Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
The Open Research Data Pilot and
Personal Data Rules
OpenAIRE task 7.1
Concept of the study
• Title: The Open Research Data Pilot: Personal Data and PSI Rules
(focus at this workshop is on pers...
Object: The Open Research Data Pilot
• Within Horizon2020 the Commission is running the Open
Research Data Pilot. The Pilo...
Rules: Data Protection framework
• The European Charter of Fundamental Rights guarantees the
protection of personal data. ...
Scope of application
• Data protection rules apply to such information, which qualifies
as personal data.
• Personal data ...
Scope of application
• Within the Pilot research data shall be made openly available
and reusable.
• The commission define...
Scope of application
• It is not possible to determine in a general way whether such
research data include personal data o...
Processing of personal data
• Data protection rules restrict the processing of personal data.
• Processing means “any oper...
Processing of personal data
• Within the Pilot, research data shall be deposited in a research
data repository.
• The data...
Data protection principles
• The basic rule is that personal data may not be processed, unless the
data subject has consen...
Data protection principles
• Principle of data minimisation: Personal data must be adequate,
relevant and limited to what ...
Data protection principles
• The Pilot aims at enabling third parties to access and re-use the
deposited data without any ...
Research exceptions
• The European legislative acts contain some special provisions on
further processing and longer stora...
Research exceptions
• Within the Pilot, the deposition of the research data in an open
access repository is not connected ...
Consent
• The most important legitimisation for the processing of personal
data is consent of the data subject.
• To have ...
Consent
• Within the Open Research Data Pilot, the purposes of the
further use of the data and the recipients are unclear....
Anonymisation
• Data protection law should not apply to anonymous information.
• This is information which does not relate...
Summary
• The Pilot aims at making research data generated by projects freely
available and reusable on open access basis....
Future Outlook
• The requirements for effective anonymisation should be harmonised.
Common European wide standards for ano...
THANK YOU FOR
YOUR ATTENTION!
OpenAIRE Workshop – Barcelona, 4 April 2017
Upcoming SlideShare
Loading in …5
×

The Open Research Data Pilot: Personal Data and PSI Rules, Andreas Wiebe and Nils Dietrich, University of Göttingen (8th OpenAIRE workshop)

837 views

Published on

Presentation at the 8th OpenAIRE workshop on legal issues in Open Research Data

Published in: Science
  • Be the first to comment

The Open Research Data Pilot: Personal Data and PSI Rules, Andreas Wiebe and Nils Dietrich, University of Göttingen (8th OpenAIRE workshop)

  1. 1. The Open Research Data Pilot and Personal Data Rules OpenAIRE task 7.1
  2. 2. Concept of the study • Title: The Open Research Data Pilot: Personal Data and PSI Rules (focus at this workshop is on personal data rules) • Period: January 2015 – December 2016 • Aim of the study: Analyse data protection barriers to data sharing in the context of the Open Research Data Pilot. • Methodology: The relevant European legal framework, esp. the Data Protection Directive and the General Data Protection Regulation are analysed and explored how those rules influence the use of data as it is intended under the Pilot. OpenAIRE Workshop – Barcelona, 4 April 2017
  3. 3. Object: The Open Research Data Pilot • Within Horizon2020 the Commission is running the Open Research Data Pilot. The Pilot aims at improving and maximising access to and re-use of research data generated by projects. • Projects taking part in the Pilot are obliged to: • deposit the research data in a research data repository and • take measures to enable third parties to access, mine, exploit, reproduce and disseminate this research data.  This means Open Access use. OpenAIRE Workshop – Barcelona, 4 April 2017
  4. 4. Rules: Data Protection framework • The European Charter of Fundamental Rights guarantees the protection of personal data. According to its Art. 8 (1): “Everyone has the right to the protection of personal data concerning him.” • The Data Protection Directive from 1995 harmonises the data protection legislation in the Member States. • Those largely harmonised rules will be replaced by the General Data Protection Regulation (GDPR) which will come into force in May 2018. OpenAIRE Workshop – Barcelona, 4 April 2017
  5. 5. Scope of application • Data protection rules apply to such information, which qualifies as personal data. • Personal data is defined as: “any information relating to an identified or identifiable natural person (data subject); (Art. 4 (1) GDPR; Art. 2 (a) Data Protection Directive). • Key element is the possible identification of a person. • Examples: Name, address, images, voice recordings, information on diseases, ethnicity, biological traits or behavioral or usage data OpenAIRE Workshop – Barcelona, 4 April 2017
  6. 6. Scope of application • Within the Pilot research data shall be made openly available and reusable. • The commission defines research data as information, in particular facts or numbers, collected to be examined and considered as a basis for reasoning, discussion, or calculation. • Examples include statistics, results of experiments, measurements, observations resulting from fieldwork, survey results, interview recordings and images. • This definition is very broad. OpenAIRE Workshop – Barcelona, 4 April 2017
  7. 7. Scope of application • It is not possible to determine in a general way whether such research data include personal data or not. • Whether this is the case needs to be evaluated on a case by case basis. • A careful evaluation is necessary, especially in cases where the research involves in any way natural persons. • E.g. in the fields of medicine, biotechnology and social sciences, research data often contain information traceable to individuals that can qualify as personal data. OpenAIRE Workshop – Barcelona, 4 April 2017
  8. 8. Processing of personal data • Data protection rules restrict the processing of personal data. • Processing means “any operation or set of operations which is performed upon personal data or sets of personal data […], such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction” (Art. 4 (2) GDPR).  Processing basically means any operation in connection with personal data. OpenAIRE Workshop – Barcelona, 4 April 2017
  9. 9. Processing of personal data • Within the Pilot, research data shall be deposited in a research data repository. • The data must be uploaded into an online research data archive and third parties shall be enabled to access and re-use this research data. • Such actions, the uploading of data into a repository as well as the reuse of the data qualify as processing within the meaning of data protection law. OpenAIRE Workshop – Barcelona, 4 April 2017
  10. 10. Data protection principles • The basic rule is that personal data may not be processed, unless the data subject has consented to the processing or another legal provision permits the processing (see Art. 8 (2) EU Charter). • Principle of purpose limitation: Personal data should be collected for specified, legitimate purposes and not further processed in a way incompatible with those purposes (see Art. 6 (1) (c) Data Protection Directive; Art. 5 (1) (b) GDPR).  After the collection, the personal data must be used for the intended purpose and not for any other purpose. OpenAIRE Workshop – Barcelona, 4 April 2017
  11. 11. Data protection principles • Principle of data minimisation: Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (Art. 5 (1) (c) GDPR).  The processing of personal data should be limited to the minimum amount necessary.  Personal data should only be processed if the purpose of the processing could not reasonably be fulfilled by other means. OpenAIRE Workshop – Barcelona, 4 April 2017
  12. 12. Data protection principles • The Pilot aims at enabling third parties to access and re-use the deposited data without any restrictions; the data shall be available without a time limit and useable beyond the original purpose for which the data were collected. • These extensive permissions are clearly at odds with the fundamental data protection principles of purpose limitation and data minimisation.  Personal data cannot be made available on an open access basis as is required by the Open Research Data Pilot. OpenAIRE Workshop – Barcelona, 4 April 2017
  13. 13. Research exceptions • The European legislative acts contain some special provisions on further processing and longer storage of personal data for scientific purposes (Art. 6 (1) (b) Directive, Art. 5 (1) (b) GDPR). • For the scientific research exemptions to apply, the intended use has to be bound on a specific purpose of research and appro- priate safeguards, in particular to ensure respect for the principle of data minimisation, have to be in place (Art. 89 (1) GDPR). OpenAIRE Workshop – Barcelona, 4 April 2017
  14. 14. Research exceptions • Within the Pilot, the deposition of the research data in an open access repository is not connected to a specific purpose of research and not even to research purposes at all. • Data are made available for any purposes, scientific or not. • Appropriate safeguards to ensure leading data protection principles are not in place.  The open access use of personal data and thus the participation in the Pilot cannot be legitimised through the research exemptions. OpenAIRE Workshop – Barcelona, 4 April 2017
  15. 15. Consent • The most important legitimisation for the processing of personal data is consent of the data subject. • To have legal effect, consent of the data subject to processing his personal data must be freely given, specific, informed and unambiguous (Art. 4 (11) GDPR). • Specific and informed consent requires a clear and precise definition of the purposes of processing as well as the recipients. OpenAIRE Workshop – Barcelona, 4 April 2017
  16. 16. Consent • Within the Open Research Data Pilot, the purposes of the further use of the data and the recipients are unclear. • Any uses –and not just specific ones– of the deposited data shall be allowed. • The data are transferred to all third parties retrieving them. • Under these circumstances it is impossible to fulfil the requirement of a specific and informed consent.  The open access use of personal data and thus the participation in the Pilot cannot be legitimised by consent. OpenAIRE Workshop – Barcelona, 4 April 2017
  17. 17. Anonymisation • Data protection law should not apply to anonymous information. • This is information which does not relate to an identified or identifiable natural person or personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable (Recital 26 GDPR). • Whether personal data are sufficiently anonymised needs to be evaluated on a case by case basis. It depends on e.g. what data is freely available in public registers, what information is hold by other institutions, how those data can be combined at what costs etc. OpenAIRE Workshop – Barcelona, 4 April 2017
  18. 18. Summary • The Pilot aims at making research data generated by projects freely available and reusable on open access basis. • If such research data include personal data, data protection rules are applicable. • The use of personal data within the Pilot is at odds with leading data protection principles. • The open access use of personal data cannot be legitimised by a research exception or consent of the data subject. • Data protection risks can be excluded by effective anonymisation of the data. OpenAIRE Workshop – Barcelona, 4 April 2017
  19. 19. Future Outlook • The requirements for effective anonymisation should be harmonised. Common European wide standards for anonymisation of (research) data are needed. • The requirements for consent for specific research purposes could be lowered, such as allowing for a general consent of the data subject to all kind of research related purposes. • The research privileges could be extended to allow a broader use of personal data at least for research purposes. • Than the Commission could change its open research data policy and require projects not to open up research data including personal data on open access basis but at least for scientific research purposes. OpenAIRE Workshop – Barcelona, 4 April 2017
  20. 20. THANK YOU FOR YOUR ATTENTION! OpenAIRE Workshop – Barcelona, 4 April 2017

×