The Open Research Data Pilot: Personal Data and PSI Rules, Andreas Wiebe and Nils Dietrich, University of Göttingen (8th OpenAIRE workshop)

The Open Research Data Pilot and Personal Data Rules

OpenAIRE task 7.1

Concept of the study• Title: The Open Research Data Pilot: Personal Data and PSI Rules

(focus at this workshop is on personal data rules)

• Period: January 2015 – December 2016

• Aim of the study: Analyse data protection barriers to data

sharing in the context of the Open Research Data Pilot.

• Methodology: The relevant European legal framework, esp. the

Data Protection Directive and the General Data Protection

Regulation are analysed and explored how those rules influence

the use of data as it is intended under the Pilot.

OpenAIRE Workshop – Barcelona, 4 April 2017

Object: The Open Research Data Pilot• Within Horizon2020 the Commission is running the Open

Research Data Pilot. The Pilot aims at improving and maximising

access to and re-use of research data generated by projects.

• Projects taking part in the Pilot are obliged to:

• deposit the research data in a research data repository and

• take measures to enable third parties to access, mine, exploit,

reproduce and disseminate this research data.

This means Open Access use.


Rules: Data Protection framework • The European Charter of Fundamental Rights guarantees the

protection of personal data. According to its Art. 8 (1): “Everyone

has the right to the protection of personal data concerning him.”

• The Data Protection Directive from 1995 harmonises the data

protection legislation in the Member States.

• Those largely harmonised rules will be replaced by the General

Data Protection Regulation (GDPR) which will come into force in

May 2018.


Scope of application • Data protection rules apply to such information, which qualifies

as personal data.

• Personal data is defined as: “any information relating to an

identified or identifiable natural person (data subject); (Art. 4 (1)

GDPR; Art. 2 (a) Data Protection Directive).

• Key element is the possible identification of a person.

• Examples: Name, address, images, voice recordings, information

on diseases, ethnicity, biological traits or behavioral or usage

data


Scope of application • Within the Pilot research data shall be made openly available

and reusable.

• The commission defines research data as information, in

particular facts or numbers, collected to be examined and

considered as a basis for reasoning, discussion, or calculation.

• Examples include statistics, results of experiments,

measurements, observations resulting from fieldwork, survey

results, interview recordings and images.

• This definition is very broad.


Scope of application • It is not possible to determine in a general way whether such

research data include personal data or not.

• Whether this is the case needs to be evaluated on a case by case

basis.

• A careful evaluation is necessary, especially in cases where the

research involves in any way natural persons.

• E.g. in the fields of medicine, biotechnology and social sciences,

research data often contain information traceable to individuals

that can qualify as personal data.


Processing of personal data • Data protection rules restrict the processing of personal data.

• Processing means “any operation or set of operations which is

performed upon personal data or sets of personal data […], such as

collection, recording, organization, structuring, storage, adaptation or

alteration, retrieval, consultation, use, disclosure by transmission,

dissemination or otherwise making available, alignment or

combination, restriction, erasure or destruction” (Art. 4 (2) GDPR).

Processing basically means any operation in connection with

personal data.


Processing of personal data • Within the Pilot, research data shall be deposited in a research

data repository.

• The data must be uploaded into an online research data archive

and third parties shall be enabled to access and re-use this

research data.

• Such actions, the uploading of data into a repository as well as

the reuse of the data qualify as processing within the meaning of

data protection law.


Data protection principles • The basic rule is that personal data may not be processed, unless the

data subject has consented to the processing or another legal

provision permits the processing (see Art. 8 (2) EU Charter).

• Principle of purpose limitation: Personal data should be collected for

specified, legitimate purposes and not further processed in a way

incompatible with those purposes (see Art. 6 (1) (c) Data Protection

Directive; Art. 5 (1) (b) GDPR).

After the collection, the personal data must be used for the

intended purpose and not for any other purpose.


Data protection principles • Principle of data minimisation: Personal data must be adequate,

relevant and limited to what is necessary in relation to the

purposes for which they are processed (Art. 5 (1) (c) GDPR).

The processing of personal data should be limited to the

minimum amount necessary.

Personal data should only be processed if the purpose of the

processing could not reasonably be fulfilled by other means.


Data protection principles • The Pilot aims at enabling third parties to access and re-use the

deposited data without any restrictions; the data shall be

available without a time limit and useable beyond the original

purpose for which the data were collected.

• These extensive permissions are clearly at odds with the

fundamental data protection principles of purpose limitation

and data minimisation.

Personal data cannot be made available on an open access

basis as is required by the Open Research Data Pilot.


Research exceptions • The European legislative acts contain some special provisions on

further processing and longer storage of personal data for

scientific purposes (Art. 6 (1) (b) Directive, Art. 5 (1) (b) GDPR).

• For the scientific research exemptions to apply, the intended use

has to be bound on a specific purpose of research and appro-

priate safeguards, in particular to ensure respect for the principle

of data minimisation, have to be in place (Art. 89 (1) GDPR).


Research exceptions • Within the Pilot, the deposition of the research data in an open

access repository is not connected to a specific purpose of

research and not even to research purposes at all.

• Data are made available for any purposes, scientific or not.

• Appropriate safeguards to ensure leading data protection

principles are not in place.

The open access use of personal data and thus the

participation in the Pilot cannot be legitimised through the

research exemptions.


Consent • The most important legitimisation for the processing of personal

data is consent of the data subject.

• To have legal effect, consent of the data subject to processing his

personal data must be freely given, specific, informed and

unambiguous (Art. 4 (11) GDPR).

• Specific and informed consent requires a clear and precise

definition of the purposes of processing as well as the recipients.


Consent • Within the Open Research Data Pilot, the purposes of the

further use of the data and the recipients are unclear.

• Any uses –and not just specific ones– of the deposited data shall be

allowed.

• The data are transferred to all third parties retrieving them.

• Under these circumstances it is impossible to fulfil the

requirement of a specific and informed consent.

The open access use of personal data and thus the

participation in the Pilot cannot be legitimised by consent.


Anonymisation • Data protection law should not apply to anonymous information.

• This is information which does not relate to an identified or

identifiable natural person or personal data rendered anonymous in

such a manner that the data subject is not or no longer identifiable

(Recital 26 GDPR).

• Whether personal data are sufficiently anonymised needs to be

evaluated on a case by case basis. It depends on e.g. what data is

freely available in public registers, what information is hold by other

institutions, how those data can be combined at what costs etc.


Summary • The Pilot aims at making research data generated by projects freely

available and reusable on open access basis.

• If such research data include personal data, data protection rules are

applicable.

• The use of personal data within the Pilot is at odds with leading data

protection principles.

• The open access use of personal data cannot be legitimised by a

research exception or consent of the data subject.

• Data protection risks can be excluded by effective anonymisation of

the data.


Future Outlook • The requirements for effective anonymisation should be harmonised.

Common European wide standards for anonymisation of (research)

data are needed.

• The requirements for consent for specific research purposes could be

lowered, such as allowing for a general consent of the data subject to

all kind of research related purposes.

• The research privileges could be extended to allow a broader use of

personal data at least for research purposes.

• Than the Commission could change its open research data policy and

require projects not to open up research data including personal data

on open access basis but at least for scientific research purposes.


THANK YOU FOR YOUR ATTENTION!


Science

The Open Research Data Pilot: Personal Data and PSI Rules, Andreas Wiebe and Nils Dietrich, University of Göttingen (8th OpenAIRE workshop)