Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

GDPR and Research Data Management

3,562 views

Published on

An introduction to the General Data Protection Regulation (GDPR) and its implications for research data management. Presentation given by Tim Rodgers of Imperial College London at the London Area Research Data meeting, held at the London School of Hygiene & Tropical Medicine on 17th Nov 2017.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

GDPR and Research Data Management

  1. 1. An introduction GDPR and Research Data Management Tim Rodgers, Compliance and Information Governance Manager, ICT November 2017
  2. 2. GDPR…what’s new? • A single set of rules governing all EU nations, and all organisations that process personal data of EU citizens • Definitions of data • Sanctions • Data protection safeguards • Privacy by Design • Consent • Clarity of rights for data subjects • Incident reporting
  3. 3. Definitions of data Personal data includes online identifiers and location data (IP addresses, mobile device IDs, cookie IDs) Pseudonymous data – personal data subject to technological measures so it no longer directly identifies an individual without the use of additional information. Genetic and biometric data – treated as special categories of personal data 3
  4. 4. Sanctions • Isn’t (and has never been) just about loss of data • For controllers and processors • Two bands of fine – 2%/€10m or 4%/€20m which ever is greater 4% can apply to processing without consent, violating principles of privacy by design, unlawful cross-border data transfers, violation of data subject rights 2% can apply for not having records of processing in order, not notifying ICO or data subject of a breach, or not conducting an impact assessment 15/01/20184
  5. 5. Data protection safeguards “To implement appropriate technical and organisational measures” These safeguards should be appropriate to the degree of risk associated and might include : - pseudonymisation and/or encryption of personal data - ensuring ongoing CIA and resillience - restoring availability of and access to data in a timely manner following incident - introduce regular testing and evaluation of these systems 15/01/20185
  6. 6. Privacy by Design • Essential an organisation ‘shows its working’ • DP concerns should be weaved into the design of all procedures, projects, systems • Good DP compliance by default • PIAs required for new activities and undertakings • Especially for new activities and undertakings • Does this, or should this stand part of ethics work for research? 15/01/20186
  7. 7. Consent • Where required it must be : Any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed Organisations need to be able to show how and when consent was obtained. Not necessarily explicit, but relating to data obtained for specific, explicit and legitimate purposes. Individuals must be able to withdraw consent and have a right to be forgotten (subject to qualification) 15/01/20187
  8. 8. Rights for data subjects • To be informed – for privacy notices to be more robust and transparent • To have explained purposes & conditions of processing, intended retention, right • To erasure • To data portability • To restriction • To rectification • To access • To object • To prevent automated processing 15/01/20188
  9. 9. Breach reporting • Mandatory unless there is no risk to the rights of data subjects • Articles 33 & 34 indicate pseudonymised data is exempt from this (unless other information would enable someone to identify individuals) • Notify ICO within 72 hours (and possibly NHS Digital?) – ensure procedures set up internally, and with your suppliers 15/01/20189
  10. 10. Privacy and Innovation • Obvious main thrust of GDPR – to bolster privacy rights • BUT ALSO… • Harmonising legislation • Exemptions for scientific, historical and health research Aim to create a Digital Single Market…
  11. 11. Key articles and recitals • Recital 159 – broad definition of research • Article 6(4), Recital 50 – organisations processing personal data for research purposes may avoid restrictions on secondary processing and on processing sensitive categories of data. • Article 89 – as long as there are safeguards, organisations may override a data subjects right to objet to processing and seek erasure of personal data • Article 6(1)(f), Recitals 47, 157. Organisations to process personal data for research purposes without the consent of a data subject • Article 49(h), Recital 113 – for some processing personal data can be transferred to third countries for research purposes without any other transfer mechanism in place. 12
  12. 12. Research as a basis for processing • Article 6(1) outlines lawful bases for processing • Article 6(4) allows data obtained through a lawful basis to be used for a secondary research purpose. • Research not a lawful basis in itself, but could be regarded as a legitimate interest (Article 6(1)(f)) • What if you get consent, but are not clear at the time of collection about the research? (Recital 33). Article 6(4) talks about purposes that are compatible • Indeed Article 89 confirms that research in the public interest, for scientific or historical research purposes would not be considered incompatible – subject to safeguards set out in the same article 15/01/201813
  13. 13. Research as a purpose • Controllers may process personal data, without consent, when “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject” (Article 6(1)(f)). Recital 47 discusses this further, based on the reasonable expectations of the data subject regarding their relationship with the data controller Recital 157 identifies benefits of personal data research Remember that legitimate interests requires balance test (against data subject rights) 15/01/201814
  14. 14. Article 89 Appropriate Safeguards • Controllers that process personal data for research purposes need to have safeguards • Need to focus on data minimisation and process the minimum necessary data • Recital 33 outlines the need for ethical standards for scientific research • Pseudonymisation (covered by regulation) – use encouraged providing research unaffected • Anonymisation (outside of regulation) 15/01/201815
  15. 15. Other considerations • Article 12(1) – Need to inform data subjects of what’s happening to their data • This should be provided to the data subject at the first contact, and then updated as purposes are added • Being explicit and upfront on research might be difficult if research purposes are not initially known • Where data obtained from public source there is no need to notify if it would require disproportionate effort (Recital 62) 15/01/201816
  16. 16. Data Subject Rights • Article 17 discusses the right of erasure when consent is withdrawn, or the data subject ob However under 17(3)(d) there is no need to accede to that request if it impairs the achievement of research objectives • Article 21 discusses the right to object to processing 21(6) says that objection can be dismissed if there is a wider public interest – though this needs to consider nation state law (Recital 45) • All data subject rights can be subject to derogation • Any derogations applies (under Article 89(2)) need to be proportionate and regarded as necessary for the fulfilment of [research] purposes 15/01/201817
  17. 17. Transfer to third countries for research • Article 45(1) prohibits transfer of data outside EU unless there is adequate protection • Article 46 expects Binding Corporate Rules to be in place or for there to be explicit consent so that the data subject knows where their data is going • Article 49(1) permits transfers “necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject” • This can be onerous, with a real focus on safeguards and including notification to the ICO of which country the data is being sent to 15/01/201818
  18. 18. Profiling • Article 35(2) requires a PIA for :“a systematic and extensive evaluation of personal aspects relating to…persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the…person.” • Profiling is “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a… person, in particular to analyse or predict aspects concerning that… person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements” Article 4(4)). Article 22(1) prohibits controllers from subjecting a data subject to a decision “based solely on automated processing, including profiling,” as a result of processing sensitive data, as defined in Article 9, except in limited circumstances 15/01/201819
  19. 19. Research sensitive personal data • Sensitive data can be processed for research – please see Article 9(2)(i) which says that as long as it’s compliant with Article 89(1) regarding nation state law then it’s ok • Recital 52 clarifies that this requires particular safeguards to be in place • Article 6(4) says data can be used for research as a secondary purpose (regarded as compatible with the initial purpose that the data was created for) • Profiling forbidden unless safeguarding in place 15/01/201820
  20. 20. Summary of regulation Exemptions carved out for researchers : - Researchers can process data for purposes beyond that for which it was obtained - Research can be regarded as a legitimate interest - Data can be shared with 3rd country subject to safeguards To benefit from these exemptions, researchers must implement appropriate safeguards, in keeping with recognized ethical standards, that lower the risks of research for the rights of individuals. 15/01/201821
  21. 21. • IAO • IAA • Who has access (organisation) • Categories of data • How is it secured? • How often is it backed up? • Is it taken off site? • Retention period • Disposal arrangements • Purposes for processing Picklist categories • Data subjects aware? • Staff trained in DP? • Policy awareness • Incident reporting awareness? • DPIA completed? • Media type • Legal justification for processing • Business criticality • Earliest date of recorded data • How stored • Where stored
  22. 22. DPIA • All projects/processes require a DPIA – a Data Privacy Impact Assessment • Being embedded in ICT Project Management methodology • Looking to establish in other project management approaches (e.g. Operational Excellence) • To think, at every stage, about how the privacy of the data subjects is impacted by the processing of the data.
  23. 23. The Governance of Information Governance The Senior Information Risk Owner – John Neilson Data Protection Co-ordinators (and their Network) Information Asset Owners Information Governance Steering Group (IGSG) Information Governance Operational Group (IGOG) Information Security Steering Group (ISSG) Data Protection Officer (being recruited to) ICT Governance & Legal Services & ARCU
  24. 24. Information Governance Policy Framework Information Governance Policy Framework – overarching document Information Security Policy – supported by Codes of Practice - Information Security Risk Assessment - Connecting to College Network - Electronic Messaging - Inspection of Electronic Communications - Passwords Data Protection Policy – supported by Codes of Practice - covering handling of personal data, patient data, access to personal data, CCTV, internal registration and security of laptops Records Retention Schedule
  25. 25. Q&A

×