
Commit

GDPR compliance page
vildead committed May 24, 2023
1 parent 45e4294 commit 7fbd76a
Showing 12 changed files with 97 additions and 75 deletions.
20 changes: 10 additions & 10 deletions _data/tool_and_resource_list.yml
Expand Up @@ -166,7 +166,7 @@
at providing practical know-how for responsible research.
name: BBMRI-ERIC's ELSI Knowledge Base
related_pages:
- data_protection
- gdpr_compliance
- sensitive
- policy_officer
- data_manager
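Review bot: The replacement tag `gdpr_compliance` on the BBMRI-ERIC ELSI Knowledge Base entry is lowercase, while the page front matter changed elsewhere in this commit (sharing.md, no_resources.md, human_data.md, data_brokering.md) references the new page as `GDPR_compliance`, matching the filename `pages/your_tasks/GDPR_compliance.md`. Confirm which form the site's related_pages lookup actually matches against, and use that one form for every `data_protection` replacement in this file and in the page front matter.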
Expand Down Expand Up @@ -706,7 +706,7 @@
- it_support
- policy_officer
- human_data
- data_protection
- gdpr_compliance
- transmed
url: https://daisy-demo.elixir-luxembourg.org
- description: It guides you step by step through a DMP and lets you export a pre-filled
Expand Down Expand Up @@ -816,7 +816,7 @@
to facilitate data sharing agreements.
name: DAWID
related_pages:
- data_protection
- gdpr_compliance
- policy_officer
- human_data
url: https://dawid.elixir-luxembourg.org/
Expand Down Expand Up @@ -909,7 +909,7 @@
(DPIA).
name: DPIA Knowledge Model
related_pages:
- data_protection
- gdpr_compliance
- policy_officer
- human_data
url: https://converge.ds-wizard.org/knowledge-models/elixir.lu:dpia-research:0.1.0
Expand Down Expand Up @@ -1098,15 +1098,15 @@
related_pages:
- policy_officer
- human_data
- data_protection
- gdpr_compliance
url: https://gitlab.sib.swiss/clinbio/erpa-app
- description: Regulation (eu) 2016/679 of the european parliament and of the council
on the protection of natural persons with regard to the processing of personal
data and on the free movement of such data, and repealing directive 95/46/ec (general
data protection regulation).
name: EU General Data Protection Regulation
related_pages:
- data_protection
- gdpr_compliance
- policy_officer
- human_data
- tsd
Expand Down Expand Up @@ -1423,7 +1423,7 @@
- description: Framework for Responsible Sharing of Genomic and Health-Related Data
name: GA4GH Regulatory and Ethics toolkit
related_pages:
- data_protection
- gdpr_compliance
- sensitive
- policy_officer
- data_manager
Expand Down Expand Up @@ -1772,7 +1772,7 @@
- description: International information security standard
name: ISO/IEC 27001
related_pages:
- data_protection
- gdpr_compliance
- policy_officer
- human_data
url: https://en.wikipedia.org/wiki/ISO/IEC_27001
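Review bot: ISO/IEC 27001 is described on the line above as an international information security standard, yet after this change its related_pages point only at `gdpr_compliance`. Since the same commit splits the old `data_protection` tag into `data_security` and `GDPR_compliance` in the page front matter (for example `your_tasks: [data_security, GDPR_compliance, sensitive]` in no_resources.md), this entry will drop off the security page's tool list unless it is also tagged for that page; consider adding the `data_security` tag here as well.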
Expand Down Expand Up @@ -2042,7 +2042,7 @@
Assessments
name: MONARC
related_pages:
- data_protection
- gdpr_compliance
- policy_officer
- human_data
- transmed
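Review bot: Same question as for ISO/IEC 27001: MONARC's visible description ends in "Assessments", i.e. it is a risk assessment tool rather than a GDPR-specific resource, so swapping `data_protection` for `gdpr_compliance` alone will remove it from the security-oriented page this commit introduces elsewhere. Either add the `data_security` tag alongside `gdpr_compliance` or state why the tool should be listed only under GDPR compliance.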
Expand Down Expand Up @@ -2961,7 +2961,7 @@
- nels
- csc
- tsd
- data_protection
- gdpr_compliance
url: https://scilifelab-data-guidelines.readthedocs.io/en/latest/docs/general/sensitive_data.html
- description: TU Delft costing tool helps to budget for data management personnel
costs in proposals.
2 changes: 1 addition & 1 deletion pages/data_life_cycle/sharing.md
Expand Up @@ -4,7 +4,7 @@ page_id: share
description: Introduction to data sharing.
contributors: [Flora D'Anna, Bert Droesbeke, Niclas Jareborg, Ulrike Wittig]
related_pages:
your_tasks: [data_protection, data_brokering, data_publication, transfer, identifiers, licensing, metadata, sensitive]
your_tasks: [GDPR_compliance, data_security, data_brokering, data_publication, transfer, identifiers, licensing, metadata, sensitive]
training:
- name: Training in TeSS
registry: TeSS
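Review bot: `your_tasks` now references `data_security` and `GDPR_compliance`, but neither a `data_security` page nor the fate of the old `data_protection` page is visible in the loaded part of this diff (the commit reports 12 changed files and 75 deletions, while only 11 files and 19 deletions are shown). Confirm that a page with `page_id: data_security` exists in this commit and that `data_protection` is removed or redirected, otherwise this front matter produces a dangling related-page reference.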
2 changes: 1 addition & 1 deletion pages/national_resources/no_resources.md
Expand Up @@ -132,7 +132,7 @@ national_resources:
how_to_access: Through Feide, only if you are based at the UiB
related_pages:
your_domain: [human_data]
your_tasks: [data_protection, sensitive]
your_tasks: [data_security, GDPR_compliance, sensitive]
your_role: [policy_officer, data_manager]
url: https://rette.app.uib.no/
- name: DataverseNO
2 changes: 1 addition & 1 deletion pages/tool_assembly/csc_assembly.md
Expand Up @@ -5,7 +5,7 @@ description: The Center of Science (CSC) provides high-quality ICT expert servic
page_id: csc
affiliations: [FI, CSC, ELIXIR Europe]
related_pages:
your_tasks: [sensitive, dmp, data_protection, storage, data_publication, data_transfer, data_analysis]
your_tasks: [sensitive, dmp, data_security, GDPR_compliance, storage, data_publication, data_transfer, data_analysis]
your_domain: [human_data]
training:
- name: Training in TeSS
2 changes: 1 addition & 1 deletion pages/tool_assembly/transmed_assembly.md
Expand Up @@ -5,7 +5,7 @@ description: TransMed tool assembly from ELIXIR Luxembourg supports projects in
page_id: transmed
affiliations: [ELIXIR Europe, LU]
related_pages:
your_tasks: [compliance, storage, metadata, data_organisation, data_analysis, sensitive, data_protection, dmp]
your_tasks: [compliance, storage, metadata, data_organisation, data_analysis, sensitive, GDPR_compliance, dmp]
your_domain: [human_data]
---
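Review bot: The TransMed front matter only swaps `data_protection` for `GDPR_compliance`, whereas the CSC and TSD assembly pages changed in the same commit receive both `data_security` and `GDPR_compliance`. If the TransMed assembly also covers technical data protection measures (its existing `compliance` and `storage` tags suggest it does), add `data_security` here for consistency, or note in the commit why it is intentionally excluded.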

2 changes: 1 addition & 1 deletion pages/tool_assembly/tsd_assembly.md
Expand Up @@ -5,7 +5,7 @@ description: The Sensitive Data Service (TSD) provides a platform to store, comp
page_id: tsd
affiliations: ["NO", ELIXIR Europe, University of Oslo]
related_pages:
your_tasks: [dmp, storage, sensitive, data_protection, transfer]
your_tasks: [dmp, storage, sensitive, data_security, GDPR_compliance, transfer]
your_domain: [human_data]
training:
- name: Documentation for the HPC cluster
2 changes: 1 addition & 1 deletion pages/your_domain/human_data.md
Expand Up @@ -55,7 +55,7 @@ When working with human data, you must follow established research ethical guide
* The [Global Alliance for Genomics and Health (GA4GH)](https://www.ga4gh.org) has recommendations for these issues in their [GA4GH regulatory and ethical toolkit](https://www.ga4gh.org/genomic-data-toolkit/regulatory-ethics-toolkit/), see for instance the [Consent Clauses for Genomic Research](https://drive.google.com/file/d/1O5Ti7g7QJqS3h0ABm-LyTe02Gtq8wlKM/view?usp=sharing).
* Personal data protection legislation:
* **Within the EU.** If you are performing human data research in the EU, or your data subjects are located in the EU, then you must adhere to the General Data Protection Regulation - GDPR.
* Requirements for research that fall under the GDPR are outlined in the [RDMkit Data protection page](data_protection).
* Requirements for research that fall under the GDPR are outlined in the [RDMkit GDPR compliance page](GDPR_compliance).
* Attributes of the data determines data sensitivity and sensitivity affects the considerations for data handling. The [RDMkit Data Sensitivity page](sensitive_data) provides guidance on determining and reducing data sensitivity.
* **Outside the EU.** For countries outside the EU, the [International Compilation of Human Research Standards](https://www.hhs.gov/ohrp/sites/default/files/2020-international-compilation-of-human-research-standards.pdf) list relevant legislations.
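Review bot: The new link target `GDPR_compliance` on the "Requirements for research that fall under the GDPR" bullet differs in case from `page_id: gdpr_compliance` declared in the new page and from the `gdpr_compliance` tag used in _data/tool_and_resource_list.yml, while the neighbouring link `(sensitive_data)` is all lowercase. Check whether the site resolves internal links by page_id or by filename and align the case so the link does not 404 on a case-sensitive host. In the unchanged context just below, "Attributes of the data determines" should read "determine" if you are touching this file anyway.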

2 changes: 1 addition & 1 deletion pages/your_role/data_steward_policy.md
Expand Up @@ -4,7 +4,7 @@ description: Data Steward with focus on data policies.
contributors: [Mijke Jetten, Federico Bianchini, Gregoire Rossier, Erik Hjerde, Siiri Fuchs, Minna Ahokas, Priit Adler, Alexander Botzki, Robert Andrews, Celia van Gelder, Daniel Wibberg, Graham Hughes, Marko Vidak, Pedro Fernandes, Pinar Alper, Victoria Dominguez D. Angel, Wolmar Nyberg Åkerström, Alexia Cardona]
page_id: policy_officer
related_pages:
your_tasks: [compliance, licensing, dmp, data_protection, sensitive, dm_coordination]
your_tasks: [compliance, licensing, dmp, GDPR_compliance, sensitive, dm_coordination]
training:
- name: TeSS - ELIXIR’s training portal
registry: TeSS
2 changes: 1 addition & 1 deletion pages/your_role/data_steward_research.md
Expand Up @@ -4,7 +4,7 @@ description: Data Steward with focus on management of research data.
contributors: [Mijke Jetten, Federico Bianchini, Gregoire Rossier, Erik Hjerde, Siiri Fuchs, Minna Ahokas, Priit Adler, Alexander Botzki, Robert Andrews, Celia van Gelder, Daniel Wibberg, Graham Hughes, Marko Vidak, Pedro Fernandes, Pinar Alper, Victoria Dominguez D. Angel, Wolmar Nyberg Åkerström, Alexia Cardona]
page_id: data_manager
related_pages:
your_tasks: [compliance, dmp, data_organisation, licensing, metadata, data_protection, data_publication, data_quality, transfer, identifiers, machine_actionability, dm_coordination, data_provenance]
your_tasks: [compliance, dmp, data_organisation, licensing, metadata, data_security, data_publication, data_quality, transfer, identifiers, machine_actionability, dm_coordination, data_provenance]
training:
- name: TeSS - ELIXIR’s training portal
registry: TeSS
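Review bot: For the research-focused data steward, `data_protection` is replaced by `data_security` only, so this role page loses every link to GDPR compliance, while the policy-focused steward page in the same commit keeps only `GDPR_compliance` and drops security. Given that the new GDPR page is written for researchers (DPO contact, DPIA alongside the DMP, record keeping of processing), confirm that omitting `GDPR_compliance` from this role is intentional rather than a split that should have given both roles both tags.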
77 changes: 77 additions & 0 deletions pages/your_tasks/GDPR_compliance.md
@@ -0,0 +1,77 @@
---
title: GDPR compliance
contributors: [Pinar Alper, Yvonne Kallberg, Vilem Ded, Eva Csosz, Niclas Jareborg]
description: How to protect your research data, and how to make research data compliant to GDPR.
page_id: gdpr_compliance
related_pages:
tool_assembly: [tsd, transmed]
training:
- name: Training in TeSS
registry: TeSS
url: https://tess.elixir-europe.org/search?q=data+protection#materials
dsw:
- name: Will you collect any data connected to a person, "personal data"?
uuid: 49c009cb-a38c-4836-9780-8a8b3dd1cbac
- name: Do you need a Data Protection Impact Assessment?
uuid: 8915bd25-db22-4ed6-bcc8-b1bbdc52989e
faircookbook:
- name: Licensing Data
url: https://w3id.org/faircookbook/FCB034
- name: Declaring data permitted uses
url: https://w3id.org/faircookbook/FCB035
- name: Data Protection Impact Assessment and Data Privacy
url: https://w3id.org/faircookbook/FCB074
---

## How do you protect research data under GDPR?

### Description

Where scientific research involves the processing of data concerning people in the European Union (EU), it is subject to the General Data Protection Regulation (GDPR). The GDPR applies a ["special regime"](https://edps.europa.eu/sites/edp/files/publication/20-01-06_opinion_research_en.pdf) to research, providing
derogations from some obligations given appropriate criteria are met and safeguards are in place. The criteria is to follow standards in research method and ethics, as well as to aim societal benefit rather than serving private interests in research.
The safeguards are a multitude and include:
* data collection with informed consent under ethical oversight and accountability;
* ensuring lawful processing and exchange of human-subject information;
* putting in place organisational and technical data protection measures such as encryption and pseudonymisation.

The practical impact of the GDPR on research is, then, establishing these safeguards within projects.

### Considerations

Seek expert help for the interpretation of GDPR legal requirements to practicable measures.
* Research institutes appoint Data Protection Officers (DPO). Before starting a project you should contact your DPO to be informed of GDPR compliance requirements for your institution.
* Each EU country has its own national implementation of the GDPR. If your project involves a multi-national consortium, the requirements of all participating countries need to be met and you should inform the project coordinator of any country-specific requirements.
* Legal offices in research institutes provide model agreements, which cater for various research scenarios and consortia setups. You should inform your local legal office of your project's setup and identify the necessary agreements to be signed.

Assess your project under the GDPR.
* Determine your GDPR role. Are you a data controller, who determines the purposes and means of the processing, or, are you a data processor, who acts under instructions from the controller?
* If you are a controller, you need to check whether your processing poses high privacy risks for data subjects, and if so, perform a Data Protection Impact Assessment (DPIA).
* The GDPR lists certain data e.g. race, ethnicity, health, genetic, biometric data as [special category](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/how-my-personal-data-protected/how-data-my-religious-beliefs-sexual-orientation-health-political-views-protected_en), requiring it's heightened protection. Your research will be considered high risk processing if it involves special category data or if it includes some specified types of processing.
* A DPIA is often a pre-requisite for ethics applications. Your DPO or local ethics advisory board can help determine whether your project requires a DPIA.
* Performing the DPIA while writing the DMP will allow you to reuse information and save time.
* An outcome of the DPIA will be a listing of risks and corresponding mitigations. Mitigations identify the data protection measures you'll adopt, both technical organisational.

Apply technical and organisational measures for data protection. These include:
* institutional policies and codes of conduct;
* staff training;
* user authentication, authorisation, data level access control;
* data privacy measures such as pseudonymisation, anonymisation and encryption,
* arrangements that will enable data subjects to exercise their rights.

Record your data processing. To meet GDPR's accountability requirement you should maintain records on the following:
* project stakeholders and their GDPR roles (controller, processor);
* purpose of your data processing;
* description of data subjects and the data;
* description of data recipients, particularly those outside the EU;
* logs of data transfers to recipients and the safeguards put in place for transfers, such as data sharing agreements;
* time limits for keeping different categories of personal data;
* description of organizational and technical data protection measures.

### Solution

* [EU General Data Protection Regulation](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN).
* [European Data Protection Supervisor's "Preliminary opinion on Data Protection and Scientific Research"](https://edps.europa.eu/sites/edp/files/publication/20-01-06_opinion_research_en.pdf)
* [BBMRI-ERIC's Ethical Legal Societal Issues (ELSI) Knowledge Base](https://www.bbmri-eric.eu/elsi/knowledge-base/) contains a glossary, agreement templates and guidance.
* [Data Information System DAISY](https://daisy-demo.elixir-luxembourg.org/) is software tool from ELIXIR that allows the record keeping of data processing activities in research projects.
* [DAWID](https://dawid.elixir-luxembourg.org) is a software tool from ELIXIR that allows generation of tailor-made data sharing agreements
* [Tryggve ELSI Checklist](https://scilifelab-data-guidelines.readthedocs.io/en/latest/docs/general/sensitive_data.html) is a list of Ethical, Legal, and Societal Implications (ELSI) to consider for research projects on human subjects.
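Review bot: `page_id: gdpr_compliance` in the front matter is lowercase, while every page that links to this page in the commit uses `GDPR_compliance` (the filename's case); pick one form before merge. The `tool_assembly` list names only `tsd` and `transmed`, although the CSC assembly page now tags itself with `GDPR_compliance`, so `csc` should probably be listed too for the back-link to be symmetric. Several wording errors in the new text also merit a fix: "The criteria is to follow" should be "The criteria are" (or "The criterion is"), "requiring it's heightened protection" should be "its", "both technical organisational" is missing "and", the measures list mixes ";" and "," terminators ("encryption,"), "is software tool from ELIXIR" needs "a", and the DAWID bullet lacks a full stop. Finally, "aim societal benefit" reads better as "aim at societal benefit".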
4 changes: 2 additions & 2 deletions pages/your_tasks/data_brokering.md
Expand Up @@ -36,7 +36,7 @@ There are many aspects to consider when getting started as a broker.
* Identify what kind of processing you will handle as a broker, such as (meta)data curation and validation, data masking/anonymisation.
* Define the time frame for your commitment and your responsibilities for the data, such as how to handle data loss before delivery, what to do with the data after a successful delivery, how to manage changes to data that has already been delivered, etc.
* Identify who is responsible for the data before, during and after delivery, such as the data controller/processor (according to GDPR) and/or intellectual property owner/licensee relationships between the provider and recipient
* Ensure that you will be able to establish contracts/agreements that cover the data and processing that you will handle, such as considerations for [data protection](data_protection), [licensing](licensing), and [compliance](compliance_monitoring).
* Ensure that you will be able to establish contracts/agreements that cover the data and processing that you will handle, such as considerations for [data security](data_security), [licensing](licensing), [GDPR](GDPR_compliance) and general [compliance](compliance_monitoring).
* Estimate and secure the resources required to keep your commitment, such as staff with time and necessary skills, accounts, compute, storage and software
* Refer to the sections below for considerations related to collecting data from data providers and delivering data to public data repositories.

Expand All @@ -45,7 +45,7 @@ There are many aspects to consider when getting started as a broker.

The solutions that you adopt will vary depending on the agreements you have negotiated with data providers and/or recipients. The following are examples of general solutions that would help you comply with regulations and implement good data management practices.
* [Data management plan](data_management_plan) – Many questions that you would answer while writing a data management plan can be relevant to answer when you specify the terms of service for your brokering service, such as data storage, data standards, legal and ethical, etc.
* [Data protection](data_protection) – If you are working with data concerning people in the EU, you should make sure to comply with both national and international regulations for data protection.
* [GDPR compliance](GDPR_compliance) – If you are working with data concerning people in the EU, you should make sure to comply with both national and international regulations for data protection.
* Apply for brokering permissions at the repository where you plan to submit data. For example, you can have a broker account at ENA; in this case, please visit [ENA Documentation](https://ena-docs.readthedocs.io/en/latest/faq/data_brokering.html) for guidelines on how to apply for such an account.

## Collecting and processing the metadata and data
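Review bot: The renamed bullet "[GDPR compliance](GDPR_compliance)" keeps the old sentence about complying "with both national and international regulations for data protection", which now reads as a description of the removed data protection page; since the previous hunk in this file introduces a separate `[data security](data_security)` link, consider adding a matching "Data security" bullet to this Solutions list, or rewording this one so it refers specifically to GDPR obligations. The link target's case (`GDPR_compliance` versus `page_id: gdpr_compliance`) should also be checked, as on the other pages in this commit.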
