# WORKSHOP - Opening and sharing of personal data: Ethical and legal issues and solutions

![qrcode_hackmd.io](https://hackmd.io/_uploads/SJCnElX40.png)

:::success
## Details on the workshop

*When*: 29/05/2024

*Where*: NeIC 2024, Tallinn

*Resources*: [slides for the introduction](https://docs.google.com/presentation/d/1chyG67ZZF-jpdTfRzv8IvquofqBWQnIu2Fc68stTRfk/edit?usp=sharing)

*This collaborative document:* https://hackmd.io/@eglerean/researchdataprotection

*Backup version:* https://notes.coderefinery.org/researchdataprotection

*Code of Conduct:*
- Be respectful, open to new perspectives, welcome others' opinions, speak with care
- Let's make this a safe space for discussions
- Do not write anything here that you wouldn't write publicly on the internet
- If you notice inclusion barriers, please do not hesitate to act
- We follow the [CodeRefinery code of conduct](https://coderefinery.org/about/code-of-conduct/)
:::

# 0. Warming-up

## Let's first agree on which tool to use for the workshop
- Pen and paper (do we have them?)
- This hackmd (the most flexible tool, but everyone should have a laptop) oo
- This "presemo" https://presemo.aalto.fi/researchdataprotection (much more accessible for someone with only a mobile phone)

## Icebreaker 1
**What is your background?**
- Researcher: oo
- Technical support at research org: oooooooo
- Administrative support at research org oo
- Legal support at research org
- Ethics support at research or o
- Other ooo

## Icebreaker 2
**Do you think research data containing personal data should be opened for transparency and reuse?**

*Personal data can be anything related to an individual: E-mail address (such as firstname.lastname@company.com), Telephone number, Identity card number, Car registration number, Positioning data (e.g. from a mobile phone), IP address, Patient records, ...*

- Yes, 100% open
- Mostly yes, as open as possible oo
- Open only on request: we must control who accesses it and what they do with it
- Not open at all: participants' privacy is more important
- Not sure/impossible to answer/case-by-case specific answer: o
- Yes, but not just CC0 (as long as the subject did not agree to this type of publishing)
- As open as possible, as closed as necessary oooo

## Icebreaker 3
**Do you think that current data protection regulation and other legislations regulating the reuse of personal data have made it more difficult for researchers to work with personal data?**
- Yes, things got much worse
- Somewhat yes ooo
- Neutral / I am not sure: ooo
- Somewhat no
- No, it is actually easier now ooo

Yes, or rather, they have put a price tag on it, which makes people actually consider them. If you count it as easier to break the law, it is now harder.

# 1. Introduction

[slides for the introduction](https://docs.google.com/presentation/d/1chyG67ZZF-jpdTfRzv8IvquofqBWQnIu2Fc68stTRfk/edit?usp=sharing)

# 2. Workshop task

For each level of the pyramid, you can write
- a comment,
- a service that implements that layer
- an infrastructure that is useful
- an example of a process that works
- ... or one that does not work
- an unresolved issue
- a wish for the future.

Imagine that we are building a map for researchers AND for policy makers, infrastructure makers, university management, research software engineers, lawyers, ethical committee members...

Note: Please remember that it can be any type of research data with personal data, from interviews about your music taste, to special categories of sensitive data (Art.9(1) *Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.*)

![pyramid](https://hackmd.io/_uploads/HkGfQUmVC.png)

## Access (IT+RS)
- Having a shared infrastructure for the hosting would be great, or at least a common infrastructure
- Common infrastructure might mitigate increasing access costs
- Compute resources in proximity of the data hosting (storage) infrastructure
- In Sweden: NAISS SENS. They had the Bianca system with a private cluster inside the SUNET network; it starts a private cluster inside the cluster. Bianca is end of life in 2024, and Maja by NAISS will take over from it. The final system will be EuroHPC Arrhenius Sensitive
- Other Swedish data-related systems and solutions
    - https://datahub.aida.scilifelab.se/
    - https://www.scb.se/en/services/ordering-data-and-statistics/ordering-microdata/mona--statistics-swedens-platform-for-access-to-microdata/
- Sweden local systems: COSMO-SENS (Lund), TRE (Göteborg), VESTA (Uppsala), KI also have some secure storage

## Agreement (IT+RS+Legal)
- ...
- ...
- ...
- ...

## Request for access (IT+RS+Legal+Ethics)
- ...
- ...
- ...
- ...

## Data preparation (RS+Researchers)
- The data shared should be the data the research was done on. Otherwise access to the original data needs to be arranged.
- ...
- ...
- ...

## Consent for reuse (Researchers)
- Comment: Consent of reuse is not up to the researcher in Sweden. A very common mistake researchers make is that in their consent documents they promise that data will only be available to the research team, which is against Swedish law and can never be promised.
- My understanding is that you should work without consent as much as possible
- The general guideline is to not rely on consent alone as a basis for legality of your access to data.
- ...

## Ethical legal approval (Ethics+Legal)
- researcher applies for ethical approval
- ...
- ...
- ...

---

Please write at the bottom of each sub-section. If this document gets slow for whatever reason, please use this backup version

## General comments

As a general comment, in Sweden the Swedish National Data service provides the general competence of Domain Specialist that help Researchers and RS to navigate the processes of handling

WRT to the comment about Notifying your DPO about a potential breach:
- I think this is actually quite important for the classic "cover your ass" approach. If you report it to your DPO, it is up to them to decide whether they report it on. If they don't, you have fulfilled your reporting duty.