-Data identifiability must be assessed in light of the data in question, planned total storage time, available resources, technological advances, and the reidentification literature.
-Compliance with the informed consent to research participation, (if applicable) the ethics approval, and a lawful basis for personal data processing must also be ensured for secondary use.
-The principles of data protection (Article 5 of the GDPR) must be respected. Technical and organizational measures must be in place to protect against unauthorized or unlawful data processing and against accidental loss, destruction, or damage. Data subject rights must also be respected if data is deposited in a research repository or otherwise reused. If applicable, an incidental findings policy should also apply for the secondary use of the data.
-Controlled access and the use of EEA-based repositories will alleviate several legal issues.
-Technological solutions, such as blockchain and federated sharing/training, may assist in legal compliance.
-Benefit sharing measures should be considered when private companies are new data users.
-The legal challenges pertaining to data transfers to non-EEA countries must be solved on a legislative level in the EEA and the relevant non-EEA countries.
This passage is part of D2.4: Report on Social and Legal Implications and Challenges Related to OS written by Heidi Beate Bentzen, Teodora Konach, Signe Mežinska.