Presentation by Jacques Flores Dourojeanni (Research Data Management Consultant Utrecht University Library), as delivered during the OpenAIRE Legal Policy Webinar series on May 4th 2020. More information and recordings: https://www.openaire.eu/item/openaire-legal-policy-webinars

1. GDPR and Sharing Data
Dr. Jacques Flores Dourojeanni
Research Data Management Consultant
RDM Support -Utrecht University Library
https://www.uu.nl/en/research/research-data-management

2. Legal Basis
How can I legally collect personal data?

3. Personal data may only be processed if at least one of the following applies:
o Informed Consent
o Legitimate interest of the controller
o Legal Obligation
o Contractual
o Vital interest of the data subject
o Public Interest
Lawfulness of Processing (Art. 6)
Collecting information from social media that was meant for the
public domain
…The EDPB considers that the fight against COVID-19 has been
recognized by the EU and most of its Member States as an
important public interest which may require urgent action in the
field of scientific research…
(63) Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak
Used to meet the Legal and Ethical obligations a researcher holds
towards their participants

4. Informed Consent
Freely given
Must be a real choice and not influenced by external factors
Specific
Bound to several specified purposes which are sufficiently explained
Informed
What kind of data; How it will be used; With what purpose; Right to withdraw
Unambiguous
A clear affirmative statement

5. Data subjects must be (at the very least) provided with
• The controller’s identity and contact details
• DPO’s contact details (if there is one)
• Purpose and legal basis for collecting their personal data
• Categories of personal data
• Data Subject Rights
Other requirements may be in place for
• Third country transfers
• Multiple controllers
• Automated Decision-making processes
Right to Information

6. Purpose Limitation
How can I share/reuse data compliantly?

7. Purpose limitation and Data Reuse
The GDPR distinguishes between two types of data use:
1. Research on personal (health) data which consists in the use of
data directly collected for the purpose of scientific studies
(“primary use”) Initial data collection
2. Research on personal (health) data which consists of the further
processing of data initially collected for another purpose
(“secondary use”) Reusing Data

8. Data Reuse and GDPR
The GDPR allows for the secondary use of data (further
processing) if it is for “research purposes” only if:
Appropriate technical and organizational measures are in place to
ensure the privacy of the data subjects is been adequately and
protected
Recital 50 and Article (89)

9. Encryption
Anonymization
Pseudonymization
Technical and Organizational measures
Minimization Aggregation/Abstraction

10. Further processing for research purposes is considered to be a
compatible purpose as long as appropriate safeguards are in place
(Recital 50 GDPR)
Purpose limitation (Art. 6)
Personal Data collected for
Epidemiological Research
Reused for
Epidemiological Research
GDPR

11. Purpose limitation (Art. 6)
Personal Data collected for
Epidemological Research
Reused for
Cancer Immunology Research
GDPR
Further processing for research purposes is considered to be a
compatible purpose as long as appropriate safeguards are in place
(Recital 50 GDPR)

12. Purpose limitation (Art. 6)
Personal Data collected for
Hormone Research
Reused for
Gender Studies
GDPR
Further processing for research purposes is considered to be a
compatible purpose as long as appropriate safeguards are in place
(Recital 50 GDPR)

13. Just because it is Legal does not mean it
is Ethical
Ethical vs Legal

14. Right to Information still applies when reusing data!
Even if re-consent is not required to further process the data, the data subjects still have a right to be
informed about the new processes!
This may be achieved via individual contact if possible or public announcements (websites,
newsletters)
In some cases the right to inform may be waived if it involves a “disproportionate effort” to comply…
It falls upon the controller to prove this and show that a legitimate effort has been made to explore
why it is “disproportionate”
i.e.: A dataset that has
• No contact information
• Data has been heavily pseudonymized
• Poses low risk to the individuals
• No central forum/platform where information can be made available

15. Sharing Personal
Data
How should I formulate an informed consent form to
facilitate data sharing?

16. “DO’S” of Sharing Data and Informed
Consent
 Provide information on the intent to share the data and the
conditions for sharing
Make it clear to the participant [ in the information section] that one of the goals
is to share the data collected with the research community.
i.e. Other researchers may request access to data in the future. Access will only
be granted if they agree to preserve the confidentiality of the information as
requested in this form. Their access will also require approval from the original
research team.

17. “DO’S” of Sharing Data and Informed
Consent
 Be transparent about which information you will make
available
Be granular about which data will be deposited
I give permission to deposit my impulsivity test scores, weight, age
and gender data in a repository

18. “DO’S” of Sharing Data and Informed
Consent
 State the methods you will apply to reduce the risks of
identification
Be specific about the methods employed to improve security and privacy
i.e. I give permission to deposit my pseudonymized impulsivity test scores,
weight, age and gender data in a…
i.e. The principal investigator will keep a link that identifies you to your coded
information, but this link will be kept secure and available only to the principal
investigator or selected members of the research team. Any information that can
directly identify you will remain confidential. Your age and weight will be
grouped into ranges (i.e. 20-30yo, 60-70kg) to reduce the risk of re-identification.

19. DON’TS
Informed Consent: Sharing Data

20. “DON’TS” of Sharing Data and
Informed Consent
 Avoid terms such as fully anonymous
Very difficult to achieve
To be truly anonymous, it should not be possible to re-identify an
individual by any means. Including using external databases,
even if such databases are unknown to the researcher.

21. “DON’TS” of Sharing Data and
Informed Consent
 Avoid promises to destroy all the data
Unless absolutely certain it will be done
Have good reasons for destroying data such as
• The information has been transcribed (audio files)
• No longer needed for verification and re-use no longer expected
Be specific about which data you plan to destroy

22. “DON’TS” of Sharing Data and
Informed Consent
 Avoid promises that all the data will only be accessed by the
research team
Instead describe explicitly which parts of the data will indeed
only be accessed by the research teams and which will be
available to others (after proper measures are taken to increase
privacy).

23. How to Share personal data
Share the metadata and place the data under restricted access
• When requested for the data only share it if requesters fill out a
Data transfer agreement and meet the legal requirements

24. Key points
• The GDPR asks researchers to be transparent towards their participants as to how
their data will be handled and for what purpose.
• Personal data collected for research purposes holds a privileged spot within the
legislation which softens restrictions so long as proper safeguard and measures
are adopted.

25. Q1: What is the best way to deal with international research consortia? Can you govern the
rules of personal data exchange in the consortium agreement and/or do you always need to
setup standard contractual clauses in case the consortium contains partners outside the EEA?
Q2: Does GDPR applies for European Union only or it covers other countries?
Q3: When are patient data sufficiently de-identified to be able to share datasets publicly
online? What should be in place? What to take into account?
Q4: What do you think of the privacy conditions of online meeting applications such as
Zoom?

26. Q5: How to manage published, but controlled access datasets for the long-term?
Should participants be receiving updates about how the data are being used ?
And who will be determining whether a third party gets access (since most PhDs don't stay on at
the same institution)?
Q6: Ideally when sharing data that falls under the GDPR purview, we want to have third parties
sign a data sharing agreement: can we set up standard models for such an agreement?
Q7: For data that doesn't meet the standards of what is anonymous, but would be quite difficult
to re-identify, is there an option to control access solely by requiring the re-user to digitally sign
a list of Terms and Conditions for re-use, e.g. as part of a license on the data? Then there isn't
someone at the institution determining access, but access is somewhat controlled by a legal
document. If so, can we come up with some models for these Terms and Conditions?