EU scientific data processing and sharing (2/2)

A review of "Information Provision for Informed Consent Procedures in Psychological Research under the GDPR: A Practical Guide" from the preprint

Funny coincidence: the week I was attending a 4-day-long GDPR training course, this GDPR paper came out! Perfect opportunity to apply my freshly updated knowledge.

In case you missed it and are in love with data sharing and EU law, you can also check part 1 of this blog, in which I quickly review what the law says and how it works for science.

Open Review - general comments

I found the paper overall too 'pessimistic', making it seem as if GDPR makes it hard to process and share data - which I partly disagree with. Besides this feeling it gave me, well, it's good academic work with references, examples, etc.

There is one elephant in the room

There is one thing that is clearly missing in my opinion: does psychological research need personally identifiable information?

Article 11 of the GDPR: 

  1. If the purposes for which a controller processes personal data do not or do no longer require the identification of a data subject by the controller, the controller shall not be obliged to maintain, acquire or process additional information in order to identify the data subject for the sole purpose of complying with this Regulation.

As a researcher, to me, this is the 1st thing I want to do. Think about the data I want to collect and if PII is needed. As quickly discussed in the 1st post, I think many behavioural studies can simply use this. 

So which psychological research is concerned by GDPR?


I agree with the authors (in Box 1) that when data include large demographics and health data, that record could lead to re-identification and thus this should still be considered personal data even after pseudonymization. Obviously, this also covers any behavioural-genetic studies, as this is a special category of data. Finally, I would add any brain imaging studies, as these can also be used for re-identification. Besides those cases, psychology research is not concerned with GDPR per se, although it will be needed to inform participants that data are going to be fully anonymized and thus no information about their data in particular can be given.

An example? Each log file of a 'standard' behavioural experiment has a randomly generated ID on it, and no one knows how this links to the real participant's ID (which you do have for record keeping: consent and compensation) - your research data have no PII.

Nitty-gritty

This part is mostly for the authors to give detailed feedback.

Throughout: Article 29 Working Party was superseded by GDPR so it is irrelevant to cite. The idea developed remains - mostly in article 7.

P3: national laws do not 'regulate' GDPR but each country can have derogations (article 89) and additional protective measures - effectively it works as a 'regulation' but it just sounds weird to say so IMO

P5: the DPO's job is to help the data controller - he/she should never be mentioned in the consent or information sheet - the Supervisory Authority details should

P5 purpose of processing: article 89 and recital 33 make it clear research is different 'It is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection'

P7 recipients inside a project: it is not true that participants must be informed of any other people processing their data (check the role of a data processor for instance) - it is the responsibility of the data controller to ensure that any other processing is lawful and you can make this easier by having people consenting on further processing for research purposes aligned with the current one.

P8 external parties: it is not true that participants must be informed of processing by the SA or the law -- in fact that does not apply to SA and law enforcement as this is considered 'out of scope' right from the start in article 2

P8 type of data collected: I don't like the sentence on 'researchers should exercise discretion' - even though I understand in this context what is meant - they must follow the principle of minimization Art5(c) and thus collect only what is needed.

P8 type of data generated: where is it in GDPR? I don't think it is the case that one has to report on that. If a subject asks, and you have kept a record linking their data to names, then yes you must provide it. 

P8 quick note on diagnostic: diagnostic may come from your T1w, T2w, but certainly not from fMRI sequences

P9 international transfer: it is totally exaggerated IMO (part b) - one can totally transfer PII data outside the EU: via Binding Corporate Rules, via Standard Contractual Clauses, and using Consent.

P9-10 storage period: there is a catch-22 - if data are shared and people have downloaded them, you cannot remove all traces, and this information should go in the consent as part of the risks

P11 contractual or statutory requirements: I have no idea what this is supposed to be - a contractual case for processing is, e.g., for a service to be performed, where the controller must process PII so there is no need for consent - this part needs a concrete example from psychology research to see if that even applies (or delete)

P11 automated decision making: same reasoning as above - which concrete research case will rely on profiling for automated decision making affecting subjects' outcomes? (a concrete case in our lives is an algorithm that uses your PII to decide if you can have a loan - then it is our right to refuse this)

As always, reviews look negative but it's still a great paper and an excellent initiative. 
