Restructure pages on Human data and GDPR compliance

_data/sidebars/data_management.yml

@@ -68,8 +68,8 @@ subitems:
         url: /data_management_plan
       - title: Data organisation
         url: /data_organisation
-      - title: Data protection
-        url: /data_protection
+      - title: Data security
+        url: /data_security
       - title: Data provenance
         url: /data_provenance
       - title: Data publication

_data/tool_and_resource_list.yml

@@ -166,7 +166,7 @@
     at providing practical know-how for responsible research.
   name: BBMRI-ERIC's ELSI Knowledge Base
   related_pages:
-  - data_protection
+  - gdpr_compliance
   - sensitive
   - policy_officer
   - data_manager
@@ -706,7 +706,7 @@
   - it_support
   - policy_officer
   - human_data
-  - data_protection
+  - gdpr_compliance
   - transmed
   url: https://daisy-demo.elixir-luxembourg.org
 - description: It guides you step by step through a DMP and lets you export a pre-filled
@@ -816,7 +816,7 @@
     to facilitate data sharing agreements.
   name: DAWID
   related_pages:
-  - data_protection
+  - gdpr_compliance
   - policy_officer
   - human_data
   url: https://dawid.elixir-luxembourg.org/
@@ -909,7 +909,7 @@
     (DPIA).
   name: DPIA Knowledge Model
   related_pages:
-  - data_protection
+  - gdpr_compliance
   - policy_officer
   - human_data
   url: https://converge.ds-wizard.org/knowledge-models/elixir.lu:dpia-research:0.1.0
@@ -1098,15 +1098,15 @@
   related_pages:
   - policy_officer
   - human_data
-  - data_protection
+  - gdpr_compliance
   url: https://gitlab.sib.swiss/clinbio/erpa-app
 - description: Regulation (eu) 2016/679 of the european parliament and of the council
     on the protection of natural persons with regard to the processing of personal
     data and on the free movement of such data, and repealing directive 95/46/ec (general
     data protection regulation).
   name: EU General Data Protection Regulation
   related_pages:
-  - data_protection
+  - gdpr_compliance
   - policy_officer
   - human_data
   - tsd
@@ -1423,7 +1423,7 @@
 - description: Framework for Responsible Sharing of Genomic and Health-Related Data
   name: GA4GH Regulatory and Ethics toolkit
   related_pages:
-  - data_protection
+  - gdpr_compliance
   - sensitive
   - policy_officer
   - data_manager
@@ -1772,7 +1772,7 @@
 - description: International information security standard
   name: ISO/IEC 27001
   related_pages:
-  - data_protection
+  - gdpr_compliance
   - policy_officer
   - human_data
   url: https://en.wikipedia.org/wiki/ISO/IEC_27001
@@ -2042,7 +2042,7 @@
     Assessments
   name: MONARC
   related_pages:
-  - data_protection
+  - gdpr_compliance
   - policy_officer
   - human_data
   - transmed
@@ -2961,7 +2961,7 @@
   - nels
   - csc
   - tsd
-  - data_protection
+  - gdpr_compliance
   url: https://scilifelab-data-guidelines.readthedocs.io/en/latest/docs/general/sensitive_data.html
 - description: TU Delft costing tool helps to budget for data management personnel
     costs in proposals.

pages/data_life_cycle/planning.md

@@ -4,7 +4,7 @@ page_id: plan
 description: Introduction to data management planning.
 contributors: [Siiri Fuchs, Korbinian Bösl, Minna Ahokas, Federico Bianchini, Flora D'Anna]
 related_pages: 
-  your_tasks: [compliance, costs, dmp, data_protection, dm_coordination, machine_actionability]
+  your_tasks: [compliance, costs, dmp, data_security, dm_coordination, machine_actionability]
 training:
   - name: Training in TeSS
     registry: TeSS

pages/data_life_cycle/preserving.md

@@ -4,7 +4,7 @@ page_id: preserve
 description: Introduction to data preservation.
 contributors: [Siiri Fuchs, Korbinian Bösl, Anastasia Chasapi, Flora D'Anna]
 related_pages: 
-  your_tasks: [data_organisation, data_protection, data_publication, metadata, storage, identifiers, licensing]
+  your_tasks: [data_organisation, data_security, data_publication, metadata, storage, identifiers, licensing]
 training:
   - name: Training in TeSS
     registry: TeSS

pages/data_life_cycle/sharing.md

@@ -4,7 +4,7 @@ page_id: share
 description: Introduction to data sharing.
 contributors: [Flora D'Anna, Bert Droesbeke, Niclas Jareborg, Ulrike Wittig]
 related_pages: 
-  your_tasks: [data_protection, data_brokering, data_publication, transfer, identifiers, licensing, metadata, sensitive]
+  your_tasks: [GDPR_compliance, data_security, data_brokering, data_publication, transfer, identifiers, licensing, metadata, sensitive]
 training:
   - name: Training in TeSS
     registry: TeSS

pages/national_resources/no_resources.md

@@ -132,7 +132,7 @@ national_resources:
     how_to_access: Through Feide, only if you are based at the UiB
     related_pages:
       your_domain: [human_data]
-      your_tasks: [data_protection, sensitive]
+      your_tasks: [data_security, GDPR_compliance, sensitive]
       your_role: [policy_officer, data_manager]
     url: https://rette.app.uib.no/
   - name: DataverseNO

pages/tool_assembly/csc_assembly.md

@@ -5,7 +5,7 @@ description: The Center of Science (CSC) provides high-quality ICT expert servic
 page_id: csc
 affiliations: [FI, CSC, ELIXIR Europe]
 related_pages: 
-  your_tasks: [sensitive, dmp, data_protection, storage, data_publication, data_transfer, data_analysis]
+  your_tasks: [sensitive, dmp, data_security, GDPR_compliance, storage, data_publication, data_transfer, data_analysis]
   your_domain: [human_data]
 training:
   - name: Training in TeSS

pages/tool_assembly/transmed_assembly.md

@@ -5,7 +5,7 @@ description: TransMed tool assembly from ELIXIR Luxembourg supports projects in
 page_id: transmed
 affiliations: [ELIXIR Europe, LU]
 related_pages: 
-  your_tasks: [compliance, storage, metadata, data_organisation, data_analysis, sensitive, data_protection, dmp]
+  your_tasks: [compliance, storage, metadata, data_organisation, data_analysis, sensitive, GDPR_compliance, dmp]
   your_domain: [human_data]
 ---
 

pages/tool_assembly/tsd_assembly.md

@@ -5,7 +5,7 @@ description: The Sensitive Data Service (TSD) provides a platform to store, comp
 page_id: tsd
 affiliations: ["NO", ELIXIR Europe, University of Oslo]
 related_pages: 
-  your_tasks: [dmp, storage, sensitive, data_protection, transfer]
+  your_tasks: [dmp, storage, sensitive, data_security, GDPR_compliance, transfer]
   your_domain: [human_data]
 training:
   - name: Documentation for the HPC cluster

pages/your_domain/human_data.md

@@ -4,7 +4,7 @@ description: Data management solutions for human data.
 contributors: [Niclas Jareborg, Nirupama Benis, Ana Portugal Melo, Pinar Alper, Laura Portell Silva, Wolmar Nyberg Åkerström, Nazeefa Fatima, Teresa D'Altri]
 page_id: human_data
 related_pages:
-  your_tasks: [sensitive]
+  your_tasks: [sensitive, GDPR_compliance]
   tool_assembly: [tsd, covid-19, transmed]
 training:
   - name: Training in TeSS
@@ -55,7 +55,7 @@ When working with human data, you must follow established research ethical guide
   * The [Global Alliance for Genomics and Health (GA4GH)](https://www.ga4gh.org) has recommendations for these issues in their [GA4GH regulatory and ethical toolkit](https://www.ga4gh.org/genomic-data-toolkit/regulatory-ethics-toolkit/), see for instance the [Consent Clauses for Genomic Research](https://drive.google.com/file/d/1O5Ti7g7QJqS3h0ABm-LyTe02Gtq8wlKM/view?usp=sharing).
 * Personal data protection legislation:
   * **Within the EU.** If you are performing human data research in the EU, or your data subjects are located in the EU, then you must adhere to the General Data Protection Regulation - GDPR.
-    * Requirements for research that fall under the GDPR are outlined in the [RDMkit Data protection page](data_protection). 
+    * Requirements for research that fall under the GDPR are outlined in the [RDMkit GDPR compliance page](GDPR_compliance). 
     * Attributes of the data determines data sensitivity and  sensitivity affects the considerations for data handling. The [RDMkit Data Sensitivity page](sensitive_data) provides guidance on determining and reducing data sensitivity.
   * **Outside the EU.** For countries outside the EU, the [International Compilation of Human Research Standards](https://www.hhs.gov/ohrp/sites/default/files/2020-international-compilation-of-human-research-standards.pdf) list relevant legislations.
 

pages/your_role/data_steward_infrastructure.md

@@ -4,7 +4,7 @@ description: Data Steward with focus on tools (software) and IT infrastructure f
 contributors: [Mijke Jetten, Federico Bianchini, Gregoire Rossier, Erik Hjerde, Siiri Fuchs, Minna Ahokas, Priit Adler, Alexander Botzki, Robert Andrews, Celia van Gelder, Daniel Wibberg, Graham Hughes, Marko Vidak, Pedro Fernandes, Pinar Alper, Victoria Dominguez D. Angel, Wolmar Nyberg Åkerström, Alexia Cardona]
 page_id: it_support
 related_pages: 
-  your_tasks: [data_analysis, data_protection, data_brokering, transfer, identifiers, storage, data_organisation, machine_actionability, dm_coordination, data_provenance]
+  your_tasks: [data_analysis, data_security, data_brokering, transfer, identifiers, storage, data_organisation, machine_actionability, dm_coordination, data_provenance]
 training:
   - name: TeSS - ELIXIR’s training portal
     registry: TeSS

pages/your_role/data_steward_policy.md

@@ -4,7 +4,7 @@ description: Data Steward with focus on data policies.
 contributors: [Mijke Jetten, Federico Bianchini, Gregoire Rossier, Erik Hjerde, Siiri Fuchs, Minna Ahokas, Priit Adler, Alexander Botzki, Robert Andrews, Celia van Gelder, Daniel Wibberg, Graham Hughes, Marko Vidak, Pedro Fernandes, Pinar Alper, Victoria Dominguez D. Angel, Wolmar Nyberg Åkerström, Alexia Cardona]
 page_id: policy_officer
 related_pages: 
-  your_tasks: [compliance, licensing, dmp, data_protection, sensitive, dm_coordination]
+  your_tasks: [compliance, licensing, dmp, GDPR_compliance, sensitive, dm_coordination]
 training:
   - name: TeSS - ELIXIR’s training portal
     registry: TeSS

pages/your_role/data_steward_research.md

@@ -4,7 +4,7 @@ description: Data Steward with focus on management of research data.
 contributors: [Mijke Jetten, Federico Bianchini, Gregoire Rossier, Erik Hjerde, Siiri Fuchs, Minna Ahokas, Priit Adler, Alexander Botzki, Robert Andrews, Celia van Gelder, Daniel Wibberg, Graham Hughes, Marko Vidak, Pedro Fernandes, Pinar Alper, Victoria Dominguez D. Angel, Wolmar Nyberg Åkerström, Alexia Cardona]
 page_id: data_manager
 related_pages: 
-  your_tasks: [compliance, dmp, data_organisation, licensing, metadata, data_protection, data_publication, data_quality, transfer, identifiers, machine_actionability, dm_coordination, data_provenance]
+  your_tasks: [compliance, dmp, data_organisation, licensing, metadata, data_securitys, data_publication, data_quality, transfer, identifiers, machine_actionability, dm_coordination, data_provenance]
 training:
   - name: TeSS - ELIXIR’s training portal
     registry: TeSS

pages/your_tasks/GDPR_compliance.md

@@ -0,0 +1,79 @@
+---
+title: GDPR compliance
+contributors: [Pinar Alper, Yvonne Kallberg, Vilem Ded, Eva Csosz, Niclas Jareborg]
+description: How to protect your research data, and how to make research data compliant to GDPR.
+page_id: gdpr_compliance
+related_pages: 
+  tool_assembly: [tsd, transmed]
+  your_tasks: [data_security]
+training:
+  - name: Training in TeSS
+    registry: TeSS
+    url: https://tess.elixir-europe.org/search?q=data+protection#materials
+dsw:
+- name: Will you collect any data connected to a person, "personal data"?
+  uuid: 49c009cb-a38c-4836-9780-8a8b3dd1cbac
+- name: Do you need a Data Protection Impact Assessment?
+  uuid: 8915bd25-db22-4ed6-bcc8-b1bbdc52989e
+faircookbook:
+- name: Licensing Data
+  url: https://w3id.org/faircookbook/FCB034
+- name: Declaring data permitted uses
+  url: https://w3id.org/faircookbook/FCB035
+- name: Data Protection Impact Assessment and Data Privacy
+  url: https://w3id.org/faircookbook/FCB074
+---
+
+## How do you protect research data under GDPR?
+
+### Description
+
+Where scientific research involves the processing of data concerning identifiable people in the European Union (EU), it is subject to the General Data Protection Regulation (GDPR). The GDPR applies a ["special regime"](https://edps.europa.eu/sites/edp/files/publication/20-01-06_opinion_research_en.pdf) to research, providing derogations from some obligations given appropriate criteria are met and safeguards are in place. The criteria is to follow standards in research method and ethics, as well as to aim societal benefit rather than serving private interests in research.
+
+The safeguards are a multitude and include:
+  * data collection with informed consent under ethical oversight and accountability;
+  * ensuring lawful processing and exchange of human-subject information;
+  * putting in place organisational and technical data protection measures such as encryption and pseudonymisation.
+
+The practical impact of the GDPR on research is, then, establishing these safeguards within projects.
+
+### Considerations
+
+Seek expert help for the interpretation of GDPR legal requirements to practicable measures.
+  * Research institutes appoint Data Protection Officers (DPO). Before starting a project you should contact your DPO to be informed of GDPR compliance requirements for your institution.
+  * Each EU country has its own national implementation of the GDPR. If your project involves a multi-national consortium, the requirements of all participating countries need to be met and you should inform the project coordinator of any country-specific requirements.  
+  * Legal offices in research institutes provide model agreements, which cater for various research scenarios and consortia setups. You should inform your local legal office of your project's setup and identify the necessary agreements to be signed.
+
+Assess your project under the GDPR.
+  * Determine your GDPR role. Are you a data controller, who determines the purposes and means of the processing, or, are you a data processor, who acts under instructions from the controller?
+  * If you are a controller, you need to check whether your processing poses high privacy risks for data subjects, and if so, perform a  Data Protection Impact Assessment (DPIA).
+     * The GDPR lists certain data e.g. race, ethnicity, health, genetic, biometric data as [special category](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/how-my-personal-data-protected/how-data-my-religious-beliefs-sexual-orientation-health-political-views-protected_en), requiring it's heightened protection. Your research will be considered high risk processing if it involves special category data or if it includes some specified types of processing.
+     * A DPIA is often a pre-requisite for ethics applications. Your DPO or local ethics advisory board can help determine whether your project requires a DPIA.  
+     * Performing the DPIA while writing the DMP will allow you to reuse information and save time.
+     * An outcome of the DPIA will be a listing of risks and corresponding mitigations. Mitigations identify the data protection measures you'll adopt, both technical organisational.
+
+Apply technical and organisational measures for data protection. These include:
+  * institutional policies and codes of conduct;
+  * staff training;
+  * user authentication, authorisation, data level access control;
+  * data privacy measures such as pseudonymisation, anonymisation and encryption,
+  * arrangements that will enable data subjects to exercise their rights.
+
+Record your data processing. To meet GDPR's accountability requirement you should maintain records on the following:
+  * project stakeholders and their GDPR roles (controller, processor);
+  * purpose of your data processing;
+  * description of data subjects and the data;
+  * description of data recipients, particularly those outside the EU;
+  * logs of data transfers to recipients and the safeguards put in place for transfers, such as data sharing agreements;
+  * time limits for keeping different categories of personal data;
+  * description of organizational and technical data protection measures.
+
+### Solution
+
+  * [EU General Data Protection Regulation](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN).
+  * [European Data Protection Supervisor's "Preliminary opinion on Data Protection and Scientific Research"](https://edps.europa.eu/sites/edp/files/publication/20-01-06_opinion_research_en.pdf)
+  * [GDPR-Carpa - A Luxembourgish certification mechanism according to the GDPR criteria](https://cnpd.public.lu/en/actualites/national/2022/06/adpoption-gdpr-carpa.html)
+  * [BBMRI-ERIC's Ethical Legal Societal Issues (ELSI) Knowledge Base](https://www.bbmri-eric.eu/elsi/knowledge-base/) contains a glossary, agreement templates and guidance.
+  * [Data Information System DAISY](https://daisy-demo.elixir-luxembourg.org/) is software tool from ELIXIR that allows the record keeping of data processing activities in research projects.
+  * [DAWID](https://dawid.elixir-luxembourg.org) is a software tool from ELIXIR that allows generation of tailor-made data sharing agreements
+  * [Tryggve ELSI Checklist](https://scilifelab-data-guidelines.readthedocs.io/en/latest/docs/general/sensitive_data.html) is a list of Ethical, Legal, and Societal Implications (ELSI) to consider for research projects on human subjects.

pages/your_tasks/data_brokering.md

@@ -36,7 +36,7 @@ There are many aspects to consider when getting started as a broker.
 * Identify what kind of processing you will handle as a broker, such as (meta)data curation and validation, data masking/anonymisation.
 * Define the time frame for your commitment and your responsibilities for the data, such as how to handle data loss before delivery, what to do with the data after a successful delivery, how to manage changes to data that has already been delivered, etc.
 * Identify who is responsible for the data before, during and after delivery, such as the data controller/processor (according to GDPR) and/or intellectual property owner/licensee relationships between the provider and recipient
-* Ensure that you will be able to establish contracts/agreements that cover the data and processing that you will handle, such as considerations for [data protection](data_protection), [licensing](licensing), and [compliance](compliance_monitoring).
+* Ensure that you will be able to establish contracts/agreements that cover the data and processing that you will handle, such as considerations for [data security](data_security), [licensing](licensing), [GDPR](GDPR_compliance) and general [compliance](compliance_monitoring).
 * Estimate and secure the resources required to keep your commitment, such as staff with time and necessary skills, accounts, compute, storage and software
 * Refer to the sections below for considerations related to collecting data from data providers and delivering data to public data repositories.
 
@@ -45,7 +45,7 @@ There are many aspects to consider when getting started as a broker.
 
 The solutions that you adopt will vary depending on the agreements you have negotiated with data providers and/or recipients. The following are examples of general solutions that would help you comply with regulations and implement good data management practices.
 * [Data management plan](data_management_plan) – Many questions that you would answer while writing a data management plan can be relevant to answer when you specify the terms of service for your brokering service, such as data storage, data standards, legal and ethical, etc. 
-* [Data protection](data_protection) – If you are working with data concerning people in the EU, you should make sure to comply with both national and international regulations for data protection.
+* [GDPR compliance](GDPR_compliance) – If you are working with data concerning people in the EU, you should make sure to comply with both national and international regulations for data protection.
 * Apply for brokering permissions at the repository where you plan to submit data. For example, you can have a broker account at ENA; in this case, please visit [ENA Documentation](https://ena-docs.readthedocs.io/en/latest/faq/data_brokering.html) for guidelines on how to apply for such an account.
 
 ## Collecting and processing the metadata and data