Personal Data: Legal Issues in Research Data Collection and Sharing by EUDAT
DESCRIPTION
v1.0, June 2014 - Protection of personal data is a major concern of many. The EU Data Protection Directive (95/46/EC) identifies it as any information relating to an identified or identifiable natural person. However, what exactly do we mean by processing of personal data? When is it lawful? Are there any special categories of personal data? What is consent? What are the obligations of the data controller? Download this presentation and find out. Who is it for? Researchers, Data Managers, General public.
TRANSCRIPT
Legal Issues in Research Data Collection and Sharing: Personal Data
www.eudat.eu
Part of an EUDAT series on Legal Issues www.eudat.eu
Content generated by
Pawel Kamocki, IDS Mannheim
V1.0 – June 2014
Table of Contents
I. Personal Data
  What is personal data?
  What is processing?
  What are special categories of personal data?
  When is processing of personal data lawful?
  What is consent?
  What are the obligations of the data controller?
  What are the rights of the data subject?
  Are there any exceptions?
II. Personal Data - New regulation
III. About EUDAT
I. Personal Data
• Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
• National implementations
• General Data Protection Regulation 2014?
• What is personal data?
  • any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
  • to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used (recital 26)
• What is processing?
  • any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction = everything
• What are special categories of personal data?
  • personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.
  • processing prohibited unless the data subject has given explicit consent or makes the data manifestly public.
• When is processing of personal data lawful?
  • the data subject has unambiguously given his consent
  • necessary for the performance of a contract to which the data subject is party
  • necessary for the compliance with a legal obligation to which the data controller is subject
• What is consent?
  • any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed
  • writing recommended (if not obligatory)
  • the consent for processing of special categories of personal data must be explicit

  (a) the identity of the controller and of his representative, if any;
  (b) the purposes of the processing for which the data are intended;
  (c) any further information such as
    - the recipients or categories of recipients of the data,
    - whether replies to the questions are obligatory or voluntary, as well as the possible consequences of failure to reply,
    - the existence of the right of access to and the right to rectify the data concerning him
  in so far as such further information is necessary, having regard to the specific circumstances in which the data are collected, to guarantee fair processing in respect of the data subject.
• What are the obligations of the data controller?
  • data economy: adequate, relevant and not excessive data collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes; data which is no longer necessary should at least be anonymized
  • data security: must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access
• What are the rights of the data subject?
  • information
  • access to data (rectification, erasure, blocking of unlawfully processed, inaccurate or incomplete data)
  • objection (to processing for direct marketing purposes)
• Are there any exceptions?
  • the doctrine of compatible purposes (historical, statistical or scientific - if Member States provide appropriate safeguards) (see: Opinion 03/2013 on purpose limitation)
  • vary across jurisdictions
  • anonymized / pseudonymized data (see: Opinion 05/2014 on Anonymisation Techniques)
II. Personal Data - New Regulation
• Research exception in art. 83
  1. In accordance with the rules set out in this Regulation, personal data may be processed for historical, statistical or scientific research purposes only if:
  (a) these purposes cannot be otherwise fulfilled by processing data which does not permit or not any longer permit the identification of the data subject;
  (b) data enabling the attribution of information to an identified or identifiable data subject is kept separately from the other information under the highest technical standards, and all necessary measures are taken to prevent unwarranted re-identification of the data subjects.
• Exception for archive services in art. 83a
• New, stricter definition of personal data:
  • To determine whether a person is identifiable, account should be taken of all the means reasonably likely to be used either by the controller or by any other person to identify or single out the individual directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the individual, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration both available technology at the time of the processing and technological development.
III. About EUDAT
EUDAT is...
• a pan-European initiative building a sustainable cross-disciplinary and cross-national data infrastructure providing a set of shared services for accessing and preserving research data
• supporting multiple research communities by working closely with them to deliver these technical services as part of the EUDAT Collaborative Data Infrastructure (CDI)
A truly pan-European Infrastructure
Research Communities, National Data Centres, Technology Providers
general data centres, community centres representing all the associated community data centres
Offering permanence, persistence, reliability and long term solutions
The EUDAT services suite
Contact us for more information [email protected]
The author wishes to acknowledge the many valuable suggestions made by:
Marc Stauch, Ville Oksanen & Adam Carter
Content generated by
Pawel Kamocki, IDS Mannheim, [email protected]