Concept of the study
• Title: The Open Research Data Pilot: Personal Data and PSI Rules
(focus at this workshop is on personal data rules)
• Period: January 2015 – December 2016
• Aim of the study: Analyse data protection barriers to data
sharing in the context of the Open Research Data Pilot.
• Methodology: The relevant European legal framework, esp. the
Data Protection Directive and the General Data Protection
Regulation, is analysed, and it is explored how those rules influence
the use of data as it is intended under the Pilot.
OpenAIRE Workshop – Barcelona, 4 April 2017

Object: The Open Research Data Pilot
• Within Horizon2020 the Commission is running the Open
Research Data Pilot. The Pilot aims at improving and maximising
access to and re-use of research data generated by projects.
• Projects taking part in the Pilot are obliged to:
• deposit the research data in a research data repository and
• take measures to enable third parties to access, mine, exploit,
reproduce and disseminate this research data.
This means Open Access use.

Rules: Data Protection framework
• The European Charter of Fundamental Rights guarantees the
protection of personal data. According to its Art. 8 (1): “Everyone
has the right to the protection of personal data concerning him.”
• The Data Protection Directive from 1995 harmonises the data
protection legislation in the Member States.
• Those largely harmonised rules will be replaced by the General
Data Protection Regulation (GDPR) which will come into force in
May 2018.

Scope of application
• Data protection rules apply to information which qualifies
as personal data.
• Personal data is defined as: “any information relating to an
identified or identifiable natural person (data subject)” (Art. 4 (1)
GDPR; Art. 2 (a) Data Protection Directive).
• Key element is the possible identification of a person.
• Examples: Name, address, images, voice recordings, information
on diseases, ethnicity, biological traits or behavioral or usage
data

Scope of application
• Within the Pilot research data shall be made openly available
and reusable.
• The Commission defines research data as information, in
particular facts or numbers, collected to be examined and
considered as a basis for reasoning, discussion, or calculation.
• Examples include statistics, results of experiments,
measurements, observations resulting from fieldwork, survey
results, interview recordings and images.
• This definition is very broad.

Scope of application
• It is not possible to determine in a general way whether such
research data include personal data or not.
• Whether this is the case needs to be evaluated on a case by case
basis.
• A careful evaluation is necessary, especially in cases where the
research involves in any way natural persons.
• E.g. in the fields of medicine, biotechnology and social sciences,
research data often contain information traceable to individuals
that can qualify as personal data.

Processing of personal data
• Data protection rules restrict the processing of personal data.
• Processing means “any operation or set of operations which is
performed upon personal data or sets of personal data […], such as
collection, recording, organization, structuring, storage, adaptation or
alteration, retrieval, consultation, use, disclosure by transmission,
dissemination or otherwise making available, alignment or
combination, restriction, erasure or destruction” (Art. 4 (2) GDPR).
Processing basically means any operation in connection with
personal data.

Processing of personal data
• Within the Pilot, research data shall be deposited in a research
data repository.
• The data must be uploaded into an online research data archive
and third parties shall be enabled to access and re-use this
research data.
• Such actions, the uploading of data into a repository as well as
the reuse of the data qualify as processing within the meaning of
data protection law.

Data protection principles
• The basic rule is that personal data may not be processed, unless the
data subject has consented to the processing or another legal
provision permits the processing (see Art. 8 (2) EU Charter).
• Principle of purpose limitation: Personal data should be collected for
specified, legitimate purposes and not further processed in a way
incompatible with those purposes (see Art. 6 (1) (c) Data Protection
Directive; Art. 5 (1) (b) GDPR).
After the collection, the personal data must be used for the
intended purpose and not for any other purpose.

Data protection principles
• Principle of data minimisation: Personal data must be adequate,
relevant and limited to what is necessary in relation to the
purposes for which they are processed (Art. 5 (1) (c) GDPR).
The processing of personal data should be limited to the
minimum amount necessary.
Personal data should only be processed if the purpose of the
processing could not reasonably be fulfilled by other means.

Data protection principles
• The Pilot aims at enabling third parties to access and re-use the
deposited data without any restrictions; the data shall be
available without a time limit and useable beyond the original
purpose for which the data were collected.
• These extensive permissions are clearly at odds with the
fundamental data protection principles of purpose limitation
and data minimisation.
Personal data cannot be made available on an open access
basis as is required by the Open Research Data Pilot.

Research exceptions
• The European legislative acts contain some special provisions on
further processing and longer storage of personal data for
scientific purposes (Art. 6 (1) (b) Directive, Art. 5 (1) (b) GDPR).
• For the scientific research exemptions to apply, the intended use
has to be bound to a specific purpose of research and appropriate
safeguards, in particular to ensure respect for the principle
of data minimisation, have to be in place (Art. 89 (1) GDPR).

Research exceptions
• Within the Pilot, the deposition of the research data in an open
access repository is not connected to a specific purpose of
research and not even to research purposes at all.
• Data are made available for any purposes, scientific or not.
• Appropriate safeguards to ensure leading data protection
principles are not in place.
The open access use of personal data and thus the
participation in the Pilot cannot be legitimised through the
research exemptions.

Consent
• The most important legitimisation for the processing of personal
data is consent of the data subject.
• To have legal effect, consent of the data subject to processing his
personal data must be freely given, specific, informed and
unambiguous (Art. 4 (11) GDPR).
• Specific and informed consent requires a clear and precise
definition of the purposes of processing as well as the recipients.

Consent
• Within the Open Research Data Pilot, the purposes of the
further use of the data and the recipients are unclear.
• Any uses – and not just specific ones – of the deposited data shall be
allowed.
• The data are transferred to all third parties retrieving them.
• Under these circumstances it is impossible to fulfil the
requirement of a specific and informed consent.
The open access use of personal data and thus the
participation in the Pilot cannot be legitimised by consent.

Anonymisation
• Data protection law should not apply to anonymous information.
• This is information which does not relate to an identified or
identifiable natural person or personal data rendered anonymous in
such a manner that the data subject is not or no longer identifiable
(Recital 26 GDPR).
• Whether personal data are sufficiently anonymised needs to be
evaluated on a case by case basis. It depends on e.g. what data is
freely available in public registers, what information is held by other
institutions, how those data can be combined, at what costs, etc.

Summary
• The Pilot aims at making research data generated by projects freely
available and reusable on an open access basis.
• If such research data include personal data, data protection rules are
applicable.
• The use of personal data within the Pilot is at odds with leading data
protection principles.
• The open access use of personal data cannot be legitimised by a
research exception or consent of the data subject.
• Data protection risks can be excluded by effective anonymisation of
the data.

Future Outlook
• The requirements for effective anonymisation should be harmonised.
Common European-wide standards for anonymisation of (research)
data are needed.
• The requirements for consent for specific research purposes could be
lowered, such as allowing for a general consent of the data subject to
all kinds of research-related purposes.
• The research privileges could be extended to allow a broader use of
personal data at least for research purposes.
• Then the Commission could change its open research data policy and
require projects not to open up research data including personal data
on an open access basis but at least for scientific research purposes.