WORKSHOP

SUMMARY

WORKSHOP • 29 AUGUST 2018

Lunchtime workshop: Data protection for scientific research: Which preliminary findings under the GDPR?

by Olga Gkotsopoulou, Brussels Privacy Hub, LSTS, VUB

SUMMARY

On 29 August 2018, the Brussels Privacy Hub in cooperation with the Promoting Integrity as an Integral Dimension of Excellence in Research (PRINTEGER) project held a lunchtime workshop on “Data protection for scientific research: Which preliminary findings under the GDPR?”. The event took place in the Lisbon Conference Room of the Institute for European Studies (IES), from 12:00 to 13:45. Serge Gutwirth (LSTS, VUB) chaired the panel, which consisted of academics and Data Protection Officers: Marlon Domingus (Data Protection Officer, Erasmus University Rotterdam), Audrey Van Scharen (Data Protection Officer, VUB), Jef Ausloos (Legal Researcher, CiTiP, KU Leuven), Gloria González Fuster (LSTS/BPH, VUB).

Serge Gutwirth welcomed the speakers and the audience in a full room and gave the floor first to Gloria González Fuster (LSTS/BPH, VUB), who gave a brief introduction to the key findings of the PRINTEGER project. The project started in September 2015 and was concluded in August 2018, coordinated by the Institute for Science, Innovation and Society of the Radboud University Nijmegen. The aim of the project, which was co-funded by the European Union in parallel with other similar research initiatives, was to carry out research about research integrity and scientific misconduct. The PRINTEGER consortium has been working the past three years on the interdisciplinary dimension of the issue, with VUB devoting special attention to the legal aspects, attempting to answer the questions of what research integrity is for the law, and what does the law do in the area of research integrity.

González Fuster invited the audience to take a look at the Bonn Printeger Consensus Statement, which provides valuable guidance for research performing organisations. Research integrity is related to the law but also to how research ethics is defined, continued González Fuster, who identified four critical issues: First, looking into the research integrity policy from the legal perspective, different perceptions between research integrity and law can be found. Second, despite the lack of concrete guidance regarding research data management and the daze as to what are the obligations of a “good researcher”, there exists something that could be perceived as a kind of unreasonable trust to researchers which makes people believe that researchers by their mere status as such know how to process personal data in accordance with the relevant ethical standards and law. Third, the interplay between data protection law and ethical standards deserves further exploration, due to its increasingly significant societal value. Fourth, the broad interpretation of science in the GDPR also poses challenges. González Fuster used the recent Cambridge Analytica scandal to highlight the significance of research integrity, since Dr Kogan, one of the lead characters behind the scandal gathered all the data, later used for political micro-targeting and manipulation, at first in the name of science. González Fuster underlined that it seems that this was not an isolated incident but rather there are many examples of research performed within the same or similar terms. She then concluded her talk, by inviting the other panellists to address the following questions: “What is the GDPR saying about the subject?” and “How do DPOs perceive the obligations of the researchers and the data subject’ s rights in the research context?”

Marlon Domingus (DPO at Erasmus University Rotterdam, EUR) elucidated the tools and practices that the DPO office in his University has established in compliance with the GDPR requirements in the research context. The EUR approach focuses on a sustainable way to adjust compliance processes, first by investing in resources and workforce, and second by simplifying and standardising the relevant procedures followed by the researchers and the DPO staff. Tools, he presented, to this direction are, for instance, the Privacy Impact Assessment (PIA) Route Planner for Academic Research inspired by Harry Beck’s London Metro Map, a process map for researchers and the moral compass which helps DPOs to conduct a more thorough ethical assessment of the proposed research, going beyond a traditional evaluation.

Audrey Van Scharen (DPO at Vrije Universiteit Brussel) presented a complementary view on the matter, arguing that DPOs still have many questions, despite the favourable position of research in the GDPR. Van Scharen called attention to the exceptions laid out in GDPR with regards to purpose limitation (Article 5 (1)(a) GDPR), storage limitation (Article 5(1)(e) GDPR), consent as just one of the grounds of lawful processing (Article 6 GDPR) and broad consent (Recital 33 GDPR). She then refered to the three grounds of lawful processing, which may be relevant for research: the data subject´s consent, public interest and legitimate interest. Van Scharen continued by presenting the four paths for processing personal data for research, namely: application of the GDPR with no exceptions, application of the GDPR with the exceptions provided for scientific research, application of the GDPR with exceptions provided in the Member State legislation, and application of the GDPR and a code of conduct. For most of the part, argued Van Scharen, the compliance check can be carried out in three ways: by the researcher, with guidance from the DPO, in particular with regards to interpretation of specific complex legislation; by the DPO; or in the absence of a DPO, by the Ethics Committee.

Jef Ausloos (Legal Researcher, CiTiP, KU Leuven) started his talk by pointing out that scientific research ranks high in the EU policy agenda. Even though there are many different levels protecting scientific research, Ausloos chose to focus in particular on the exceptions with regards to data subjects’ rights, in particular those laid out in Article 89 GDPR (derogations in the Member States law), Article 17 GDPR (right to erasure), Article 14 GDPR (right to information) and Article 21 GDPR (the right to object). Ausloos emphasised that the reason for introducing exceptions for scientific research lies with the fact that the enforcement of some of the data subject´s rights might be burdensome for research projects and thus, the GDPR attempts to strike a fair balance. In order to explain this fair balancing under GDPR, he made a distinction between ex-ante (e.g. legitimate interest test) and ex-post (e.g. the right to object) balancing. Ausloos made his final point by clarifying two concepts which are often confused in the GDPR and are relevant for the balancing test, namely purposes and interests.

The talks were followed by a vivid Q&A session on various matters.