Privacy & Data Protection in Research
Summerschool 9-12 July 2017
Erasmus MC
July 12 2017
Marlon Domingus
Itinerary
• rights and responsibilities
• privacy by design strategies
• privacy principles
• privacy enhancing technologies (PETs)
• big data concerns
• private, shared and public - boundary transitions
• data protection impact assessment (DPIA)
• cross border data transfers
• derogations for research
The General Data Protection Regulation & (Big Data) Research
Rights and Responsibilities
Source: http://www.privacy-regulation.eu/en/index.htm
Balancing the legitimate interests of the researcher and the privacy rights of the individual
Source: Brendan Van Alsenoy (Belgian Privacy Commission), Balancing the interests of controllers and the rights of the data subject. Brussels Privacy Hub, VUB Brussel, June 30 2017.
“The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.”
Recital (4) GDPR
“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject […]”
Article 6(1)f GDPR
Balancing the legitimate interests of the researcher and the privacy rights of the individual
Source: Charter of Fundamental Rights of the European Union (2012/C 326/02). Online: http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:12012P/TXT&from=EN
Article 8 - Protection of personal data
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.
Balancing the legitimate interests of the researcher and the privacy rights of the individual
Source: Prof. Dr. Gloria González Fuster: Recent jurisprudence of the European Court of Human Rights and the Court of Justice of the European Union. Brussels Privacy Hub, VUB Brussel, June 30 2017.
independent authority
individual’s rights
legitimate interests
Balancing. Four Steps.
1. Legitimate interests of controller or 3rd party
• freedom of expression
• direct marketing and other forms of advertisement
• enforcement of legal claims
• prevention of fraud, misuse of services, or money laundering
• physical safety, security, IT and network security
• whistle-blowing schemes
2. Impact on data subject
Actual and potential repercussions
• Nature of the data
• How the data are processed
• Reasonable expectations data subject
• Nature of controller vis-à-vis data subject
3. Make provisional balance
“Necessary”
• Least intrusive means
• Reasonably effective
• Balance of interests
4. Safeguards
Measures to ensure that the data cannot be used to take decisions or other actions with regard to individuals.
• anonymisation techniques, aggregation of data
• privacy-enhancing technologies, privacy by design
• increased transparency
• general and unconditional right to opt-out
Source: Article 29 Data Protection Working Party. Opinion 06/2014 on the "Notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC". Adopted on 9 April 2014. Online: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf
Privacy by Design Strategy (‘traditional’)
Source: ENISA report (2015): Privacy By Design In Big Data. Online: https://www.enisa.europa.eu/publications/big-data-protection/at_download/fullReport
Privacy by Design Strategy (Big Data)
Source: ENISA report (2015): Privacy By Design In Big Data. Online: https://www.enisa.europa.eu/publications/big-data-protection/at_download/fullReport
Privacy Principles
1. Consent and choice
2. Purpose legitimacy and specification
3. Collection limitation
4. Data minimisation
5. Use, retention and disclosure limitation
6. Accuracy and quality
7. Openness, transparency and notice
8. Individual participation and access
9. Accountability
10. Information security
11. Privacy compliance
Source: Information technology — Security techniques — Privacy framework. ISO/IEC 29100:2011. Online: http://standards.iso.org/ittf/PubliclyAvailableStandards/c045123_ISO_IEC_29100_2011.zip
Source: Information technology — Identification of privacy protection requirements pertaining to learning, education and training (LET) — Part 1: Framework and reference model. ISO/IEC 29187-1:2013. Online: http://standards.iso.org/ittf/PubliclyAvailableStandards/c045266_ISO_IEC_29187-1_2013.zip
Privacy Enhancing Technologies in Big Data
Anonymization in big data (and beyond)
• Utility and privacy
• Attack models and disclosure risk
• Anonymization privacy models
• Anonymization privacy models and big data
• Anonymization methods
• Some current weaknesses of anonymization
• Centralized vs decentralized anonymization for big data
• Other specific challenges of anonymization in big data
• Challenges and future research for anonymization in big data
Encryption techniques in big data
• Database encryption
• Encrypted search
Security and accountability controls
• Granular access control
• Privacy policy enforcement
• Accountability and audit mechanisms
• Data provenance
Transparency and access
Consent, ownership and control
• Consent mechanisms
• Privacy preferences and sticky policies
• Personal data stores
Source: ENISA report (2015): Privacy By Design In Big Data. Online: https://www.enisa.europa.eu/publications/big-data-protection/at_download/fullReport
WP Art 29: Big Data Concerns:
- the sheer scale of data collection, tracking and profiling, also taking into account the variety and detail of the data collected and the fact that data are often combined from many different sources;
- the security of data, with levels of protection shown to be lagging behind the expansion in volume;
- transparency: unless they are provided with sufficient information, individuals will be subject to decisions that they do not understand and have no control over;
- inaccuracy, discrimination, exclusion and economic imbalance;
- increased possibilities of government surveillance.
Source: Article 29 Data Protection Working Party. Opinion 03/2013 on purpose limitation. Adopted on 2 April 2013. Online: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2013/wp203_en.pdf
Data Protection Impact Assessment
Source: Dr. Paul Quinn and István Böröcz, How to do a PIA – practical session. Brussels Privacy Hub, VUB Brussel, June 27 2017.
Addresses:
• societal concerns
• technical concerns
• ethical concerns
• legal concerns
Our Research Assessment
1. Is the research project conducted in an international partnership? → IPR, Applicable Law
2. Is this partnership a public-private collaboration? → IPR, Valorisation
3. Is personal data or confidential data used in the research? → Data Protection, Privacy
4. Will the research project result in information and/or products that will become available open access, commercially, or both? → IPR, Valorisation
5. Is an infrastructure required for the processing / analysis / storage of the research data beyond what is available at the EUR workplace? → Research Infra, HPC
6. Will the data processing be a manual activity, or is it automated and executed by scripts? → IPR, Database Law
Data Driven Research
Private, Shared and Public - Boundary Transitions
Source: Personal website Andrew Treloar. Online: http://andrew.treloar.net/research/diagrams/index.shtml
Cross Border Data Transfers
Source: Prof. Christopher Kuner, International Transfers of Personal Data Post-GDPR. Brussels Privacy Hub, VUB Brussel, June 29 2017.
Three methods to transfer data internationally:
• Adequacy decisions adopted by EC (Art. 45 GDPR).
• In the absence of an adequacy decision, appropriate safeguards (data transfer instruments, Art. 46 GDPR), meaning: BCRs; SCCs; approved codes of conduct and certification mechanisms with binding commitments; “ad hoc” contractual clauses authorized by DPAs.
• In the absence of an adequacy decision or appropriate safeguards, derogations (Art. 49 GDPR), e.g. consent; performance of a contract; public interest under EU or Member State law; legitimate interests of a controller (with limitations).
Exemptions or Derogations for Research
Source: General Data Protection Regulation. Online: http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf
Questions?
drs. Marlon Domingus
Research Services
coordinator Community Research Data Management
T +31 10 4088006
E researchsupport@eur.nl
W https://www.eur.nl/researchmatters/research_data_management/ (services and templates)
Stay in touch via: https://www.linkedin.com/in/domingus/
Case
Take Aways
Privacy: infographics
Source: EUR Research Matters website. Online: https://www.eur.nl/researchmatters/research_data_management/services/rdm_legal_services/
Privacy: Maturity Model
Source: LCRDM. https://www1.edugroepen.nl/sites/RDM_platform/RDM_Blog/Lists/Posts/Post.aspx?ID=12
How to use the compass
In the core, the four Denscombe principles serve as a starting point.
In the next layer, the aspects related to these principles are listed.
In the outer layer, the actions for faculty and/or research support staff are listed.
The arrow aligns the principles with the corresponding aspects and actions.
Thus four quadrants appear, with a focus on the distinct aspects of research integrity. Traditionally ethics committees look at the aspects of the lower left quadrant. How to address the aspects in the rest of the compass? Suggestion: work together with the Data Protection Officer and the Legal Department for a new governing approach to assessing proper academic practices.
