Vigdis Kvalheim Norwegian Social Science Data Services (NSD) New Legal Challenges - New EC Privacy Regulation Data Preservation and Data Sharing in danger?

Presentation transcript:

Vigdis Kvalheim Norwegian Social Science Data Services (NSD) New Legal Challenges - New EC Privacy Regulation Data Preservation and Data Sharing in danger? WP4 Data Archiving WP6 Ethical and Legal Issues IASSIST Cologne May 30, 2013 NSD©2013

General Data Protection Regulation (COM(2012)0011): Two Proposals
The European Commission, January 25, 2012
The Parliament, Committee on Civil Liberties, Justice and Home Affairs, December
Replaces Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and the free movement of such data. New instrument: a (directly applicable) Regulation, to ensure a unified legal framework in Europe.

General Data Protection Regulation (COM(2012)0011): Two Proposals
Why? The Directive has failed to achieve proper harmonization due to different implementation of its provisions in Member States. The result is differences in the level of data protection both on paper and in practice, which hamper free exchange of personal data. The new legal instrument aims to reduce fragmentation and harmonize legislation and legislative practice.

Why does this concern us?
Law and legal practice in relation to various types of data do affect opportunities for research as well as the possibilities for data archives and research infrastructures to serve the needs of empirical research. Law and legal practice should be a major concern for national research infrastructures.

EU Directive 95/46/EC - The Data Protection Directive
Article 6: Purpose specification – fundamental right and principle
1. Member States shall provide that personal data must be:
(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards;
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use.

EU Directive 95/46/EC - The Data Protection Directive
Article 11: Information where the data have not been obtained from the data subject
2. Paragraph 1 shall not apply where, in particular for processing for statistical purposes or for the purposes of historical or scientific research, the provision of such information proves impossible or would involve a disproportionate effort or if recording or disclosure is expressly laid down by law. In these cases Member States shall provide appropriate safeguards.

EU Directive 95/46/EC - The Data Protection Directive
In short, the current state is that we have a legal instrument that works well for the sciences:
Further processing of personal data for historical, statistical or scientific purposes is not incompatible with the original purposes if necessary and the public interest clearly exceeds the risks; there are alternatives (safeguards) to consent. The prohibition against storing unnecessary personal data is lifted for historical, statistical or scientific purposes if the public interest clearly exceeds the disadvantages. Exemption from the purpose limitation principle is the fundamental research guarantee, in particular for register-based research!

Commission Proposes a Comprehensive Reform of the Data Protection Rules
For the research community the question is whether the new regulation provides good, safe and predictable conditions for research. The main conclusion is that the Commission’s proposal for the most part does accommodate research interests and implies more continuity than change in conditions. One important exception is the provision on the purpose limitation principle in Article 5 (b) of the Regulation, which corresponds to Article 6 (b) in the EU Directive.

The clarification that further processing of personal data for scientific research is not incompatible with the original purpose has been dropped.
Article 5 sets out the principles for personal data processing. This provision corresponds to Article 6 of the directive.
The principle of specification of purpose, Article 5 (b): … personal data shall be collected for specified, explicit and legitimate purposes and that they shall not be further processed
Recital 40 to some extent repairs this: The processing of personal data for other purposes should be only allowed …. in particular where the processing is necessary for historical, statistical or scientific research purposes.

Commission Proposes a Comprehensive Reform of the Data Protection Rules
Legal authority: Article 6 lists alternative grounds for lawful processing of personal data. For the most part, this provision means continuity in the conditions for processing personal data for scientific purposes.
New! The second paragraph of the Article explicitly authorizes the processing of personal data for research purposes: Processing of personal data which is necessary for the purposes of historical, statistical or scientific research shall be lawful subject to the conditions and safeguards referred to in Article 83.

Commission Proposes a Comprehensive Reform of the Data Protection Rules
Form of regulation (appropriate safeguards): Public authorities and public bodies, as well as enterprises with more than 250 employees, must designate a data protection officer. The data protection officer arrangement will be the main element in the system for regulating, controlling and documenting the processing of personal data. An effort to increase the level of protection!

Commission Proposes a Comprehensive Reform of the Data Protection Rules
In short:
The core data protection principle of purpose limitation is strengthened.
The rights of the data subject are strengthened – consent (explicit), information, the right to be forgotten.
Information, knowledge and consent, the most important measures to safeguard privacy, are strengthened.
The role and responsibilities of the data controller (institution) are strengthened.
The Data Official institution is mandatory.

Commission Proposes a Comprehensive Reform of the Data Protection Rules
Nevertheless, the Commission's Proposal is striking the right balance between the public interest in information privacy and research. The new research provision, Article 83, and its associated provisions contain research exemptions/guarantees and protect the public interest in research. The Albrecht-Report signals a shift of balance.

General Data Protection Regulation (COM(2012)0011): The Albrecht-Report
Suggests amendments to the proposal from the Commission; has caused widespread and serious concern in research environments across Europe.

General Data Protection Regulation (COM(2012)0011): The “Albrecht-Report”
The Albrecht Report suggests dropping more or less all the important research provisions (derogations) that grant research a privileged position with regard to access and use of personal data. It argues that scientific research is not special with regard to its public interest, and does not deserve a privileged position within the legal framework. For scientific research in all fields, and particularly for register-based research, this is devastating, and initiatives are taken to ensure that the research guarantees are continued.

The Albrecht-report
Supports the Commission's aim of strengthening the right to protection, ensuring a unified legal framework and reducing the administrative burdens for the data controller. But be aware!!
Amendment 27 – Proposal for regulation, Recital 42 (Consent): Processing of sensitive data for historical, statistical and scientific research purposes is not as urgent or compelling as public health or social protection. Consequently, there is no need to introduce an exception which would put them on the same level as the other listed justifications.

The Albrecht-report
Amendment 31 – Proposal, Recital 50 (exemption from the duty to inform)
The Albrecht-report keeps the provision that exempts from the duty to inform but deletes the following passage: The latter could be particularly the case where processing is for historical, statistical or scientific research purposes; in this regard, the number of data subjects, the age of the data, and any compensatory measures adopted may be taken into consideration.
Arguing that: The deleted text may be misunderstood as promoting a lower level of protection for certain kinds of data processing.

The Albrecht-report
Amendments 327 and 328 – Article 81
Processing of health data shall be permitted only with the consent of the data subject. Arguing that health data is extremely sensitive and deserves utmost protection. Member States may provide exemptions on condition that data are anonymous, de-identified or pseudonymised.

The Albrecht-report
Article 83: Research provision (safeguards)
In cases where the data subject has not given consent, sensitive data and data about children should only be used for research purposes if based on law and serving exceptionally high public interest. Otherwise, any "research", no matter if academic or corporate and including e.g. market research, could be used as an excuse to override all protections provided for in the other parts of this Regulation. Member States may provide exemptions on condition that data are anonymous, de-identified or pseudonymised.

Science Europe Position Statement
Recommendation 2: Science Europe supports Article 83 of the Proposal and its associated provisions and derogations and calls upon the EU institutions to maintain the provisions of Article 83 as proposed by the European Commission, and to ensure that all associated derogations for scientific research are retained and further clarified.
Recommendation 4: Science Europe believes that anonymisation must be explicitly stated to be outside the scope of the Regulation. Clarity is required concerning how the definition of ‘personal’ data in the proposed regulation relates to ‘pseudonymised’ data.

Science Europe Position Statement
Recommendation 6: Science Europe urges the EU institutions to acknowledge the specificity of the requirements for consent in scientific research, and to maintain derogations of Article 83 allowing for processing of appropriately-protected personal data for scientific research without consent, or by using ‘broad’ consent procedure if they are practical.
Recommendation 7: Science Europe stresses the crucial need for a DPR that does not increase the administrative burden for scientific researchers and research organisations.

The Message
We have to accept that we need: an adequate legal framework to safeguard both privacy and access to personal data for scientific purposes; and systems (Data Protection Official) for documentation, information and assessment of necessity, risks and benefits, to protect information privacy as well as user interests and rights.

Why?
Participants in research need protection. Researchers need protection. Institutions need protection. Society needs access. Self-regulation and transparency to build trust and support!

Now it is Time to Act!
The European institutions are now entering a crucial stage in the legislative process. Our role and duty as national research infrastructures is to make research funders and ministries, among others, aware of the damaging effects to research and society if the proposed amendments in the Albrecht report are implemented. The proposal is clearly contradicting high-level policies for open access and data sharing across Europe. It is also contradicting the aim towards harmonisation.

Thank you for listening!