Review of Codes of Conduct

for the PANELFIT project

Presented on 2020-09-14. Internal presentation for the PANELFIT project.

Pranesh Prakash

Affiliated Fellow
Information Society Project, Yale Law School

 

Karen Soacha

Researcher

Instituto de Ciences del Mar (ICM-CSIC)

 

CC-BY-SA 4.0: (copy, share, adapt: sharing is caring)

no proprietary standards or software were used in the making of this slide deck

What is the Code of Conduct for Responsible Research and Innovation?

“a set of basic ethical standards and guidelines for researchers working in the ICT field that could serve as a day-to-day assessment tool” (p. 5)

“an essential tool for researchers who must deal with the challenges addressed by PANELFIT routinely … meant to facilitate the primary aims of ethical compliance from the very beginning, hindering the appearance of ethical and legal issues regarding both data protection and security/cyber-security” (p. 8)

“mainly responding to the issues and gaps detected … based on the materials included in The Guidelines” (p. 18)

“written in strict accordance with the requirements of RRI” (p. 23)

Why this review?

  1. Better understand what questions and issues should be addressed through the CCRRI

  2. What kinds of Codes of Conduct and other guidance documents already exist that cover such questions and issues

  3. How best to move forward creating it.

Methodology

Examples of CoCs

  • Relating to research & data protection

  • Relating to ICTs and AI

  • Relating to RRI

  • Mentioned in the Draft Guideline

Methodology

  • CoC-related issues in the Critical Analysis

  • Academic articles on:

    • CoCs and GDPR

    • CoCs and RRI

Codes of Conduct

EU-level, under GDPR

None approved so far under Art. 40 of the GDPR

One submitted:

Code of Conduct on Data Protection in Online Gambling.

(In Malta. Multi-year preparation process, and 18-24 months for approval.)

Some being submitted for approval, formulated, conceptualized, etc.:

  • EU Cloud Code of Conduct (SCOPE Europe)

  • Code of Conduct on Health Research (BBMRI-ERIC)

  • Code of Conduct on Language Research (CLARIN)

Codes of Conduct

EU-level / EU-funded Guidance on Research

  • RESPECT Code of Practice for Socio-Economic Research.

  • Guidelines on Data Protection Issues Relating to European Socio-Economic Research.

  • European Charter for Researchers.

  • European Code of Conduct for Research Integrity.

  • Global Code of Conduct for Research in Resource-Poor Settings.

  • Code of Practice on Secondary Use of Medical Data in European Scientific Research Projects.

  • Preliminary Opinion on Data Protection and Scientific Research, by the European Data Protection Supervisor.

  • EFAMRO & ESOMAR’s Guidance Note for the Research Sector: Appropriate use of different legal bases under the GDPR.

  • Guidelines for Responsible Research and Innovation.

  • EU Code of Conduct on Agricultural Data Sharing by Contractual Agreement.

The Responsible Innovation Compass project has catalogued 130 publicly funded RRI projects in Europe, including 19 focussed on the ethics component of RRI.

Codes of Conduct

Globally, on AI and Ethics

  • At least 84 sets of ethical guidelines on AI

    • 13 from EU member-states and

    • 6 from EU institutions

Codes of Conduct

CoCs on Research and DP in EU member-states

None approved post-GDPR on research.*

 

Pre-2018 examples exist, like the Dutch "Code of Conduct for the Use of Personal Data in Scientific Research"


*Post-2018 examples exist, like Spain's "Code of Best Practices on Data Protection for Big Data Projects", but that's not focussed on research

Codes of Conduct

Research on CoCs & Research

CoCs weren't successful under DPD.

But the hope is that the GDPR has addressed concerns & incentives.

Genomics, Language, Bio-banks, etc.

 

Benefits of CoCs include harmonization and increased legal certainty due to specificity.

Pessimism:
(Koscik & Myska)

"It is difficult to find an institution that would have the mandate to speak for a research community" (ALLEA, EUA?)

"We presume that the adoption of a Europe-wide code of conduct for data protection in research is very unlikely."

"Each research discipline uses specific methods and many scientific disciplines do not need to process personal data at all."

However:

 

"… likely that individual codes of conduct will be adopted for some narrow research fields and specific research-related activities such as biobanking, genomic research, social networks research, and sociological surveys."

CoC-Related Issues in the Critical Analysis

Six issues:

 

 

(1) harmonization of data protection practices to enable cross-country research within the EU.

 

Only Art. 40 CoCs and EDPB guidance can address this. Scholarly opinions can't.

Unlikely that non-Art. 40 CoC can address adequately. (Harmonization required.)

(2) question of when, under which legal bases, and under what circumstances, reuse of personal data for a secondary purpose of research is permissible.

 

Unlikely that non-Art. 40 CoC can address adequately.

(3) whether multiple legal bases can be used for processing the same personal data (either simultaneously, or sequentially)

 

Unlikely that non-Art. 40 CoC can address adequately.

(4) differentiating a research subject’s consent for participation in research from consent for processing and use of their personal data

 

Art. 29 Working Party opinion exists, so that can be incorporated into a non-Art. 40 CoC.

(5) applicability of data protection laws to deceased persons

 

Unlikely that non-Art. 40 CoC can address adequately. (Harmonization required.)

(6) lack of uniformity and clarity on national safeguards for research purposes under Article 89 of the GDPR.

 

Unlikely that non-Art. 40 CoC can address adequately. (Harmonization required.)

Summary: Findings

Trade-off between width of applicability and depth of guidance.

Most CoCs & guidelines on research don't deal with data protection in depth, with some exceptions like EDPS's "Preliminary Opinion" and EFAMRO & ESOMAR’s "Guidance Note for the Research Sector".

No extant CoCs under Art. 40

Most CoC-related issues raised by Critical Analysis can't be addressed by non-Art. 40 CoCs

>130 EU-funded RRI projects exist

(including at least 19 on RRI & ethics, and many guidelines, good practice documents, frameworks, etc.)

>84 documents on AI and Ethics

(including at least 19 from the EU region)

Scope

CCRRI is "specifically aimed to produce a set of basic ethical standards and guidelines for researchers working in the ICT field".

 

But the PANELFIT project aims to "facilitate the implementation of this new regulation" (GDPR).

 

So we take it that CCRRI should focus on data protection within RRI.

CCRRI can't be a CoC under Article 40 of the GDPR


CCRRI can't address most of the CoC-related issues in the Critical Analysis

There are few CoCs on data protection in research, but the PANELFIT Guidelines on Data Protection Ethical and Legal Issues in ICT Research and Innovation will already provide extensive guidance on this issue.


Any CCRRI will need to be distinguished both from existing EC-funded CoCs on RRI and from the PANELFIT Guidelines themselves.

There's a trade-off between being applicable to all forms of research and providing specific guidance.

Contact Details

pranesh@prakash.im soacha@icm.csic.es

@pranesh
@adrisoacha
