Issues of personal data protection in scientific research Prepared by: Marko Trošelj
The Croatian legal framework International Acts - Convention 108 and EU legislation Personal data and privacy protection – Constitutional category Article 37: The safety and secrecy of personal data shall be guaranteed for everyone. Without consent from the person concerned, personal data may be collected, processed, and used only under the conditions specified by law. includes the purpose limitation principle General act: Personal Data Protection Act (OG 103/03, 118/06, 41/08, 130/11)
Basic provisions Personal Data Protection Act regulates the personal data protection of natural persons The purpose of personal data protection is to protect the privacy of individuals, as well as other human rights and fundamental freedoms in the processing of personal data
Definitions Data controller: the entity that determines the purposes and means of processing personal data Processor: the entity that processes personal data on behalf of the controller Data subject: an identified or identifiable natural person whose personal data are processed Data processing: any operation or set of operations which is performed on personal data. (collection, recording, organization, storage, usage, disclosure, dissemination...)
Personal data processing Purpose of processing: Personal dana shall be collected for a purpose known to the data subject, explicitly stated and in accordance with the law Further processing only for the purposes it has been collected for, or for a purpose in line with the purpose it has been collected for EXCEPTION Further processing of personal data for historical, statistical or scientific purposes shall not be considered as incompatible provided that appropriate protection measures are in place
Personal data processing Proportionality principle - Personal data must be relevant to what is necessary in relation to the established purpose and it shall not be collected in quantities more extensive than necessary Personal data must be accurate, complete and up to date Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed. Personal data may be stored for longer periods solely for historical, statistical or scientific purposes – appropriate protection measures are established by special acts.
Personal data processing Lawfulness of processing Personal data shall be collected and subsequently processed only if one of the following applies: with consent of the data subject in cases determined by law for the purpose of fulfilling legal obligations of the controller …
Special categories of personal data Processing of personal data pertaining to racial or ethnic origin, political opinions, religious or other beliefs, trade union membership, data concerning health or sexual orientation, as well as personal data regarding criminal and misdemeanour proceedings In principle, shall be prohibited Exceptions: - upon consent of the data subject - if the data processing is necessary to exercise the rights and obligations of the controller based on special regulations…
Information to data subject Prior to collecting any personal data, controller must inform the data subject whose personal data is being collected about: the identity of the controller, the purpose of processing this data, the right of access the right to rectification the recipients or categories of recipients
Usage of personal data by the recipience Controller shall allow the usage of personal data to other recipients based on written request if this is necessary for carrying out tasks within their activity as defined by law The written request must contain provisions on purpose, legal basis, and type of personal data requested Personal data processed for scientific research or statistical purposes must not allow for the identification of data subjects
Safeguards Personal data shall be adequately protected from accidental or deliberate abuse, destruction, loss, unauthorized alteration or access controller and recipient shall undertake appropriate technical, staffing and organisational measures
Rights of the data subject controller shall within 30 days provide the following to every data subject: whether or not data relating to the data subject are being processed allow access and copying of such files information on who obtained access to the data, for what purpose and on what legal basis Upon request or independently controller shall alter or delete personal data if this data is incomplete, inaccurate or outdated
General Data Protection Regulation It shall apply from 25 May 2018. Uniformity of personal data processing in all Member States New Challenges
Principles Lawfulness, fairness and transparency Purpose limitation Data minimisation Accuracy Storage limitation Integrity and confidentiality Accountability
New Definitions restriction of processing pseudonymisation profiling genetic data biometric data
Anonymisation The principles of data protection should apply to any information concerning an identified or identifiable natural person This Regulation does not concern the processing of anonymous information, including for statistical or research purposes
Data processing for scientific purposes The processing of personal data for scientific purposes should be subject to appropriate safeguards for the rights and freedoms of the data subject pursuant to this Regulation Principle of data minimisation Principle of purpose limitation Principle of storage limitation
Thank you for attention