GDPR for research demystified

 One last GDPR round

This month (February 2023) I gave a talk to the British Neuroscience Association about data privacy. This time around I played the card of demystifying GDPR.

I have previously discussed why I think we can share data lawfully. What I want to do here is give you the actual parts in GDPR articles to point to your Data Protection Officer and layers to demonstrate once and for all you are allowed to share.

 

The easy one: share privately among EU colleagues

Article 1(3): The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data

Well, that's it, what do you want me to say - among EU members we can share personal data.

Sharing for science

Article 5:  Principles relating to processing of personal data

1.b. Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);

let's check Article 89(1): Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes: Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organisational measures are in place in particular in order to ensure respect for the principle of data minimisation. Those measures may include pseudonymisation provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner.

As a researcher in EU, you can share pseudonymized data, so basically our brain imaging data with no IDs one them, but make sure to share only what is necessary for the research purpose. That's it.

Sharing outside EU 

There is nothing that says we cannot share personal data with countries outside the EU, what one cannot do is share as freely as with other EU state members. This issue relates to the so-called adequacy decisions.  

Some countries are considered just like EU states: The effect of such a decision is that personal data can flow from the EU (and Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary: Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland , the United Kingdom under the GDPR and the LED, and Uruguay as providing adequate protection.

Other countries require additional safeguards (sorry USA friends): Article 46 (b): The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorisation from a supervisory authority, by: (a) legally binding and enforceable instrument between public authorities or bodies; binding corporate rules in accordance with Article 47; (b) standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2);  .... 

So for people located in adequate countries, no need to do anything, for others, you need to have a contract signed ... no need to worry, this contract is a standard contract called Standard Contractual Clauses which ensures 'appropriate data protection safeguards'. 

This initial purpose does not limit what we can do

 

 

Article 5 (b) above already mentions that the collection purpose should not limit usage for science. 

Two additional recitals exist to make it cristal clear, no issues here

Recital 33: It is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research. Data subjects should have the opportunity to give their consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose.

Recital 50:  The processing of personal data for purposes other than those for which the personal data were initially collected should be allowed only where the processing is compatible with the purposes for which the personal data were initially collected. In such a case, no legal basis separate from that which allowed the collection of the personal data is required. If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Union or Member State law may determine and specify the tasks and purposes for which the further processing should be regarded as compatible and lawful. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes should be considered to be compatible lawful processing operations.

What you do need to do is (1) have consent to share data -- make your life easy and separate that from the consent to participate in a study (this part is related to ethics, ethics has no saying on the legality of sharing), (2) indicate in that form the purpose, like 'biomedical research', this creates some limitation but nothing that makes re-usage impossible.

Done

Now you have it, all the relevant bits (articles 1, 5, 46, 89, recitals 33, 55 and adequacy decisions) you can throw at people that tell you, you cannot share, YES YOU CAN.