Christopher Millard   Legally Compliant Use Of Personal Data In E Social Science
Published in: Technology, Education

Transcript

  • 1. Legally Compliant Use of Personal Data in e-Social Science
      NCeSS 5th International Conference, Cologne
      Workshop on Law and Ethics in e-Social Science, 24 June 2009
      Professor Christopher Millard, Senior Research Fellow, Oxford Internet Institute
      christopher.millard@oii.ox.ac.uk
  • 2. Why are we looking at ‘personal data’?
      • Much work remains to be done on the ethical and legal implications of the use of the Internet and related technologies in e-Social Science
      • Specifically, there are unresolved concerns about the status of various rapidly evolving techniques and processes for collecting, analysing, manipulating, storing, sharing, anonymising (or not), disclosing (voluntarily or not), outsourcing and otherwise handling personal data and sensitive personal data
      • Personal data has become a hot topic with (often sensational) headlines about the ‘surveillance state’, DNA retention policy, large scale data losses, the impact of social networking, etc
      • There appears to be significant disquiet, and some confusion, regarding the risks associated with large databases and identity issues in the public sector - this makes it all the more important that appropriate safeguards can be articulated and demonstrated in relation to e-science research
  • 3. Back to basics: what rules govern ‘personal data’?
      • The main source in the EU is the Data Protection Directive 1995
      • Does this mean that the rules are now basically harmonised, i.e. standardised, across Europe, and clear?
      • Sadly … NO! … for two reasons
          1. The Directive is addressed to the EU Member States for them to implement in their national laws. All 27 have now done so but they have done so inconsistently, even at the definitional level.
          2. Local regulators and courts have, in various cases, applied divergent interpretations to the Member State laws.
  • 4. What is ‘personal data’ supposed to cover?
      • “‘Personal data’ shall mean any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”. Data Protection Directive, Article 2 (a)
      • Complex rules apply to the processing of so-called “special categories of data” [also known as “sensitive personal data”] defined as: “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life” as well as “the processing of data relating to offences, criminal convictions or security measures” and “processing of data relating to administrative sanctions or judgements in civil cases”. Data Protection Directive, Article 8 (1), (5)
  • 5. ‘Personal data’: the concept in practice according to the EU privacy regulators
      Article 29 Data Protection Working Party: Opinion on the concept of personal data
      Step 1: Is it information?
      • Objectively or subjectively, eg. creditworthiness / competence
      • Broad range of formats, including audio, video, biometrics, etc
      Step 2: Does it relate to a person?
      • Content (eg. medical records) or
      • Purpose (eg. evaluating / influencing a person) or
      • Result (eg. decision that may affect someone’s bonus)
  • 6. ‘Personal data’: the concept in practice according to the EU privacy regulators (cont.)
      Article 29 Data Protection Working Party: Opinion on the concept of personal data
      Step 3: Is that person identified or identifiable?
      • Directly (eg. name) or indirectly (eg. phone no. or combination of distinguishing criteria)
      • Cookies
      • Potentially identifiable individuals (eg. graffiti tags)
      • Pseudonymised, key-coded and anonymous data (reversibility)
      Step 4: Is the person a living natural person?
      • Unborn children and frozen embryos
      • Dead people may still be relevant!
      • Legal persons (see DP laws of Italy, Austria & Luxembourg)
  • 7. National courts may take a different view…
      • Eg. the UK Court of Appeal’s ruling in Durant vs. Financial Services Authority [2003]
      • For information to be ‘personal data’ depends on relevance or proximity to the data subject. Need to consider whether:
          • the information is biographical in a significant sense
          • it has the data subject as its focus, and
          • it affects the privacy of the putative data subject, whether in his personal, business or professional capacity.
      • Highly controversial decision: probably the main driver for the European Commission’s infraction proceedings vs. UK
      • UK Information Commissioner has attempted to rationalise Durant with collective EU approach with limited success
  • 8. Moving forward: towards effective and compliant use of personal data in e-science
      Key compliance issues relating to personal data
      • Treatment of anonymous and pseudonymous information
      • Fairness and lawfulness issues (including confidentiality)
      • Consent issues, especially in relation to sensitive personal data
      • Scope of specific exemptions for research activities
      Collaboration and Cross-Border Projects
      • Relationships between ‘data controllers’ and ‘data processors’
      • Specific data security obligations
      • Compliance obligations arising under international research and other arrangements involving transfers of data outside the EEA
  • 9. Possible directions for a practical governance framework for use of personal data in e-Science
      • Privacy Impact Assessments and / or Data Protection Audits for e-Science projects
      • Development of online best practice, which might include layered privacy notices and use of Privacy Enhancing Technologies (PETs) such as “privacy-friendly default settings” (see Article 29 Working Party’s June 2009 opinion on social networks)
      • Guidance on managing risks associated with processing personal data in the Cloud
      • Use of privacy and data protection eLearning tools in e-Science
  • 10. Legally Compliant Use of Personal Data in e-Social Science
      NCeSS 5th International Conference, Cologne
      Workshop on Law and Ethics in e-Social Science, 24 June 2009
      Professor Christopher Millard, Senior Research Fellow, Oxford Internet Institute
      christopher.millard@oii.ox.ac.uk