Recommendations for processing data about humans

Introduction

These recommendations are based on the results of one of the ROSiE project work packages aimed at mapping, analysing and addressing social and legal implications and challenges related to Open Science in the context of research ethics and research integrity.

The recommendations for processing data about humans are based on a deliverable that assessed the legal aspects of open science using a legal dogmatic methodology.

Processing data about humans

  1. Assess the identifiability of the data, keeping in mind that the threshold for considering data anonymous varies between jurisdictions. In the EU/EEA, the threshold for considering data anonymous under Regulation (EU) 2016/679 (GDPR) is very high. If individuals can be identified from the dataset itself or by linking it with other datasets, or if individual records can be singled out, the data is personal data and must be processed in accordance with the GDPR. Pseudonymized data remains personal data.
  2. Even if the data is anonymous, consider the impact of the data on groups, to avoid group discrimination or other forms of misuse.
  3. If depositing data in a research repository, or sharing the data with new researchers/research institutions, consider the following in relation to the GDPR and domestic research ethics legislation:
  • If required, conduct a Data Protection Impact Assessment in accordance with Article 35 of the GDPR.
  • Assess whether the repository or new user is a new controller, a joint controller, or a data processor, and enter into the necessary contracts in accordance with the roles.
  • Assess which country’s courts and which country’s laws apply.
  • Ensure that the limits of the ethics approval and the informed consent are respected and that a lawful basis for data processing in accordance with Articles 6 and 9 of the GDPR is in place. For research repositories, assess the procedures for ensuring this for new users.
  • If the repository or new user is based outside the EEA or with an international organization, ensure that a Chapter V GDPR transfer mechanism is in place.
  • For data repositories, assess the procedures for data access. For new users, assess potential onward transfers.
  • Assess the fulfillment of data subject rights, and that personal data is processed fairly and in a transparent manner in relation to the data subject/research participant.
  • Assess the technical and organizational measures in accordance with Article 5(1)(f) and Article 32 of the GDPR, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage.
  • Assess the procedures for ensuring that the personal data is accurate and, where necessary, kept up to date, in accordance with the principle of accuracy in Article 5(1)(d).
  • Assess the compliance with the principle of data minimization in Article 5(1)(c), that personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
  • Assess the compliance with the principle of purpose limitation in Article 5(1)(b), that personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes.
  • Assess the compliance with the principle of storage limitation in Article 5(1)(e), that personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), subject to the implementation of the appropriate technical and organizational measures required by the GDPR in order to safeguard the rights and freedoms of the data subject/research participant. Assess the fulfillment of your research institution’s accountability duties under Article 5(2).
  • If applicable, assess the procedures for returning research results, including incidental findings, to research participants, and how the rights to know and not to know are respected.

Specific and practical guidance from the European Commission addressing all the points above, on how to comply with EU data protection legislation while achieving the aim of open science, would be useful to researchers. The European Data Protection Board plans to prepare Guidelines on the processing of data for medical and scientific research purposes in 2023/2024, and these may be a useful starting point for such open science guidance.


This passage is part of D2.3 Recommendations for addressing social challenges in OS written by Heidi Beate Bentzen, Teodora Konach, Signe Mežinska.