
GDPR and Personal Data: Basic Concepts

Dr Libby Bishop, GESIS – Leibniz-Institute for the Social Sciences, Köln. Dr Scott Summers, UK Data Service, University of Essex. 11 December 2018, RDM in the Time of GDPR. Overview. Areas to be covered: Ethical Considerations, GDPR, Data Protection


Presentation Transcript


  1. GDPR and Personal Data: Basic Concepts Dr Libby Bishop GESIS–Leibniz-Institute for the Social Sciences Köln Dr Scott Summers UK Data Service University of Essex 11 December 2018 RDM in the Time of GDPR

  2. Overview • Areas to be covered: • Ethical Considerations • GDPR • Data Protection • Informed Consent After these sessions, I hope you will: Be respectful, but not afraid, of doing research and sharing data under GDPR Understand roles for both legal duties and ethical responsibilities Know some practical actions for collecting/generating sharable data Be more confident drafting consent forms to accommodate GDPR and data sharing for your research or support work

  3. Disclaimer • The information in this presentation is based on our current interpretation of the legislation and its implications for research and the archiving of research data • There is much written, but little case law, and thus changes will happen • This presentation does not constitute, and should not be construed as, legal advice and / or guidance • Expertise is British and more recently German, and national variations can be significant (e.g., bases for processing)

  4. Ethical Thinking about Data

  5. Ethical Reflection • By definition, ethical questions concern difficult and complex issues, with conflicting courses of action • “Open data” vs. “Protection of participants’ privacy” • There may be more than one right answer, or no good one • Ethical reflection always necessary, with or without formal Ethical Review (CESSDA Expert Guide focuses on Review) • Many resources: Ethics Self Test, checklists, even apps

  6. Ethical Review Process • The principles of good research practice encourage you to consider the wider consequences of your research and the interests of your participants • Ethics review by a Research Ethics Committee (REC) is often required when (sensitive) personal data are being collected • The role of a REC is to protect the safety, rights and well-being of research participants (and the institution) and to promote ethically sound research • This involves ensuring that research complies with national and international data protection laws regarding the use of personal data collected in research

  7. Ethical Arguments for Archiving Data • Make best use of hard-to-obtain data, e.g. elites, socially excluded, expensive, etc. • Not burden over-researched, vulnerable groups • Extend voices of participants • Improve research integrity by being transparent (and reputation of science could use a little help…)

  8. Data Protection

  9. The General Data Protection Regulation (GDPR) • The GDPR came into full effect on 25 May 2018 • What is it trying to do? • Strengthen rights of data subjects • While also enabling free flow of data within EU • Harmonize data protection laws throughout the EU • Increases responsibilities on entities handling data to demonstrate compliance

  10. The General Data Protection Regulation (GDPR) • The GDPR applies to any data controller or data processor in the EU who collects personal data about a data subject of any country, anywhere in the world • A data controller or data processor that is based outside the EU but collects personal data on EU citizens will also be covered by the GDPR • This means that a researcher (data controller) based within the EU who collects personal data about a participant, from any other country within the EU, or the world, needs to comply with the GDPR • Also means a researcher (data controller) outside the EU who collects personal data about a participant in the EU will be covered when this relates to offering goods/services or the monitoring of their behaviour within the EU

  11. GDPR applies to… • Personal data of ‘living persons’ • Rec.26; Art.4(1) • "Personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. • Sensitive data • Rec.10, 34, 35, 51; Art.9(1) • "Sensitive Personal Data" are personal data, revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data. • Data which do not count as personal data do not fall under GDPR • There may still be ethical reasons for wanting to protect this information!

  12. Principles Relating to Processing of Personal Data • 1. Process lawfully, fairly and transparently • The participant is informed of what will be done with the data and data processing should be done accordingly • 2. Keep to the original purpose • Data should be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. * Note Article 5(1)(b), Article 89 * • 3. Minimise data size • Personal data that are collected should be adequate, relevant and limited to what is necessary

  13. Principles Relating to Processing of Personal Data • 4. Uphold accuracy • Personal data should be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate are erased or rectified without delay • 5. Remove data which are not used • Personal data should be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. * Note Article 5(1)(e), Article 89 * • 6. Ensure data integrity and confidentiality • Personal data are processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures

  14. GDPR Archiving and Research Exemption • Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organisational measures are in place in particular in order to ensure respect for the principle of data minimisation. Those measures may include pseudonymisation provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner (Art. 89(1)) • Principles 2 and 5 are less strict • 2. Purpose: further processing allowed • 5. Personal data may be stored for longer periods

  15. The Grounds for Processing Personal Data • There are 6 grounds for the processing of personal data, and one of these must be present in order to process a data subject’s personal data: • 1. Consent of the data subject • 2. Necessary for the performance of a contract • 3. Legal obligation placed upon controller • 4. Necessary to protect the vital interests of the data subject • 5. Carried out in the public interest or is in the exercise of official authority • 6. Legitimate interest pursued by controller

  16. GDPR - Data Subject Rights • The right to be informed • The right of access • The right to rectification • The right to erasure - the ‘right to be forgotten’ • The right to restrict processing • The right to data portability (new) • Rights in relation to automated individual decision-making and profiling • https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/ X = right does not apply

  17. Best Practice for Legal Compliance • Plan early and investigate early which laws apply to your data • Do not collect personal or sensitive data if not essential to your research • Seek advice from your research office • If you must deal with personal or sensitive data • Inform participants about how their data will be used • Remember: not all research data are personal (e.g. anonymised data are not personal)

  18. Informed Consent

  19. Consider Consent Across the Data Lifecycle • Engagement in the research process • What activities are involved in participating in the project? • Dissemination in presentations, publications, the web • Consent for use of quotes for articles and video publicity • Data sharing and archiving • Consider future uses of data • * Consent is always dependent on the research context – special cases of covert research and verbal consent

  20. Informed Consent – Data Sharing (1) • Gaining informed consent for data sharing is often just one more small step to gaining consent from participants to partake in a research project and disseminate outputs • Discussing data sharing and archiving puts the participant in charge of choosing whether they wish their data to be available for use in future research projects

  21. Informed Consent – Data Sharing (2) • The best way to achieve informed consent for data sharing is to explain the possible future uses of their data and offer the participant the option to consent on a granular level • In a qualitative study, this may involve allowing the participant to consent to data sharing of the anonymised transcripts, the non-anonymised audio recordings and the photographs • Many modes of collecting consent are valid: writing, verbal, ticking a box on a web page, by choosing technical settings in an app, or by other conduct which clearly indicates the data subject's acceptance of the proposed processing of their personal data in this context.

  22. Informed Consent & GDPR • Consent needs to be freely given (a real choice), unambiguous, specific (as to purpose and consequences), informed (granular, but not too) and by a clear affirmative action (no consent as default option) • When special categories data are processed – and the processing ground for this is consent – there is a further requirement that this must be based on explicit consent • Consent may not actually be more difficult (assuming you were already obtaining it) • But explaining multiple grounds for processing personal data may be complicated • GDPR requires that you collect and store complete records and documentation of consent.

  23. Even More on Consent • Under the GDPR, data can be moved to a third country • 1. if there has been an “adequacy decision” (adequate protection exists), or • 2. with express consent in combination with information about possible risks • Past consent – may still be valid, but only if compliant with GDPR requirements • Where consent is used as the grounds for processing, it must be distinguished from consent for other purposes (e.g., ethical standards) • Withdrawal – example from Understanding Society – UK longitudinal survey • How do I withdraw from the survey? • You are under no statutory or contractual obligation to provide us with your personal data. You have the right at any time to withdraw from the survey. If you do this, you will no longer be contacted by us. Any survey responses you have given us in the past, and which have already been made available from the UK Data Service will remain, but no additional information about you will be deposited. Your contact details will no longer be used, but will be kept archived to ensure that we do not contact you again on the occasion that there is an additional sample added to the study, or we start a new study. • https://www.understandingsociety.ac.uk/participants/faq

  24. In Practice: Wording in Consent Forms / Information Sheets

  25. Consent Exercises

  26. Strategies for Sharing Data 1. Obtain informed consent, also for data sharing and preservation or curation 2. Protect identities e.g. anonymisation and not collecting personal data 3. Regulate access where needed (all or part of data) e.g. by group, use or time period And always securely store personal or sensitive data

  27. Summary – how well did we do? • Be respectful, but not afraid, of research and sharing under GDPR • GDPR does not prohibit research, or sharing (personal) data • Understand roles for both legal duties and ethical responsibilities • Comply with the law, seek legal expertise, and conduct ethical reflection • (Aunt Carmen test… and keep data subjects’ interests foremost) • Know some practical actions for collecting/generating sharable data • Know your legal basis; obtain valid consent; document all; and use all tools available: consent, data alteration (anonymization), and restricting access • Be more informed about drafting consent forms to accommodate both GDPR and data sharing for your research or support work • Start early; (re)use work of others; share and share alike

  28. Consent Exercise – 3 Options • 1. Data sharing – Handout: Exercise: Consent for data sharing and reuse • 2. GDPR compliance – Handout: Simplified checklist for GDPR-aware consent • Assess a consent form against this checklist. You may use the UK Data Service form, or one from someone in your group. • 3. Both…

  29. Questions • Dr Libby Bishop • ElizabethLea.Bishop@gesis.org

  30. Anonymous and Pseudonymous Data • Anonymous data • Rec.26 • The GDPR does not apply to data that are rendered anonymous in such a way that individuals cannot be identified from the data. • Pseudonymous Data • Rec.26, 28-29, 75, 78, 156; Art.4(5), 6(4)(e), 25(1), 32(1)(a), 40(2)(d), 89(1) • Pseudonymous data are still treated as personal data because they enable the identification of individuals (albeit via a key). However, provided that the "key" that enables re‑identification of individuals is kept separate and secure, the risks associated with pseudonymous data are likely to be lower, and so the levels of protection required for those data are likely to be lower.

  31. What if Anonymisation is Impossible? • Anonymisation should be considered in the context of the whole project and how it can be utilised alongside informed consent and access controls • Obtain consent for sharing non-anonymised data • Regulate or restrict user access
