PANELFIT Code of Conduct on Data Protection for Research and Innovation

Presented on 2021-04-20. Internal presentation for the PANELFIT Mutual Learning Encounter.

Pranesh Prakash

Affiliated Fellow
Information Society Project, Yale Law School

 

Karen Soacha

Researcher

Instituto de Ciences del Mar (ICM-CSIC)

 

CC-BY-SA 4.0: (copy, share, adapt: sharing is caring)

no proprietary standards or software were used in the making of this slide deck

Why this meeting?

To convey

  1. The process through which the CCDP was created

  2. What questions and issues were sought be addressed through the CCDP?

  3. What kinds of Codes of Conduct and other guidance documents already exist that cover such questions and issues?

  4. Brief overview of what the CCDP covers
     

Receive feedback to improve the CCDP

Why the CCDP?

The PANELFIT project's general agreement sets out the broad aims for the CCDP (called therein as the "Code of Conduct for Responsible Research and Innovation")

 

After research looking at gaps, we came up with a more specific aim

What is the CCDP?

“an essential tool for researchers who must deal with the challenges addressed by PANELFIT routinely … meant to facilitate the primary aims of ethical compliance from the very beginning, hindering the appearance of ethical and legal issues regarding both data protection and security/cyber-security” (p. 8)

“mainly responding to the issues and gaps detected … based on the materials included in the Guidelines” (p. 18)

“a set of basic ethical standards and guidelines for researchers working in the ICT field that could serve as a day-to-day assessment tool” (p. 5)

“written in strict accordance with the requirements of RRI” (p. 23)

What is the CCDP?

“The CCDP aims to provide an easy-to-understand set of conduct rules that cover the main principles provided in the EU’s General Data Protection Regulations (GDPR), as well as a set of desirable practices, specifically tailored to the research community.”

Methodology

Examples of CoCs

  • Relating to research & data protection

  • Relating to ICTs and AI

  • Relating to RRI

  • Mentioned in the Draft Guideline

Methodology

  • CoC-related issues in the Critical Analysis

  • Academic articles on:

    • CoCs and GDPR

    • CoCs and RRI

Methodology

  • Share research at PANELFIT meeting

  • Draft versions of CCDP

    • Multiple rounds of comments & corrections

    • Feedback at Mutual Learning Encounter

  • Final version of CCDP

Codes of Conduct

EU-level, under GDPR

None approved so far under Art. 40 of the GDPR

Codes of Conduct

EU-level, under GDPR

One submitted:

Code of Conduct on Data Protection in Online Gambling.

(In Malta. Multi-year preparation process, and 18-24 months for approval.)

Codes of Conduct

EU-level, under GDPR

Some being submitted for approval, formulated, conceptualized, etc.:

  • EU Cloud Code of Conduct (SCOPE Europe)

  • Code of Conduct on Health Research (BBMRI-ERIC)

  • Code of Conduct on Language Research (CLARIN)

Codes of Conduct

EU-level / EU-funded Guidance on Research

  • RESPECT Code of Practice for Socio-Economic Research.

  • Guidelines on Data Protection Issues Relating to European Socio-Economic Research.

  • European Charter for Researchers.

  • European Code of Conduct for Research Integrity.

  • Global Code of Conduct for Research in Resource-Poor Settings.

Codes of Conduct

EU-level / EU-funded Guidance on Research

  • Code of Practice on Secondary Use of Medical Data in European Scientific Research Projects.

  • Preliminary Opinion on Data Protection and Scientific Research, by the European Data Protection Supervisor.

  • EFAMRO & ESOMAR’s Guidance Note for the Research Sector: Appropriate use of different legal bases under the GDPR.

  • Guidelines for Responsible Research and Innovation.

  • EU Code of Conduct on Agricultural Data Sharing by Contractual Agreement.

Codes of Conduct

EU-level / EU-funded Guidance on Research

The Responsible Innovation Compass project has catalogued 130 publicly-funded RRI projects in Europe, including 19 focussed on the ethics component of RRI.

Codes of Conduct

Globally, on AI and Ethics

  • At least 84 sets of ethical guidelines on AI

    • 13 from EU member-states and

    • 6 from EU institutions

Codes of Conduct

CoCs on Research and DP in EU member-states

None approved post-GDPR on research.*

 

Pre-2018 examples like Dutch "Code of Conduct for the Use of Personal Data in Scientific Research"

 

 

*Post-2018 examples exist, like Spain's "Code of Best Practices on Data Protection for Big Data Projects", but that's not focussed on research

Codes of Conduct

Research on CoCs & Research

CoCs weren't successful under DPD.

But hope is GDPR has addressed concerns & incentives.

Codes of Conduct

Research on CoCs & Research

Genomics, Language, Bio-banks, etc.

 

Benefits of CoCs include harmonization, increase legal certainty due to specificity.

Codes of Conduct

Research on CoCs & Research

Pessimism:
(Koscik & Myska)

"It is difficult to find an institution that would have the mandate to speak for a research community" (ALLEA, EUA?)

Codes of Conduct

Research on CoCs & Research

Pessimism:

 

"We presume that the adoption of a Europe-wide code of conduct for data protection in research is very unlikely."

Codes of Conduct

Research on CoCs & Research

Pessimism:

 

"Each research discipline uses specific methods and many scientific disciplines do not need to process personal data at all."

Codes of Conduct

Research on CoCs & Research

However:

 

"… likely that individual codes of conduct will be adopted for some narrow research fields and specific research-related activities such as biobanking, genomic research, social networks research, and sociological surveys."

Summary: Findings

Trade-off between width of applicability of CoC and depth of guidance.

Summary: Findings

Most CoCs & guidelines on research don't deal with data protection in depth, with some exceptions like EDPS's "Preliminary Opinion" and EFAMRO & ESOMAR’s "Guidance Note for the Research Sector".

Summary: Findings

No extant CoCs under Art. 40

Summary: Findings

Most CoC-related issues raised by Critical Analysis can't be addressed by non-Art. 40 CoCs

Summary: Findings

There already exist >130 EU-funded RRI projects

(including at least 19 on RRI & ethics, and many guidelines, good practice documents, frameworks, etc.)

Summary: Findings

There already exist >84 documents on AI and Ethics

(including at least 19 from the EU region)

Scope

CCDP is not meant to be a CoC under Article 40 of the GDPR

Scope

There are few CoCs on data protection in research, but the PANELFIT Guidelines on Data Protection Ethical and Legal Issues in ICT Research and Innovation already provide extensive guidance on this issue.


 The CCDP needed to be distinguished both from existing EC-funded CoCs on RRI, as well as the PANELFIT Guidelines themselves.

Scope

There's a trade-off between being applicable to all forms of research and providing specific guidance.

Scope

Limited to covering:

  • broad data protection principles

(Articles 5, 6, 9, 10, 38, 89 + Recitals 26, 33, 51–56, 159)

  • good practices

  • keeping in mind researchers' needs

Scope

Not meant to be a substitute for

 

"Guidelines on Data Protection, Ethical and Legal Issues in ICT Research and Innovation"


"Critical Analysis of the ICT Data Protection Regulatory Framework"


Any sector-specific CoC

Brief Overview of CCDP

 

Preamble

Aim, scope, and need for CCDP for responsible research & innovation

Brief Overview of CCDP

 

Data Protection Principles

Lawfulness, fairness, transparency

Brief Overview of CCDP

 

Data Protection Principles

Purpose limitation

Brief Overview of CCDP

 

Data Protection Principles

Data minimization

Brief Overview of CCDP

 

Data Protection Principles

Accuracy

Brief Overview of CCDP

 

Data Protection Principles

Storage limitation

Brief Overview of CCDP

 

Data Protection Principles

Integrity and confidentiality

Brief Overview of CCDP

 

Data Protection Principles

Accountability

Brief Overview of CCDP

 

Good Practices

Anonymization, pseudonymization and encryption

Brief Overview of CCDP

 

Good Practices

Aggregate and coarse data

Brief Overview of CCDP

 

Good Practices

Multiple grounds for processing

Brief Overview of CCDP

 

Good Practices

Consent in data protection and in ethics

Brief Overview of CCDP

 

Good Practices

Legitimacy, fairness, and ethics approvals

Brief Overview of CCDP

 

Good Practices

Data protection authorities and ethics boards

Brief Overview of CCDP

 

Good Practices

Data protection guidelines, DPIA, and DPOs

Brief Overview of CCDP

 

Annexure 1

Key resources

Contact Details

pranesh@prakash.im soacha@icm.csic.es

@pranesh
@adrisoacha

Review of PANELFIT Code of Conduct on Data Protection

By Pranesh Prakash

Review of PANELFIT Code of Conduct on Data Protection

Internal presentation, made on 2021-04-20

  • 865