Last updated: 
1 month 3 weeks ago
Blog Manager
One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Group administrators:

EDPS preliminary opinion on Data Protection and Scientific Research

Thursday, January 9, 2020 - 16:21

The European Data Protection Supervisor has just published an interesting paper on the research provisions in the GDPR. The whole thing is worth reading, but some things particularly caught my eye:

  • Stresses (again) that research-consent is not the same as GDPR-consent, though the former may still be an "appropriate safeguard" when using a legal basis other than consent (pp18-20).
  • Tries (pp9-10) to distinguish GDPR provisions on "academic expression" from those on "scientific research". The breadth of the former should not be a way to avoid the safeguards required by the latter.
  • Scratches head (pp20-21) on how to reconcile the right to information with research that requires subjects not to know what is actually being researched.
  • "Requires controllers to assess honestly and manage responsibly the risks inherent in their research projects" (p2)
  • Sees ethics review boards as key to that: in particular to distinguishing between public interest research (which should qualify for the various GDPR exemptions/presumptions) and "research which serves primarily private or commercial ends" (which should not). There's a three-step test on p12, and a recommendation on p25 that Data Protection Officers should work with research ethics boards to refine both the rules and the applicable safeguards.
  • Suggests (p25) EU-level Code(s) of Practice to govern research practices in different fields.
  • Muses (p26) on a future right of access to large commercial datasets for research in the public interest.

Although the report concludes that "there is no evidence that the GDPR itself hampers genuine scientific reearch", there is a recognition that "more time is needed to see how the special regime for data protection in the field of scientific research plays out on the ground". As the list above indicates, several areas are identified as requiring further discussion, either within the research and data protection communities, or wider public debate.