PANELFIT Code of Conduct on Data Protection for Research and Innovation
Presented on 2021-06-24. Internal presentation for Second PANELFIT Mutual Learning Encounter.
Pranesh Prakash
Co-Founder
Centre for Internet and Society
Affiliated Fellow
Information Society Project, Yale Law School
Karen Soacha
Researcher
Institut de Ciències del Mar (ICM-CSIC)
CC-BY-SA 4.0: (copy, share, adapt: sharing is caring)
no proprietary standards or software were used in the making of this slide deck
Why this meeting?
To convey:
- the process through which the CCDP was created
- the questions and issues the CCDP sought to address
- the kinds of Codes of Conduct and other guidance documents that already exist covering such questions and issues
- a brief overview of what the CCDP covers
To receive feedback to improve the CCDP
Why the CCDP?
The PANELFIT project's general agreement sets out the broad aims for the CCDP (referred to therein as the "Code of Conduct for Responsible Research and Innovation").
After research, we came up with a more specific aim.
What is the CCDP?
- “an essential tool for researchers who must deal with the challenges addressed by PANELFIT routinely … meant to facilitate the primary aims of ethical compliance from the very beginning, hindering the appearance of ethical and legal issues regarding both data protection and security/cyber-security” (p. 8)
- “mainly responding to the issues and gaps detected … based on the materials included in the Guidelines” (p. 18)
- “a set of basic ethical standards and guidelines for researchers working in the ICT field that could serve as a day-to-day assessment tool” (p. 5)
- “written in strict accordance with the requirements of RRI” (p. 23)
Finally:
“The CCDP aims to provide an easy-to-understand set of conduct rules that cover the main principles provided in the EU’s General Data Protection Regulations (GDPR), as well as a set of desirable practices, specifically tailored to the research community.”
Methodology
- Examples of CoCs
  - relating to research & data protection
  - relating to ICTs and AI
  - relating to RRI
  - mentioned in the Draft Guideline (country-specific)
- CoC-related issues in the Critical Analysis
- Academic articles on:
  - CoCs and GDPR
  - CoCs and RRI
- Share research at PANELFIT meeting
- Draft versions of CCDP
- Multiple rounds of comments & corrections
- Feedback at Mutual Learning Encounter
- Final version of CCDP
Codes of Conduct
EU-level, under GDPR
None approved so far under Art. 40 of the GDPR.
One submitted: Code of Conduct on Data Protection in Online Gambling (in Malta; multi-year preparation process, and 18-24 months for approval).
Some being submitted for approval, formulated, conceptualized, etc.:
- EU Cloud Code of Conduct (SCOPE Europe)
- Code of Conduct on Health Research (BBMRI-ERIC)
- Code of Conduct on Language Research (CLARIN)
- Code of Conduct on Genomic Data (early stages, TBD)
Codes of Conduct
EU-level / EU-funded Guidance on Research
- RESPECT Code of Practice for Socio-Economic Research.
- Guidelines on Data Protection Issues Relating to European Socio-Economic Research.
- European Charter for Researchers.
- European Code of Conduct for Research Integrity.
- Global Code of Conduct for Research in Resource-Poor Settings.
- Code of Practice on Secondary Use of Medical Data in European Scientific Research Projects.
- Preliminary Opinion on Data Protection and Scientific Research, by the European Data Protection Supervisor.
- EFAMRO & ESOMAR’s Guidance Note for the Research Sector: Appropriate use of different legal bases under the GDPR.
- GREAT's Guidelines for Responsible Research and Innovation.
- EU Code of Conduct on Agricultural Data Sharing by Contractual Agreement.
The Responsible Innovation Compass project has catalogued 130 publicly-funded RRI projects in Europe, including 19 focussed on the ethics component of RRI.
Codes of Conduct
Globally, on AI and Ethics
- (As of 2019) at least 84 sets of ethical guidelines on AI
  - 13 from EU member-states and
  - 6 from EU institutions
Codes of Conduct
CoCs on Research and DP in EU member-states
None approved post-GDPR on research.*
Pre-2018 examples like Dutch "Code of Conduct for the Use of Personal Data in Scientific Research"
*Post-2018 examples exist, like Spain's "Code of Best Practices on Data Protection for Big Data Projects", but that's not focussed on research
Codes of Conduct
Research on CoCs & Research
CoCs weren't successful under the Data Protection Directive, but the hope is that the GDPR has addressed those concerns and has added incentives.
Genomics, language, bio-banks, etc.
Benefits of CoCs include harmonization and increased legal certainty due to specificity.
Codes of Conduct
Research on CoCs & Research
Pessimism (Koscik & Myska):
- "It is difficult to find an institution that would have the mandate to speak for a research community" (ALLEA, EUA?)
- "We presume that the adoption of a Europe-wide code of conduct for data protection in research is very unlikely."
- "Each research discipline uses specific methods and many scientific disciplines do not need to process personal data at all."
However:
- "… likely that individual codes of conduct will be adopted for some narrow research fields and specific research-related activities such as biobanking, genomic research, social networks research, and sociological surveys."
Summary: Findings
- Trade-off between breadth of applicability of a CoC and depth of guidance.
- Most CoCs & guidelines on research don't deal with data protection in depth, with some exceptions like the EDPS's "Preliminary Opinion" and EFAMRO & ESOMAR’s "Guidance Note for the Research Sector".
- No extant CoCs under Art. 40.
- Most CoC-related issues raised by the Critical Analysis can't be addressed by non-Art. 40 CoCs.
- There already exist >130 EU-funded RRI projects (including at least 19 on RRI & ethics, and many guidelines, good practice documents, frameworks, etc.).
- There already exist >84 documents on AI and ethics (including at least 19 from the EU region).
Scope
- The CCDP is not meant to be a CoC under Article 40 of the GDPR.
- There are few CoCs on data protection in research, but the PANELFIT Guidelines on Data Protection Ethical and Legal Issues in ICT Research and Innovation already provide extensive guidance on this issue. The CCDP needed to be distinguished both from existing EC-funded CoCs on RRI and from the PANELFIT Guidelines themselves.
- There's a trade-off between being applicable to all forms of research and providing specific guidance.
- Limited to covering:
  - broad data protection principles (Articles 5, 6, 9, 10, 38, 89 + Recitals 26, 33, 51–56, 159)
  - good practices
  - keeping in mind researchers' needs
- Not meant to be a substitute for:
  - "Guidelines on Data Protection, Ethical and Legal Issues in ICT Research and Innovation"
  - "Critical Analysis of the ICT Data Protection Regulatory Framework"
  - any sector-specific CoC
Brief Overview of CCDP
Preamble: aim, scope, and need for the CCDP for responsible research & innovation
Data Protection Principles
- Lawfulness, fairness, transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
Good Practices
- Anonymization, pseudonymization and encryption
  - Anonymization: not "personal" data anymore
  - Pseudonymization: data minimization + confidentiality
  - Encryption: confidentiality
- Aggregate and coarse data
  - Aggregate data: multiple people's data together
  - Coarse data: non-specific data (e.g., age range instead of birthdate)
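An added illustration of the pseudonymization, coarse-data and aggregate-data practices above, not code from the CCDP or the PANELFIT project: a Python sketch over constructed sample records. The record fields, the placeholder key and the 2021-06-24 reference date are assumptions.

```python
import hashlib
import hmac
from collections import Counter
from datetime import date

# Constructed sample records (not real participants): direct identifier, exact birthdate, a score.
RECORDS = [
    {"email": "alice@example.org", "birthdate": date(1988, 3, 14), "score": 7},
    {"email": "bob@example.org", "birthdate": date(1995, 11, 2), "score": 4},
    {"email": "carol@example.org", "birthdate": date(1962, 7, 30), "score": 9},
    {"email": "alice@example.org", "birthdate": date(1988, 3, 14), "score": 6},
]
# Assumed reference date for computing ages (the presentation date).
TODAY = date(2021, 6, 24)
# Assumed: the key is held by the controller, separately from the dataset, so the
# pseudonymized data is still "personal data" for whoever holds the key (GDPR Art. 4(5)).
PSEUDONYM_KEY = b"placeholder-secret-kept-separately"


def pseudonymize(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash: records of one person still link up, but the identifier
    cannot be recovered (or confirmed by rehashing a guess) without the key."""
    digest = hmac.new(key, identifier.strip().lower().encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:16]


def age_band(birthdate: date, today: date = TODAY, width: int = 10) -> str:
    """Coarse data: replace an exact birthdate with a ten-year age range."""
    had_birthday = (today.month, today.day) >= (birthdate.month, birthdate.day)
    age = today.year - birthdate.year - (0 if had_birthday else 1)
    lower = (age // width) * width
    return f"{lower}-{lower + width - 1}"


def minimize(records, today: date = TODAY):
    """Data minimization: drop the email and the exact birthdate before analysis."""
    return [
        {"pid": pseudonymize(r["email"]), "age_band": age_band(r["birthdate"], today), "score": r["score"]}
        for r in records
    ]


def aggregate_by_band(records):
    """Aggregate data: counts and mean score per age band, no per-person rows."""
    counts = Counter(r["age_band"] for r in records)
    totals = Counter()
    for r in records:
        totals[r["age_band"]] += r["score"]
    return {band: {"n": n, "mean_score": totals[band] / n} for band, n in sorted(counts.items())}
```

Note that the pseudonymized table is still personal data while the key exists; only the aggregate output stops being about identifiable individuals.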
Brief Overview of CCDP
Good Practices
- Multiple grounds for processing: what happens when multiple grounds are used for processing, and one of the grounds is removed (e.g., consent is revoked)?
- Consent in data protection and in ethics: keep consent for data protection separate from consent as a human research participant
- Legitimacy, fairness, and ethics approvals: ethical data collection and use is important, so don't collect/use data in a manner that an ethics board would disapprove of.
- Data protection authorities and ethics boards
- Data protection guidelines, DPIA, and DPOs
Annexure 1: Key resources
Contact Details
pranesh@prakash.im
soacha@icm.csic.es
@pranesh
@adrisoacha
Review of PANELFIT Code of Conduct on Data Protection (MLE 2)
By Pranesh Prakash
Internal presentation, made on 2021-06-24