EU scientific data processing and sharing (1/2)

A blast from the past: remember when GDPR came into force in 2018? Here are a few things I learned along the way and a refresher on it.

Remember GDPR?

Well of course you do - anyone dealing with EU citizens' personal data, being in the EU zone or not, has to abide by the General Data Protection Regulation. This 'future proof' law aims at protecting Personally Identifiable Information and it established information and protection of PII as a human right.

Scientific Personal Data 

Given the scope of GDPR, I am focusing here on data about living human participants that contain information that can be used to re-identify them, that is, data that were already pseudonymized - because no one needs to do research on the source data. I curated data from basic behavioural studies to medical imaging in patients, and I repeat: no one needs to work on data with people's ID on or in it. Go on, demonstrate the opposite to me! I am genuinely interested to learn about cases where it is needed.

In many behavioural studies, there is simply no need to have PII associated with the research data - i.e. collect data fully anonymized from the start (your participants' PII are for record keeping: consent and compensation). Unless the collected research data contain personal information themselves (see below the case of brain imaging), you can then just process, share, etc. (Article 11).

challenge me on this

Example from Brain Imaging

My colleagues, friends and I published an article about Consent for brain imaging. Three key aspects have to be considered here: (1) brains are unique and can thus be considered as a biometric feature (e.g. Gaspar et al., 2011, Leppäaho et al., 2019, Duan et al., 2020); (2) often data concern patients and some are used while testing new treatments, all these being health data records; (3) additional health, behavioural, and cognitive data are typically associated with the brain imaging data, the aim being to search for biomarkers or more fundamentally understand how the brain works to produce different abilities. With all of this in mind, it seems obvious that such data are very difficult to anonymize since there are different ways to re-identify. Worse, one might even argue that those enter the special category of data.

Brainprinting from ERP, MEG/Genome association and morphometrics

Be reassured 

While all of this is scary, most scientific research on human participants comes from public institutions (universities and hospitals - well, I think so, but I would love to see numbers if someone has a source for that) and as long as we have the informed consent of participants, there should not be any big problems. A reassuring look at Article 89 will confirm that while one needs to be wary of people's rights, we can totally process PII - and data sharing is a form of processing. This is why in the open brain consent we argue that you must inform and consent participants about your study and also inform and consent about data sharing.

My study is too specific

GDPR wants PII to be used only for the purpose for which it was obtained, so you may think you cannot use your research data for anything else. WRONG. Check out those beautiful recital 33 and recital 50. The important part is that you need to consent people to be able to use their data for the 'general' purpose of your study, for instance, cardio-thoracic research. Rather than limiting consent to the specifics of the study you are conducting at a particular moment in time, make participants aware that there is value in their data beyond the point of collection, and let them decide if they are ok with further processing. Thanks to recital 50, others can even reuse these data given the 'general(ish)' purpose for which data were collected.

Now the tricky part: data sharing

Sharing inside the EU is easy, but it cannot be fully open since one needs to protect PII. It cannot be fully open on the web, since data could go outside the EU. In such cases, additional signed paperwork is needed, such as standard contractual clauses - but this is not impossible. Article 49 also makes it clear that if consent to transfer is obtained, after informing subjects of risks, data can be shared with non-EU countries (besides those on the 'agreed' list). The EU wants to protect people, not block trade or research.

Bottom line: 

Check with your Data Protection Officer how you can share data rather than asking whether you can - we can, but need to do so safely, that's all.

Read further 

The open brain consent website: https://open-brain-consent.readthedocs.io/en/stable/

Open Brain Consent working group (2021). The Open Brain Consent: Informing research participants and obtaining consent to share brain imaging data. Human Brain Mapping, 1-7.

OHBM blog post in which we discuss brain imaging and GDPR 

My open review of 'Information Provision for Informed Consent Procedures in Psychological Research under the GDPR: A Practical Guide' (preprint)
