data protection and the ethics review process - europa

Data Protection and the Ethics Review

Process

Albena Kuyumdzhieva, PhD

Programme Manager Research/Ethics Review

SAM UNIT, DG Research and Innovation

Ethics and

Data…why

should we care?Ethics and Data:

Why Should We

Care?• No human should be subject to research

project without his/her knowledge and

agreement;

• Potentially high risk for data subject rights

(in case of data breach) such as:

- Discrimination;

- Stigmatisation;

- Harm to the welfare and wellbeing etc.;

• Lost of trust in science;

Main Ethics Concerns

• Big Data analytics;

• Use of data from social media platforms;

• Use of data collected by commercial organisations (e.g. fitness trackers) for research purposes and vice versa;

Free, voluntary and informed consent


• Profound confusion between the concepts of 'being in public' and 'being public';

• Misconception that publicly available data poses only marginal risks.

Utilisation of publicly available data

Online recruitment

• Uncertainty as to the real age of the participants;

• Possible harm for the individuals;



• Lack of clear understanding of the process and the difference between anonymisation and pseudonymisation;

• Excessive collection of data and unjustified storage periods.

Anonymisation and Pseudonymisation

Data Minimisation


• Non-secure data processing arrangements;

• Use of non-adequate software and storage providers and changing terms of use;

• Restrictions for processing of data in third countries.

Security Arrangements Data Transfers

Ethics

EU General Data Protection Regulation:Data Protection:

European Convention on Human Rights

Charter of Fundamental Rights of

the European Union

Treaty on the Functioning of the European UnionTreaty on the Functioning of the European Union

Charter of Fundamental Rights of the European Union

• Builds on the principles of the Data Protection Directive 95/46/EC;

• Increases transparency and accountability of the data processing;

• Enhances the data protection rights of the individuals.

Accountability based approach

Data protection

by design and by default

Data minimisation

Risk based approach

Mandatory Data

Protection Officer

Data protection impact

assessments Key Elements

Key approaches

Personal data is any information relating to an identified or identifiable (directly or indirectly) natural person.

Identifiers: • Name;• Identification number;• Location data;• Online identifier (e.g. IP, cookie ID);• One or more factors specific to the physical, physiological, genetic, mental,

economic, cultural or social identity of the individual.

Processing of data is any operation such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Key definitions

Some useful terms

Special Categories of Personal Data

Genetic data;

Biometric data;

Data concerning health or data concerning a natural person's sex life or sexual orientation;

Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership.

Key definitions

Some useful terms

Anonymisation

• A process of ensuring that the risk of somebody being identified in the data is negligible.

NB!

• It is a process of producing safe data but it only makes sense if this data is useful!

Key definitions

Some useful terms

Pseudonymised data: where obvious identifiers (e.g. names and addresses) have been replaced with indirect identifiers (e.g. numbers) in the main data set and the indirect identifiers are then held with the obvious identifiers in a separate data set (known as the ‘key’);

Pseudonymised personal data, which could be attributed to a natural person by the use of additional information is considered to be information related to an identifiable natural person and thus falls within the scope of GDPR!

Key definitions

NB!

Some useful terms

Any form of automated processing of personal data evaluating thepersonal aspects…in particular to analyse or predict aspectsconcerning the data subject's performance at work, economicsituation, health, personal preferences or interests, reliability orbehaviour, location or movements.

Profiling

Key definitions

Some useful terms

Specific data subjects rights: To know about the existence of the profiling and its possible consequences; Understand the logic behind the decision-making; Object/opt out of profiling; Contest/seek human intervention in respect of the automated decision

reached.

FREELY GIVEN

What is the scope of the given consent?

Possibility to consent only to certain areas of research or parts of research.

SPECIFIC

Clear and in plain language;

Intelligible;

Clearly distinguishable from other issues;

INFORMED

Absolutely clear

UNAMBIGIOUS

Is there imbalance between the data controller and the data subject?

Can the consent be withdrawn as easy as it is given?

Consent

Key principles

Risk based approach

Data protection must be proportionate to the

risks to data subjects.

Key developments

Key principles

Examples of Higher Ethics Risk IndicatorsTypes of personal data used in the research

* racial or ethnic origin;* political opinions, religious or philosophical beliefs;* genetic, biometric or health data; * sex life or sexual orientation;* trade union membership.

Data subjects involved in the research

* children;* vulnerable persons ;* persons who have not given their explicit consent to participate in the research project.

Scale or complexity of data processing

* large-scale processing of personal data;* systematic monitoring of publicly assessable area on a large scale* involvement of multiple datasets and/or service providers, or the combination and analysis of different datasets (i.e. “big data”).

Guidance Note on Ethics and Data Protection (2018)

Guidance Note on Ethics and Data Protection (2018)

Data processing techniques involved in the research

* privacy-invasive methods or technologies (e.g. the covert observation, surveillance, tracking or deception of individuals);* the use of camera systems to monitor behaviour or record sensitive information;* “data-mining” (including data collected from social media networks), “web-crawling” or “social network analysis”;* the profiling of individuals or groups (particularly behavioural or psychological profiling);* the use of “artificial intelligence” to analyse personal data;* the use of automated decision-making which has a significant impact on the data subject(s).

Involvement of non-EU countries

* transfer of personal data to non-EU countries;* collection of personal data outside the EU.

Examples of Higher Ethics Risk Indicators

New Data Protection Requirements for H2020 projects

GDPR and Its Impact on the Ethics

Review Process

Lawfulness, FAIRNESS and transparency of data processing.

Key principles

Ethics and Data Protection: H2020 Key Approaches

H2020 Ethics Framework: What shall we look at?

1. Does the research involve the collection and/or processing of personal data?

No specific

requirements

needed.

Requirements

Key questions

Confirmation by the host institution that it has appointed a Data Protection Officer (DPO) and the contact details of the DPO are made available to all data subjects involved in the research.

If designation of a DPO is not required under the GDPR , a detailed data protection policy for the project must be elaborated.

General requirements

If personal data is processed, the following may be requested:

Description of the technical and organisational measures that will be implemented to safeguard the rights and freedoms of the data subjects/research participants.


If personal data is processed:

Description of the anonymysation/ pseudonymisation techniques that will be implemented.

Description of the security measures that will be implemented to prevent unauthorised access to personal data or the equipment used for processing.

AND/OR

Explanation how all of the data they intend to process is relevant and limited to the purposes of the research project (in accordance with the ‘data minimisation ‘principle).


If personal data is processed:

Explanation why the research data will not be anonymised/ pseudonymised.

Detailed information on the informed consent procedures with regard to data processing.

Templates of the informed consent forms and information sheets.

No specific requirements

needed.Specific requirements

2. Does the research involve processing of special categories of data?

o Does the research involve the processing of genetic, biometric or

health related data?

Key questions

Detailed justification for the processing of special categories of personal data.

The beneficiary must check if special derogations pertaining to the rights of data subjects or the processing of genetic, biometric and/or health data have been established under the national law and submit declaration of compliance.


needed.

Specific requirements

3. Does the research involve profiling, systematic monitoring of individuals or processing of large scale of special categories of data, intrusive methods* of data processing or any other data processing operation that may result in high risk to the rights and freedoms of the research participants?

Key questions

Explanation how the data subjects will be informed of the existence of the profiling, its

possible consequences and how their fundamental rights will be safeguarded.

*Such as behaviour profiling, tracking, surveillance, audio and video recording, geo-location tracking etc.



4. Does the research involve further processing of previously collected personal data?

Key questions

An explicit confirmation that the beneficiary has lawful basis for the data processing and that

the appropriate technical and organisational measures are in place to safeguard the rights of

the data subjects.



5. Is it planned to import personal data - from the non-EU countries into the EU?

Key questions

In case personal data are transferred from a non-EU country to the EU (or another third state), confirmation that such transfers comply with the laws of the country in which the data were collected.



6. Is it planned to export personal data from the EU to non-EU countries?

Key questions

In case personal data are transferred from the EU to a non-EU country or to an international organisation, confirmation that such transfers are in accordance with Chapter

V of the General Data Protection Regulation 2016/679.

For countries, not covered by

adequacy decision*:

*Norway, Liechtenstein, Iceland; Andorra; Argentina; Canada(commercial organisations); Switzerland; Faeroe Islands; Guernsey;

Israel; Isle of Man; Japan, Jersey; New Zealand; United States (under Privacy Shield); Eastern Republic of Uruguay



7.Does the research involve the processing of publicly available data?

Key questions

An explicit confirmation that the data used in the project is publicly available and can be freely used for the purposes of the project.



8.Does the data processing expose the research participants to high ethics risks?

Key questions

Evaluate the ethics risks related to the data processing activities of the project. This includes also an opinion if data protection impact assessment should be conducted under art.35 GDPR. The risk evaluation and the opinion must be submitted as a deliverable.

Assessment of:

Individual ethics harms (for the research participants);

Ethics harms to third parties (e.g. family, friends etc.)

Group level ethics harm (for the community or the group);

Ethics risks to be considered (non-exclusive list):

Discrimination;

Stigmatisation;

Exposing identity and sensitive data (privacy breach);

Security/safety risks for the research participants;

Reputational risk and loss of position within occupational and other settings;

Harms to the interests and wellbeing on the research participants, third parties and the community;

Potential for misuse of data.

Ethics risk assessment

Dual Use

Focus on Civil Application

Misuse

Dual Use

Certain goods/technologies can be security threats, especially in terms of weapons of mass destruction proliferation.

If the research concerned is intended to develop or improve dual-use technologies or goods, it may qualify for funding, as long as the goods or technologies are intended for civil applications.

! Dual-use items are items,

including software and technology, which can be used for both civil and military purposes, and shall include all goods which can be used for both non- explosive uses and assisting in any way in the manufacture of nuclear weapons or other nuclear explosive devices.(art. 2(1) of Regulation 428/2009 setting up the Community regime for the control of exports, transfer, brokering and transit of dual-use items)

Annex 1 contains 9 special categories referring to:o Category 0 Nuclear materials,

facilities and equipment;o Category 1 Special materials and

related equipment;o Category 2 Materials processing;o Category 3 Electronics;o Category 4 Computers;o Category 5 Telecommunications and

‘information security’;o Category 6 Sensors and lasers;o Category 7 Navigation and avionics;o Category 8 Marine;o Category 9 Aerospace and propulsion.

Dual use items

Does the research involve dual-use items in the sense of Regulation 428/2009?

o No specific requirements needed.

o How have the applicants addressed dual-use concerns?

o Have export authorisations/licences been requested?

o Have the relevant (national) authorities been informed?

o What would the applicants do if the authorisations are refused?

Key questions

o Details on the dual-use items in the sense of Regulation (EC) 428/2009;

o Details on potential dual use implications of the project and risk-mitigation strategies;

o Before the beginning of the activity, the researcher must submit to the Commission a copy of any export or transfer licences required under EU, national or international law (if applicable).


Copies of ethics opinions;

Inclusion of security expertise in research;

Restrict access to certain deliverables/results;

Copies of security clearances (if necessary for classified research);

Special authorisations if the publication of the research findings concern technology that could be used to develop, produce or use dual-use items;

Training for staff;


Exclusive focus on Civilian Application

• Only research and innovation activities focusing on civil applicationsare eligible for funding under Horizon 2020.

• Research intended to be used in military applications, cannot befunded under H2020.

Exclusive focus on civil applications

o In order to determine whether a project or proposal meets the conditions laid down in H2020 Regulation, the objective(s) of the proposed activity have to be assessed;

o If the technologies/products/services concerned are intended to be used in non-military activities or aim to serve non-military purposes, they will be considered as having an exclusive focus on civil applications.

Which factors should not be taken into account?

o Involvement of the defence industry or military organisations;

o Subject area: explosives, chemical, biological, radiological and nuclear elements; defence or counter-terrorism etc.

o What is the determining factor?

o Intended application!

Key definitions

Could the research raise concers regarding the exclusive focus on civil application?

o No specific requirements needed.

The applicant must:o Explain the exclusive civilian focus of the

research;o Justify inclusion of military partners or military

technologies (i.e. explain how they relate to civilian applications, e.g. in the context of law enforcement activities).

Key definitions

Project objective:

The purpose of the project is to develop and test a new class of ultra-high temperature ceramic matrix composites with self-healing capability suitable for application in severe aerospace environments. There are plans to explore the potential exploitation of the results in other sectors (e.g. Renewable Energy, High-Tech industry and Nuclear), with future applications “unimaginable in other fields”.

Partners: The project coordinator and one of the partners had previous grants for development of on ultra-high temperature ceramic composites used for military purposes. The non-EU partner is a missile component producer.

Ethics section: The applicants acknowledge that the technology can be used by third parties for incorporation in rocket delivery vehicles for weapons, including for weapons of mass destruction.

Example

Misuse

• Notwithstanding the fact that research is usually carried out with good intentions, some types of research have the potential to harm humans, animals or the environment.

• Potential misuse of research refers to research involving or generating materials, methods, technologies or knowledge that could be misused for unethical purposes.

The answers to the following questions determine the risk for misuse:

Could the materials/methods/technologies and knowledge involved or generated:

• harm humans, animals or the environment if they were modified or enhanced?

• be used to curtail human rights or civil liberties?

• serve purposes other than those intended? If so, would such use be unethical?

What would happen if the materials/methods/technologies and knowledge involved or generated ended up in the wrong hands?

Could the research be misused to stigmatise, discriminate against, harass or intimidate people?

Key definitions

Specific areas that are particularly vulnerable

o Biological, chemical, radiological and nuclear security-sensitive materials and explosives;

o Research with a potential impact on human rights (e.g. research on surveillance technologies, new data-gathering and data-merging technologies, social or genetic research that could lead to discrimination or stigmatisation);

o Research that could ultimately be used for malevolent purposes (e.g. may provide terrorists or criminals with information or technologies that would have substantial direct impacts on the security of individuals, groups or states).

Does your research have a potential for misuse of research results?

o No specific requirements needed.o Measures to minimise the risk of potential

misuse;o Limiting the dissemination of results;o Classifying certain deliverables; o Training of staff;


o Risk-assessment and details on the mitigation measures set in place;

plus:

o Details of the applicable legal requirements;

o Details of the measures to prevent misuse;

o Copies of authorisations (if required).

o Copies of security clearances (if applicable).

o Copies of ethics approvals (if applicable).


General advice

o Use the right evaluation factor (see previous slides);

o Although certain research areas are more likely to raise ethics issues, (potential) concerns regarding dual-use, misuse and the exclusive focus on civil applications can be found in all types of projects;

o Make sure you are familiar with the relevant legal documents and provisions;

o Pay attention to the risks described and the measures taken –are the applicants aware of potential ethics issues?

data protection and the ethics review process - europa

Documents