifies that this requires particular safeguards to be in place
• Article 6(4) says data can be used for research as a secondary purpose (regarded as compatible with the initial purpose that the data was created for)
• Profiling forbidden unless safeguards are in place
21. Summary of regulation
Exemptions carved out for researchers:
- Researchers can process data for purposes beyond that for which it was obtained
- Research can be regarded as a legitimate interest
- Data can be shared with a 3rd country subject to safeguards
To benefit from these exemptions, researchers must implement appropriate safeguards, in keeping with recognised ethical standards, that lower the risks of research for the rights of individuals.
22.
• IAO
• IAA
• Who has access (organisation)
• Categories of data
• How is it secured?
• How often is it backed up?
• Is it taken off site?
• Retention period
• Disposal arrangements
• Purposes for processing
Picklist categories
• Data subjects aware?
• Staff trained in DP?
• Policy awareness
• Incident reporting awareness?
• DPIA completed?
• Media type
• Legal justification for processing
• Business criticality
• Earliest date of recorded data
• How stored
• Where stored
23. DPIA
• All projects/processes require a DPIA – a Data Privacy Impact Assessment
• Being embedded in ICT Project Management methodology
• Looking to establish in other project management approaches (e.g. Operational Excellence)
• To think, at every stage, about how the privacy of the data subjects is impacted by the processing of the data.
24. The Governance of Information Governance
The Senior Information Risk Owner – John Neilson
Data Protection Co-ordinators (and their Network)
Information Asset Owners
Information Governance Steering Group (IGSG)
Information Governance Operational Group (IGOG)
Information Security Steering Group (ISSG)
Data Protection Officer (being recruited to)
ICT Governance & Legal Services & ARCU
25. Information Governance Policy Framework
Information Governance Policy Framework – overarching document
Information Security Policy – supported by Codes of Practice
- Information Security Risk Assessment
- Connecting to College Network
- Electronic Messaging
- Inspection of Electronic Communications
- Passwords
Data Protection Policy – supported by Codes of Practice
- covering handling of personal data, patient data, access to personal data, CCTV, internal registration and security of laptops
Records Retention Schedule