From c0d4584dbdb438eb4b3902e60b783031e6bfdab9 Mon Sep 17 00:00:00 2001
From: Vilem Ded
Date: Wed, 24 May 2023 10:25:01 +0200
Subject: [PATCH] GDPR compliance page
---
 _data/tool_and_resource_list.yml | 20 +++---
 pages/data_life_cycle/sharing.md | 2 +-
 pages/national_resources/no_resources.md | 2 +-
 pages/tool_assembly/csc_assembly.md | 2 +-
 pages/tool_assembly/transmed_assembly.md | 2 +-
 pages/tool_assembly/tsd_assembly.md | 2 +-
 pages/your_domain/human_data.md | 2 +-
 pages/your_role/data_steward_policy.md | 2 +-
 pages/your_role/data_steward_research.md | 2 +-
 pages/your_tasks/GDPR_compliance.md | 77 ++++++++++++++++++++++++
 pages/your_tasks/data_brokering.md | 4 +-
 pages/your_tasks/data_security.md | 55 -----------------
 12 files changed, 97 insertions(+), 75 deletions(-)
 create mode 100644 pages/your_tasks/GDPR_compliance.md
diff --git a/_data/tool_and_resource_list.yml b/_data/tool_and_resource_list.yml
index d2d0b0685..6df194b91 100644
--- a/_data/tool_and_resource_list.yml
+++ b/_data/tool_and_resource_list.yml
@@ -166,7 +166,7 @@
 at providing practical know-how for responsible research.
 name: BBMRI-ERIC's ELSI Knowledge Base
 related_pages:
- - data_protection
+ - gdpr_compliance
 - sensitive
 - policy_officer
 - data_manager
@@ -706,7 +706,7 @@
 - it_support
 - policy_officer
 - human_data
- - data_protection
+ - gdpr_compliance
 - transmed
 url: https://daisy-demo.elixir-luxembourg.org
 - description: It guides you step by step through a DMP and lets you export a pre-filled
@@ -816,7 +816,7 @@
 to facilitate data sharing agreements.
 name: DAWID
 related_pages:
- - data_protection
+ - gdpr_compliance
 - policy_officer
 - human_data
 url: https://dawid.elixir-luxembourg.org/
@@ -909,7 +909,7 @@
 (DPIA).
 name: DPIA Knowledge Model
 related_pages:
- - data_protection
+ - gdpr_compliance
 - policy_officer
 - human_data
 url: https://converge.ds-wizard.org/knowledge-models/elixir.lu:dpia-research:0.1.0
@@ -1098,7 +1098,7 @@
 related_pages:
 - policy_officer
 - human_data
- - data_protection
+ - gdpr_compliance
 url: https://gitlab.sib.swiss/clinbio/erpa-app
 - description: Regulation (eu) 2016/679 of the european parliament and of the council on the protection of natural persons with regard to the processing of personal
@@ -1106,7 +1106,7 @@
 data protection regulation).
 name: EU General Data Protection Regulation
 related_pages:
- - data_protection
+ - gdpr_compliance
 - policy_officer
 - human_data
 - tsd
@@ -1423,7 +1423,7 @@
 - description: Framework for Responsible Sharing of Genomic and Health-Related Data
 name: GA4GH Regulatory and Ethics toolkit
 related_pages:
- - data_protection
+ - gdpr_compliance
 - sensitive
 - policy_officer
 - data_manager
@@ -1772,7 +1772,7 @@
 - description: International information security standard
 name: ISO/IEC 27001
 related_pages:
- - data_protection
+ - gdpr_compliance
 - policy_officer
 - human_data
 url: https://en.wikipedia.org/wiki/ISO/IEC_27001
@@ -2042,7 +2042,7 @@
 Assessments
 name: MONARC
 related_pages:
- - data_protection
+ - gdpr_compliance
 - policy_officer
 - human_data
 - transmed
@@ -2961,7 +2961,7 @@
 - nels
 - csc
 - tsd
- - data_protection
+ - gdpr_compliance
 url: https://scilifelab-data-guidelines.readthedocs.io/en/latest/docs/general/sensitive_data.html
 - description: TU Delft costing tool helps to budget for data management personnel costs in proposals.
diff --git a/pages/data_life_cycle/sharing.md b/pages/data_life_cycle/sharing.md
index 3601f00bb..fe258bc9c 100644
--- a/pages/data_life_cycle/sharing.md
+++ b/pages/data_life_cycle/sharing.md
@@ -4,7 +4,7 @@ page_id: share
 description: Introduction to data sharing.
 contributors: [Flora D'Anna, Bert Droesbeke, Niclas Jareborg, Ulrike Wittig]
 related_pages:
- your_tasks: [data_protection, data_brokering, data_publication, transfer, identifiers, licensing, metadata, sensitive]
+ your_tasks: [GDPR_compliance, data_security, data_brokering, data_publication, transfer, identifiers, licensing, metadata, sensitive]
 training:
 - name: Training in TeSS
 registry: TeSS
diff --git a/pages/national_resources/no_resources.md b/pages/national_resources/no_resources.md
index 0202b7e94..c8284e85b 100644
--- a/pages/national_resources/no_resources.md
+++ b/pages/national_resources/no_resources.md
@@ -132,7 +132,7 @@ national_resources:
 how_to_access: Through Feide, only if you are based at the UiB
 related_pages:
 your_domain: [human_data]
- your_tasks: [data_protection, sensitive]
+ your_tasks: [data_security, GDPR_compliance, sensitive]
 your_role: [policy_officer, data_manager]
 url: https://rette.app.uib.no/
 - name: DataverseNO
diff --git a/pages/tool_assembly/csc_assembly.md b/pages/tool_assembly/csc_assembly.md
index 576b2e37a..8b0ccd770 100644
--- a/pages/tool_assembly/csc_assembly.md
+++ b/pages/tool_assembly/csc_assembly.md
@@ -5,7 +5,7 @@ description: The Center of Science (CSC) provides high-quality ICT expert servic
 page_id: csc
 affiliations: [FI, CSC, ELIXIR Europe]
 related_pages:
- your_tasks: [sensitive, dmp, data_protection, storage, data_publication, data_transfer, data_analysis]
+ your_tasks: [sensitive, dmp, data_security, GDPR_compliance, storage, data_publication, data_transfer, data_analysis]
 your_domain: [human_data]
 training:
 - name: Training in TeSS
diff --git a/pages/tool_assembly/transmed_assembly.md b/pages/tool_assembly/transmed_assembly.md
index 1180cb066..994634b69 100644
--- a/pages/tool_assembly/transmed_assembly.md
+++ b/pages/tool_assembly/transmed_assembly.md
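Review bot: The added `your_tasks` line references `GDPR_compliance`, while the new page `pages/your_tasks/GDPR_compliance.md` (added later in this patch) declares `page_id: gdpr_compliance` and the `_data/tool_and_resource_list.yml` hunks use `gdpr_compliance`. The neighbouring ids `compliance` and `sensitive` look like page_ids rather than file names (the markdown links in this patch use `compliance_monitoring` and `sensitive_data`), so if `related_pages` resolves by page_id this entry will not link. The same mixed-case id is used in the no_resources.md, csc_assembly.md, transmed_assembly.md, tsd_assembly.md and data_steward_policy.md hunks; pick one spelling, e.g. `your_tasks: [gdpr_compliance, data_security, data_brokering, data_publication, transfer, identifiers, licensing, metadata, sensitive]`, or rename the new page's `page_id` to match. Whether `data_security` is the page_id of `pages/your_tasks/data_security.md` is not visible here and should be confirmed.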
@@ -5,7 +5,7 @@ description: TransMed tool assembly from ELIXIR Luxembourg supports projects in
 page_id: transmed
 affiliations: [ELIXIR Europe, LU]
 related_pages:
- your_tasks: [compliance, storage, metadata, data_organisation, data_analysis, sensitive, data_protection, dmp]
+ your_tasks: [compliance, storage, metadata, data_organisation, data_analysis, sensitive, GDPR_compliance, dmp]
 your_domain: [human_data]
 ---
diff --git a/pages/tool_assembly/tsd_assembly.md b/pages/tool_assembly/tsd_assembly.md
index 32cfa4ce5..ef997acdc 100644
--- a/pages/tool_assembly/tsd_assembly.md
+++ b/pages/tool_assembly/tsd_assembly.md
@@ -5,7 +5,7 @@ description: The Sensitive Data Service (TSD) provides a platform to store, comp
 page_id: tsd
 affiliations: ["NO", ELIXIR Europe, University of Oslo]
 related_pages:
- your_tasks: [dmp, storage, sensitive, data_protection, transfer]
+ your_tasks: [dmp, storage, sensitive, data_security, GDPR_compliance, transfer]
 your_domain: [human_data]
 training:
 - name: Documentation for the HPC cluster
diff --git a/pages/your_domain/human_data.md b/pages/your_domain/human_data.md
index bd4dcedc0..1efe467be 100644
--- a/pages/your_domain/human_data.md
+++ b/pages/your_domain/human_data.md
@@ -55,7 +55,7 @@ When working with human data, you must follow established research ethical guide
 * The [Global Alliance for Genomics and Health (GA4GH)](https://www.ga4gh.org) has recommendations for these issues in their [GA4GH regulatory and ethical toolkit](https://www.ga4gh.org/genomic-data-toolkit/regulatory-ethics-toolkit/), see for instance the [Consent Clauses for Genomic Research](https://drive.google.com/file/d/1O5Ti7g7QJqS3h0ABm-LyTe02Gtq8wlKM/view?usp=sharing).
 * Personal data protection legislation:
 * **Within the EU.** If you are performing human data research in the EU, or your data subjects are located in the EU, then you must adhere to the General Data Protection Regulation - GDPR.
- * Requirements for research that fall under the GDPR are outlined in the [RDMkit Data protection page](data_protection).
+ * Requirements for research that fall under the GDPR are outlined in the [RDMkit GDPR compliance page](GDPR_compliance).
 * Attributes of the data determines data sensitivity and sensitivity affects the considerations for data handling. The [RDMkit Data Sensitivity page](sensitive_data) provides guidance on determining and reducing data sensitivity.
 * **Outside the EU.** For countries outside the EU, the [International Compilation of Human Research Standards](https://www.hhs.gov/ohrp/sites/default/files/2020-international-compilation-of-human-research-standards.pdf) list relevant legislations.
diff --git a/pages/your_role/data_steward_policy.md b/pages/your_role/data_steward_policy.md
index 726964244..140b18f56 100644
--- a/pages/your_role/data_steward_policy.md
+++ b/pages/your_role/data_steward_policy.md
@@ -4,7 +4,7 @@ description: Data Steward with focus on data policies.
 contributors: [Mijke Jetten, Federico Bianchini, Gregoire Rossier, Erik Hjerde, Siiri Fuchs, Minna Ahokas, Priit Adler, Alexander Botzki, Robert Andrews, Celia van Gelder, Daniel Wibberg, Graham Hughes, Marko Vidak, Pedro Fernandes, Pinar Alper, Victoria Dominguez D. Angel, Wolmar Nyberg Åkerström, Alexia Cardona]
 page_id: policy_officer
 related_pages:
- your_tasks: [compliance, licensing, dmp, data_protection, sensitive, dm_coordination]
+ your_tasks: [compliance, licensing, dmp, GDPR_compliance, sensitive, dm_coordination]
 training:
 - name: TeSS - ELIXIR’s training portal
 registry: TeSS
diff --git a/pages/your_role/data_steward_research.md b/pages/your_role/data_steward_research.md
index 48e69f1fc..317d1b5c4 100644
--- a/pages/your_role/data_steward_research.md
+++ b/pages/your_role/data_steward_research.md
@@ -4,7 +4,7 @@ description: Data Steward with focus on management of research data.
 contributors: [Mijke Jetten, Federico Bianchini, Gregoire Rossier, Erik Hjerde, Siiri Fuchs, Minna Ahokas, Priit Adler, Alexander Botzki, Robert Andrews, Celia van Gelder, Daniel Wibberg, Graham Hughes, Marko Vidak, Pedro Fernandes, Pinar Alper, Victoria Dominguez D. Angel, Wolmar Nyberg Åkerström, Alexia Cardona]
 page_id: data_manager
 related_pages:
- your_tasks: [compliance, dmp, data_organisation, licensing, metadata, data_protection, data_publication, data_quality, transfer, identifiers, machine_actionability, dm_coordination, data_provenance]
+ your_tasks: [compliance, dmp, data_organisation, licensing, metadata, data_securitys, data_publication, data_quality, transfer, identifiers, machine_actionability, dm_coordination, data_provenance]
 training:
 - name: TeSS - ELIXIR’s training portal
 registry: TeSS
diff --git a/pages/your_tasks/GDPR_compliance.md b/pages/your_tasks/GDPR_compliance.md
new file mode 100644
index 000000000..9a79b8ac9
--- /dev/null
+++ b/pages/your_tasks/GDPR_compliance.md
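Review bot: The added `your_tasks` line in data_steward_research.md contains `data_securitys`, an id that appears nowhere else in the patch and looks like a typo for `data_security`, which the sharing.md and no_resources.md hunks use. The line also drops the former `data_protection` link without adding the GDPR page, unlike the data_steward_policy.md hunk above, which replaces `data_protection` with `GDPR_compliance`; if that is unintended, the fragment should read `..., metadata, data_security, GDPR_compliance, data_publication, ...`. Whichever spelling of the GDPR page id is settled on for the patch, it should be the same here as in the other `related_pages` lists.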
@@ -0,0 +1,77 @@
+---
+title: GDPR compliance
+contributors: [Pinar Alper, Yvonne Kallberg, Vilem Ded, Eva Csosz, Niclas Jareborg]
+description: How to protect your research data, and how to make research data compliant to GDPR.
+page_id: gdpr_compliance
+related_pages:
+ tool_assembly: [tsd, transmed]
+training:
+ - name: Training in TeSS
+ registry: TeSS
+ url: https://tess.elixir-europe.org/search?q=data+protection#materials
+dsw:
+- name: Will you collect any data connected to a person, "personal data"?
+ uuid: 49c009cb-a38c-4836-9780-8a8b3dd1cbac
+- name: Do you need a Data Protection Impact Assessment?
+ uuid: 8915bd25-db22-4ed6-bcc8-b1bbdc52989e
+faircookbook:
+- name: Licensing Data
+ url: https://w3id.org/faircookbook/FCB034
+- name: Declaring data permitted uses
+ url: https://w3id.org/faircookbook/FCB035
+- name: Data Protection Impact Assessment and Data Privacy
+ url: https://w3id.org/faircookbook/FCB074
+---
+
+## How do you protect research data under GDPR?
+
+### Description
+
+Where scientific research involves the processing of data concerning people in the European Union (EU), it is subject to the General Data Protection Regulation (GDPR). The GDPR applies a ["special regime"](https://edps.europa.eu/sites/edp/files/publication/20-01-06_opinion_research_en.pdf) to research, providing
+derogations from some obligations given appropriate criteria are met and safeguards are in place. The criteria is to follow standards in research method and ethics, as well as to aim societal benefit rather than serving private interests in research.
+The safeguards are a multitude and include:
+ * data collection with informed consent under ethical oversight and accountability;
+ * ensuring lawful processing and exchange of human-subject information;
+ * putting in place organisational and technical data protection measures such as encryption and pseudonymisation.
+
+The practical impact of the GDPR on research is, then, establishing these safeguards within projects.
+
+### Considerations
+
+Seek expert help for the interpretation of GDPR legal requirements to practicable measures.
+ * Research institutes appoint Data Protection Officers (DPO). Before starting a project you should contact your DPO to be informed of GDPR compliance requirements for your institution.
+ * Each EU country has its own national implementation of the GDPR. If your project involves a multi-national consortium, the requirements of all participating countries need to be met and you should inform the project coordinator of any country-specific requirements.
+ * Legal offices in research institutes provide model agreements, which cater for various research scenarios and consortia setups. You should inform your local legal office of your project's setup and identify the necessary agreements to be signed.
+
+Assess your project under the GDPR.
+ * Determine your GDPR role. Are you a data controller, who determines the purposes and means of the processing, or, are you a data processor, who acts under instructions from the controller?
+ * If you are a controller, you need to check whether your processing poses high privacy risks for data subjects, and if so, perform a Data Protection Impact Assessment (DPIA).
+ * The GDPR lists certain data e.g. race, ethnicity, health, genetic, biometric data as [special category](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/how-my-personal-data-protected/how-data-my-religious-beliefs-sexual-orientation-health-political-views-protected_en), requiring it's heightened protection. Your research will be considered high risk processing if it involves special category data or if it includes some specified types of processing.
+ * A DPIA is often a pre-requisite for ethics applications. Your DPO or local ethics advisory board can help determine whether your project requires a DPIA.
+ * Performing the DPIA while writing the DMP will allow you to reuse information and save time.
+ * An outcome of the DPIA will be a listing of risks and corresponding mitigations. Mitigations identify the data protection measures you'll adopt, both technical organisational.
+
+Apply technical and organisational measures for data protection. These include:
+ * institutional policies and codes of conduct;
+ * staff training;
+ * user authentication, authorisation, data level access control;
+ * data privacy measures such as pseudonymisation, anonymisation and encryption,
+ * arrangements that will enable data subjects to exercise their rights.
+
+Record your data processing. To meet GDPR's accountability requirement you should maintain records on the following:
+ * project stakeholders and their GDPR roles (controller, processor);
+ * purpose of your data processing;
+ * description of data subjects and the data;
+ * description of data recipients, particularly those outside the EU;
+ * logs of data transfers to recipients and the safeguards put in place for transfers, such as data sharing agreements;
+ * time limits for keeping different categories of personal data;
+ * description of organizational and technical data protection measures.
+
+### Solution
+
+ * [EU General Data Protection Regulation](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN).
+ * [European Data Protection Supervisor's "Preliminary opinion on Data Protection and Scientific Research"](https://edps.europa.eu/sites/edp/files/publication/20-01-06_opinion_research_en.pdf)
+ * [BBMRI-ERIC's Ethical Legal Societal Issues (ELSI) Knowledge Base](https://www.bbmri-eric.eu/elsi/knowledge-base/) contains a glossary, agreement templates and guidance.
+ * [Data Information System DAISY](https://daisy-demo.elixir-luxembourg.org/) is software tool from ELIXIR that allows the record keeping of data processing activities in research projects.
+ * [DAWID](https://dawid.elixir-luxembourg.org) is a software tool from ELIXIR that allows generation of tailor-made data sharing agreements
+ * [Tryggve ELSI Checklist](https://scilifelab-data-guidelines.readthedocs.io/en/latest/docs/general/sensitive_data.html) is a list of Ethical, Legal, and Societal Implications (ELSI) to consider for research projects on human subjects.
diff --git a/pages/your_tasks/data_brokering.md b/pages/your_tasks/data_brokering.md
index 9dc80aa22..295318c2a 100644
--- a/pages/your_tasks/data_brokering.md
+++ b/pages/your_tasks/data_brokering.md
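Review bot: The front matter of the new page mixes sequence styles: the `training:` block indents its `- name:` item under the key, while `dsw:` and `faircookbook:` keep their `- name:` items flush with the key; both parse, but one style should be used throughout the file, preferably the indented form `training:` already uses. Separately, the text that remains in `pages/your_tasks/data_security.md` (the second context line of this patch's last hunk) still says "See the next section for GDPR-specific documentation requirements.", but that section is what this file now holds, so the sentence should point here, e.g. `See the [GDPR compliance](GDPR_compliance) page for GDPR-specific documentation requirements.`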
@@ -36,7 +36,7 @@ There are many aspects to consider when getting started as a broker.
 * Identify what kind of processing you will handle as a broker, such as (meta)data curation and validation, data masking/anonymisation.
 * Define the time frame for your commitment and your responsibilities for the data, such as how to handle data loss before delivery, what to do with the data after a successful delivery, how to manage changes to data that has already been delivered, etc.
 * Identify who is responsible for the data before, during and after delivery, such as the data controller/processor (according to GDPR) and/or intellectual property owner/licensee relationships between the provider and recipient
-* Ensure that you will be able to establish contracts/agreements that cover the data and processing that you will handle, such as considerations for [data protection](data_protection), [licensing](licensing), and [compliance](compliance_monitoring).
+* Ensure that you will be able to establish contracts/agreements that cover the data and processing that you will handle, such as considerations for [data security](data_security), [licensing](licensing), [GDPR](GDPR_compliance) and general [compliance](compliance_monitoring).
 * Estimate and secure the resources required to keep your commitment, such as staff with time and necessary skills, accounts, compute, storage and software
 * Refer to the sections below for considerations related to collecting data from data providers and delivering data to public data repositories.
@@ -45,7 +45,7 @@ There are many aspects to consider when getting started as a broker.
 The solutions that you adopt will vary depending on the agreements you have negotiated with data providers and/or recipients. The following are examples of general solutions that would help you comply with regulations and implement good data management practices.
 * [Data management plan](data_management_plan) – Many questions that you would answer while writing a data management plan can be relevant to answer when you specify the terms of service for your brokering service, such as data storage, data standards, legal and ethical, etc.
-* [Data protection](data_protection) – If you are working with data concerning people in the EU, you should make sure to comply with both national and international regulations for data protection.
+* [GDPR compliance](GDPR_compliance) – If you are working with data concerning people in the EU, you should make sure to comply with both national and international regulations for data protection.
 * Apply for brokering permissions at the repository where you plan to submit data. For example, you can have a broker account at ENA; in this case, please visit [ENA Documentation](https://ena-docs.readthedocs.io/en/latest/faq/data_brokering.html) for guidelines on how to apply for such an account.
 ## Collecting and processing the metadata and data
diff --git a/pages/your_tasks/data_security.md b/pages/your_tasks/data_security.md
index 38c004bfd..051870f09 100644
--- a/pages/your_tasks/data_security.md
+++ b/pages/your_tasks/data_security.md
@@ -66,58 +66,3 @@ To protect your research data, code, and other information assets you should est
 * Policies are an important component of data management and they are essential for information security. Organisations use policies to announce to their staff and third parties the expectations, roles and responsibilities in data handling. Policies typically cover data classification, storage/backup, transfer, retention/archival, deletion/destruction, acceptable use of IT platforms and the reporting of security incidents and data breaches. In some cases research data requirements would be addressed in dedicated policies. Therefore, at the planning phase, it is important to understand institutional data policies applicable to the project’s data. If the data is considered sensitive as per the institutional data classification, this will have an impact on the IT platforms that can be used to store and transmit the data as well as the specific procedures to be followed.
 * Information inventories and documentation is another requirement for projects dealing with sensitive data. At the planning phase you should identify the various categories of data that will be processed in the project e.g. personal health and biomedical data, sensitive habitat data, IP restricted data from the industry. You should document which platforms will be used to process the data and the applicable security measures in case certain measures are applied to restricted classes of data. See the next section for GDPR-specific documentation requirements. See the [Data Sensitivity](/sensitive_data) page for more information on sensitive data.
 * [ISO/IEC 27001](https://en.wikipedia.org/wiki/ISO/IEC_27001) is an international information security standard adopted by data processing centres worldwide. Some universities and research institutes also acquire an ISO 27001 certification for their IT environments.
Such certifications allow institutions to consistently and thoroughly identify information security risks and put in place best practice information security controls. These controls would include all above mentioned technical and organisational safeguards and more.
-
-
-## How do you protect research data under GDPR?
-
-### Description
-
-Where scientific research involves the processing of data concerning people in the European Union (EU), it is subject to the General Data Protection Regulation (GDPR). The GDPR applies a ["special regime"](https://edps.europa.eu/sites/edp/files/publication/20-01-06_opinion_research_en.pdf) to research, providing
-derogations from some obligations given appropriate criteria are met and safeguards are in place. The criteria is to follow standards in research method and ethics, as well as to aim societal benefit rather than serving private interests in research.
-The safeguards are a multitude and include:
- * data collection with informed consent under ethical oversight and accountability;
- * ensuring lawful processing and exchange of human-subject information;
- * putting in place organisational and technical data protection measures such as encryption and pseudonymisation.
-
-The practical impact of the GDPR on research is, then, establishing these safeguards within projects.
-
-### Considerations
-
-Seek expert help for the interpretation of GDPR legal requirements to practicable measures.
- * Research institutes appoint Data Protection Officers (DPO). Before starting a project you should contact your DPO to be informed of GDPR compliance requirements for your institution.
- * Each EU country has its own national implementation of the GDPR. If your project involves a multi-national consortium, the requirements of all participating countries need to be met and you should inform the project coordinator of any country-specific requirements.
- * Legal offices in research institutes provide model agreements, which cater for various research scenarios and consortia setups. You should inform your local legal office of your project's setup and identify the necessary agreements to be signed.
-
-Assess your project under the GDPR.
- * Determine your GDPR role. Are you a data controller, who determines the purposes and means of the processing, or, are you a data processor, who acts under instructions from the controller?
- * If you are a controller, you need to check whether your processing poses high privacy risks for data subjects, and if so, perform a Data Protection Impact Assessment (DPIA).
- * The GDPR lists certain data e.g. race, ethnicity, health, genetic, biometric data as [special category](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/how-my-personal-data-protected/how-data-my-religious-beliefs-sexual-orientation-health-political-views-protected_en), requiring it's heightened protection. Your research will be considered high risk processing if it involves special category data or if it includes some specified types of processing.
- * A DPIA is often a pre-requisite for ethics applications. Your DPO or local ethics advisory board can help determine whether your project requires a DPIA.
- * Performing the DPIA while writing the DMP will allow you to reuse information and save time.
- * An outcome of the DPIA will be a listing of risks and corresponding mitigations. Mitigations identify the data protection measures you'll adopt, both technical organisational.
-
-Apply technical and organisational measures for data protection. These include:
- * institutional policies and codes of conduct;
- * staff training;
- * user authentication, authorisation, data level access control;
- * data privacy measures such as pseudonymisation, anonymisation and encryption,
- * arrangements that will enable data subjects to exercise their rights.
-
-Record your data processing.
To meet GDPR's accountability requirement you should maintain records on the following:
- * project stakeholders and their GDPR roles (controller, processor);
- * purpose of your data processing;
- * description of data subjects and the data;
- * description of data recipients, particularly those outside the EU;
- * logs of data transfers to recipients and the safeguards put in place for transfers, such as data sharing agreements;
- * time limits for keeping different categories of personal data;
- * description of organizational and technical data protection measures.
-
-### Solution
-
- * [EU General Data Protection Regulation](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN).
- * [European Data Protection Supervisor's "Preliminary opinion on Data Protection and Scientific Research"](https://edps.europa.eu/sites/edp/files/publication/20-01-06_opinion_research_en.pdf)
- * [BBMRI-ERIC's Ethical Legal Societal Issues (ELSI) Knowledge Base](https://www.bbmri-eric.eu/elsi/knowledge-base/) contains a glossary, agreement templates and guidance.
- * [Data Information System DAISY](https://daisy-demo.elixir-luxembourg.org/) is software tool from ELIXIR that allows the record keeping of data processing activities in research projects.
- * [DAWID](https://dawid.elixir-luxembourg.org) is a software tool from ELIXIR that allows generation of tailor-made data sharing agreements
- * [Tryggve ELSI Checklist](https://scilifelab-data-guidelines.readthedocs.io/en/latest/docs/general/sensitive_data.html) is a list of Ethical, Legal, and Societal Implications (ELSI) to consider for research projects on human subjects.
-