diff --git a/_data/sidebars/data_management.yml b/_data/sidebars/data_management.yml index 2e3fe8765..ef4856495 100644 --- a/_data/sidebars/data_management.yml +++ b/_data/sidebars/data_management.yml @@ -74,8 +74,10 @@ subitems: url: /data_management_plan - title: Data organisation url: /data_organisation - - title: Data protection - url: /data_protection + - title: Data security + url: /data_security + - title: Data sensitivity + url: /data_sensitivity - title: Data provenance url: /data_provenance - title: Data publication @@ -90,14 +92,14 @@ subitems: url: /metadata_management - title: Existing data url: /existing_data + - title: GDPR compliance + url: /gdpr_compliance - title: Identifiers url: /identifiers - title: Licensing url: /licensing - title: Machine actionability url: /machine_actionability - - title: Data sensitivity - url: /sensitive_data - title: Tool assembly description: Find concrete combinations of tools and resources assembled into an ecosystem for research data management. url: /tool_assembly diff --git a/pages/data_life_cycle/planning.md b/pages/data_life_cycle/planning.md index c5efa67e0..29b656e42 100644 --- a/pages/data_life_cycle/planning.md +++ b/pages/data_life_cycle/planning.md @@ -4,7 +4,7 @@ page_id: plan description: Introduction to data management planning. contributors: [Siiri Fuchs, Korbinian Bösl, Minna Ahokas, Federico Bianchini, Flora D'Anna] related_pages: - your_tasks: [compliance, costs, dmp, data_protection, dm_coordination, machine_actionability] + your_tasks: [compliance, costs, dmp, data_security, dm_coordination, machine_actionability] training: - name: Training in TeSS registry: TeSS diff --git a/pages/data_life_cycle/preserving.md b/pages/data_life_cycle/preserving.md index 967f9ac81..7055b864a 100644 --- a/pages/data_life_cycle/preserving.md +++ b/pages/data_life_cycle/preserving.md 
@@ -4,7 +4,7 @@ page_id: preserve description: Introduction to data preservation. contributors: [Siiri Fuchs, Korbinian Bösl, Anastasia Chasapi, Flora D'Anna] related_pages: - your_tasks: [data_organisation, data_protection, data_publication, metadata, storage, identifiers, licensing] + your_tasks: [data_organisation, data_security, data_publication, metadata, storage, identifiers, licensing] training: - name: Training in TeSS registry: TeSS diff --git a/pages/data_life_cycle/sharing.md b/pages/data_life_cycle/sharing.md index 3601f00bb..d134744ab 100644 --- a/pages/data_life_cycle/sharing.md +++ b/pages/data_life_cycle/sharing.md @@ -4,7 +4,7 @@ page_id: share description: Introduction to data sharing. contributors: [Flora D'Anna, Bert Droesbeke, Niclas Jareborg, Ulrike Wittig] related_pages: - your_tasks: [data_protection, data_brokering, data_publication, transfer, identifiers, licensing, metadata, sensitive] + your_tasks: [gdpr_compliance, data_security, data_brokering, data_publication, transfer, identifiers, licensing, metadata, sensitive] training: - name: Training in TeSS registry: TeSS diff --git a/pages/national_resources/no_resources.md b/pages/national_resources/no_resources.md index 77bfe398d..9f609440a 100644 --- a/pages/national_resources/no_resources.md +++ b/pages/national_resources/no_resources.md @@ -132,7 +132,7 @@ national_resources: how_to_access: Through Feide, only if you are based at the UiB related_pages: your_domain: [human_data] - your_tasks: [data_protection, sensitive] + your_tasks: [data_security, gdpr_compliance, sensitive] your_role: [policy_maker, data_steward] url: https://rette.app.uib.no/ - name: DataverseNO diff --git a/pages/tool_assembly/csc_assembly.md b/pages/tool_assembly/csc_assembly.md index 14be6caca..5f42a8ecd 100644 --- a/pages/tool_assembly/csc_assembly.md +++ b/pages/tool_assembly/csc_assembly.md 
@@ -5,7 +5,7 @@ description: The Center of Science (CSC) provides high-quality ICT expert servic page_id: csc affiliations: [FI, CSC, ELIXIR Europe] related_pages: - your_tasks: [sensitive, dmp, data_protection, storage, data_publication, data_transfer, data_analysis] + your_tasks: [sensitive, dmp, data_security, gdpr_compliance, storage, data_publication, data_transfer, data_analysis] your_domain: [human_data] training: - name: Training in TeSS 
@@ -54,7 +54,7 @@ When you start [collecting](collecting) data and need a storing environment wher ### Data processing and analysis -For [processing](processing), [analysing](analysing) and [storing data](storage) during the research project, CSC offers several [computing platforms](https://research.csc.fi/computing). These include both environments for non-sensitive and [sensitive data](sensitive_data). Depending on your needs, you can choose from a wide variety of computing resources: use [Chipster](https://chipster.csc.fi/) software for high-throughput data such as RNA-seq and single cell RNA-seq, build your own custom virtual machine, or utilise the full power of our world-class supercomputers. +For [processing](processing), [analysing](analysing) and [storing data](storage) during the research project, CSC offers several [computing platforms](https://research.csc.fi/computing). These include both environments for non-sensitive and [sensitive data](data_sensitivity). Depending on your needs, you can choose from a wide variety of computing resources: use [Chipster](https://chipster.csc.fi/) software for high-throughput data such as RNA-seq and single cell RNA-seq, build your own custom virtual machine, or utilise the full power of our world-class supercomputers. Supercomputers Puhti and Mahti can be used for larger scale analysis and simulations. They will soon be accompanied with the world-class supercomputer {% tool "lumi" %}. Pouta and Rahti cloud computing services offer more flexibility, allowing the user to manage the infrastructure. CSC's computers have a wide range of [preinstalled scientific software and databases](https://research.csc.fi/bioscience-programs) with usage instructions. diff --git a/pages/tool_assembly/omero_assembly.md b/pages/tool_assembly/omero_assembly.md index 9a887de11..4ec863f53 100644 --- a/pages/tool_assembly/omero_assembly.md +++ b/pages/tool_assembly/omero_assembly.md 
@@ -39,7 +39,7 @@ Recommendations and software tools are being developed to capture acquisition me ## Who is OMERO intended for? -OMERO is designed to be an institutional repository. It offers a secure central way for scientists, researchers and data stewards to handle their imaging data. All the image data from a facility can be securely stored and managed, using group permissions and user roles to allow controlled access tailored to your institution. From private repositories for [sensitive data](sensitive_data) to hosting public data for your website and latest publications, the permissions model is designed to meet the range of researchers’ needs. OMERO is tried and tested in hundreds of institutions world-wide, with extensive installation and configuration documentation for system administrators and community support via dedicated mailing lists and forums. +OMERO is designed to be an institutional repository. It offers a secure central way for scientists, researchers and data stewards to handle their imaging data. All the image data from a facility can be securely stored and managed, using group permissions and user roles to allow controlled access tailored to your institution. From private repositories for [sensitive data](data_sensitivity) to hosting public data for your website and latest publications, the permissions model is designed to meet the range of researchers’ needs. OMERO is tried and tested in hundreds of institutions world-wide, with extensive installation and configuration documentation for system administrators and community support via dedicated mailing lists and forums. The OMERO platform uses a Group/User permission system. ​​The degree to which their data is available to other members of the group depends on the permissions settings for that group. Whenever a user logs on to an OMERO server, they are connected under one of their groups. 
All data they import and any work that is done is assigned to the current group, however the user can move their data into another group. Users require login credentials to access the system. OMERO also supports the use of an LDAP server. diff --git a/pages/tool_assembly/transmed_assembly.md b/pages/tool_assembly/transmed_assembly.md index e751af70f..413ef6e37 100644 --- a/pages/tool_assembly/transmed_assembly.md +++ b/pages/tool_assembly/transmed_assembly.md @@ -5,7 +5,7 @@ description: TransMed tool assembly from ELIXIR Luxembourg supports projects in page_id: transmed affiliations: [ELIXIR Europe, LU] related_pages: - your_tasks: [compliance, storage, metadata, data_organisation, data_analysis, sensitive, data_protection, dmp] + your_tasks: [compliance, storage, metadata, data_organisation, data_analysis, sensitive, gdpr_compliance, dmp] your_domain: [human_data] --- diff --git a/pages/tool_assembly/tsd_assembly.md b/pages/tool_assembly/tsd_assembly.md index 4925e81aa..6010dad73 100644 --- a/pages/tool_assembly/tsd_assembly.md +++ b/pages/tool_assembly/tsd_assembly.md @@ -5,7 +5,7 @@ description: The Sensitive Data Service (TSD) provides a platform to store, comp page_id: tsd affiliations: ["NO", ELIXIR Europe, University of Oslo] related_pages: - your_tasks: [dmp, storage, sensitive, data_protection, transfer] + your_tasks: [dmp, storage, sensitive, data_security, gdpr_compliance, transfer] your_domain: [human_data] training: - name: Documentation for the HPC cluster 
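Review bot: TransMed loses its link to the security guidance in the transmed_assembly.md front matter, where `data_protection` is replaced by `gdpr_compliance` alone. The CSC and TSD assemblies in this same commit receive both `data_security` and `gdpr_compliance`, and the renamed data_security.md still lists `tool_assembly: [tsd, transmed]`, so the security page would point at TransMed without TransMed pointing back. If the omission is not intentional, the line should read `your_tasks: [compliance, storage, metadata, data_organisation, data_analysis, sensitive, data_security, gdpr_compliance, dmp]`.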
@@ -18,7 +18,7 @@ training: ## What is the Norwegian tools assembly for sensitive data - TSD data management tools assembly? The Norwegian ELIXIR tools assembly for sensitive data is centred around -[TSD - literally for: services for sensitive data](https://www.uio.no/english/services/it/research/sensitive-data/) is an infrastructure provided by [the University of Oslo (UiO)](https://www.uio.no). Together with the other complementary tools provided by ELIXIR, TSD can be used for the management of [sensitive data](sensitive_data), including handling of [Human data](human_data). +[TSD - literally for: services for sensitive data](https://www.uio.no/english/services/it/research/sensitive-data/) is an infrastructure provided by [the University of Oslo (UiO)](https://www.uio.no). Together with the other complementary tools provided by ELIXIR, TSD can be used for the management of [sensitive data](data_sensitivity), including handling of [Human data](human_data). This assembly covers [Planning](planning), [Processing](processing), [Analysing](analysing) and [Sharing](sharing) Data Life Cycle stages and offer [Data Storage](storage) capacities and tools for [transfer](data_transfer) of sensitive data, following the requirements of the {% tool "eu-general-data-protection-regulation" %} and its Norwegian implementation. 
@@ -52,7 +52,7 @@ You can access the [ELIXIR-NO instance of the Data Stewardship Wizard](https://e If you use one of the Norwegian research infrastructures, such as the Norwegian sequencing infrastructure [NorSeq](https://www.norseq.org/) they can directly upload data to your TSD project for you - the process is described by ELIXIR Norway at [https://elixir.no/Services-bak/data_produced_NorSeq](https://elixir.no/Services-bak/data_produced_NorSeq) The sensitive data tools assembly provides [Nettskjema](https://nettskjema.no) as a solution for designing and managing data collections using online forms and surveys. This is a secure and GDPR-compliant service. It can be accessed through the UiO's web pages and it is used through a web browser. Submissions from a Nettskjema questionnaire can be delivered securely (fully encrypted) to your project area within TSD. -TSD-users are granted access to Nettskjema through [IDporten or Feide](https://www.uio.no/tjenester/it/adm-app/nettskjema/mer-om/eksterne-brukere). When the Nettskjema form is complete, you can upload it on TSD following [these instructions](https://www.uio.no/tjenester/it/adm-app/nettskjema/hjelp/koble-skjema-til-tsd.html). After verification, the form can be used for collecting sensitive data. Note that further processing and analysis of the results should be conducted within TSD. If exporting data is necessary, the files should be properly [de-identified or anonymised](sensitive_data.html#how-can-you-de-identify-your-data). +TSD-users are granted access to Nettskjema through [IDporten or Feide](https://www.uio.no/tjenester/it/adm-app/nettskjema/mer-om/eksterne-brukere). When the Nettskjema form is complete, you can upload it on TSD following [these instructions](https://www.uio.no/tjenester/it/adm-app/nettskjema/hjelp/koble-skjema-til-tsd.html). After verification, the form can be used for collecting sensitive data. Note that further processing and analysis of the results should be conducted within TSD. 
If exporting data is necessary, the files should be properly [de-identified or anonymised](data_sensitivity.html#how-can-you-de-identify-your-data). ### Data Processing and Analysis diff --git a/pages/your_domain/human_data.md b/pages/your_domain/human_data.md index 8015c4d8b..9628430e6 100644 --- a/pages/your_domain/human_data.md +++ b/pages/your_domain/human_data.md @@ -4,7 +4,7 @@ description: Data management solutions for human data. contributors: [Niclas Jareborg, Nirupama Benis, Ana Portugal Melo, Pinar Alper, Laura Portell Silva, Wolmar Nyberg Åkerström, Nazeefa Fatima, Vilem Ded, Teresa D'Altri] page_id: human_data related_pages: - your_tasks: [sensitive] + your_tasks: [sensitive, gdpr_compliance] tool_assembly: [tsd, covid-19, transmed] training: - name: Training in TeSS 
@@ -57,8 +57,8 @@ When working with human data, you must follow established research ethical guide * **Receiving data from a repository** also comes with certain use restrictions. These are either defined in the license attributed to the data or defined in a dataset specific **access policy** and **terms of service** of the repository. * Personal data protection legislation: * **Within the EU.** If you are performing human data research in the EU, or your data subjects are located in the EU, then you must adhere to the General Data Protection Regulation - GDPR. - * Requirements for research that fall under the GDPR are outlined in the [RDMkit Data protection page](data_protection). - * Attributes of the data determines data sensitivity and sensitivity affects the considerations for data handling. The [RDMkit Data Sensitivity page](sensitive_data) provides guidance on determining and reducing data sensitivity. + * Requirements for research that fall under the GDPR are outlined in the [RDMkit GDPR compliance page](gdpr_compliance). + * Attributes of the data determines data sensitivity and sensitivity affects the considerations for data handling. The [RDMkit Data Sensitivity page](data_sensitivity) provides guidance on determining and reducing data sensitivity. * **Outside the EU.** For countries outside the EU, the {% tool "international-compilation-of-human-research-standards" %} list relevant legislations. diff --git a/pages/your_domain/human_pathogen_genomics.md b/pages/your_domain/human_pathogen_genomics.md index 6cf3e40c5..d74329a31 100644 --- a/pages/your_domain/human_pathogen_genomics.md +++ b/pages/your_domain/human_pathogen_genomics.md @@ -8,7 +8,7 @@ related_pages: - data_brokering - metadata - transfer - - data_protection + - data_security - data_quality tool_assembly: - covid-19 
@@ -51,7 +51,7 @@ While the object of interest in this domain are pathogens, the data is usually d * [Processing and analysing human data](human_data#processing-and-analysing-human-data) #### Isolate pathogen from host information -* Depending on the pathogen, how it interacts with the host, or the methods applied, it can be possible to generate clean isolates that do not contain host related material. Data produced from a clean isolate could potentially be handled with few restrictions, while other data will be considered to be personal and [sensitive](sensitive_data) that need [protection](data_protection). +* Depending on the pathogen, how it interacts with the host, or the methods applied, it can be possible to generate clean isolates that do not contain host related material. Data produced from a clean isolate could potentially be handled with few restrictions, while other data will be considered to be personal and [sensitive](data_sensitivity) that need [protection](data_security). #### Public health initiatives * National and international recommendations from public health authorities, epidemic surveillance programs and research data communities should be considered when planning a new study or surveillance programme. In particular, you could consult conventions for relevant surveillance programs while considering widely adopted guidelines for research documentation, and instructions from the data sharing platforms. diff --git a/pages/your_role/policy_maker.md b/pages/your_role/policy_maker.md index d094f2126..e00436a36 100644 --- a/pages/your_role/policy_maker.md +++ b/pages/your_role/policy_maker.md 
@@ -31,8 +31,8 @@ In your role of policy maker, you may need to: * The [Compliance page](compliance_monitoring) helps comply with the institution policy, including legal and ethical aspects. * The [National resources pages](national_resources) point to country-specific information resources such as local funding agencies and research councils, and information on local policies for open science, national regulations on data ethics, and domain-specific infrastructures and tools. -* [Data protection](data_protection) helps to make research data compliant to GDPR. -* [Data sensitivity](sensitive_data) helps to identify sensitivity of different research data types. +* [Data protection](data_security) helps to make research data compliant to GDPR. +* [Data sensitivity](data_sensitivity) helps to identify sensitivity of different research data types. * [Licensing](licensing) gives advice on how to assign a licence to research data. * [Data management plan](data_management_plan) guides through writing a data management plan. * [Project data management coordination](dm_coordination) gives support in coordination and organisation of RDM in collaborative projects. diff --git a/pages/your_role/principal_investigator.md b/pages/your_role/principal_investigator.md index 6b990f0f1..3c61085b4 100644 --- a/pages/your_role/principal_investigator.md +++ b/pages/your_role/principal_investigator.md 
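Review bot: The bullet `[Data protection](data_security) helps to make research data compliant to GDPR.` keeps its GDPR wording but now links to the data security page, while this commit removes the GDPR section from that page and other pages link the topic as `gdpr_compliance`. A policy maker following the bullet for GDPR obligations would land on technical and organisational safeguards instead. I would split it into `* [GDPR compliance](gdpr_compliance) helps to make research data compliant to GDPR.` and `* [Data security](data_security) helps to ensure that research data is handled securely.` The same bullet in the research_software_engineer.md hunk has the same mismatch and needs the same change.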
@@ -33,7 +33,7 @@ In your role of PI, you may need to: * To organise data management in collaborative projects, it will benefit from a formalised way of working via a [Data Management Working Group (DMWG)](dm_coordination). * The [costs of data management page](costs_data_management) helps you budget for your project, including costs for data storage and preservation. * The [national resources pages](national_resources) provide country-specific guidance, to help you choose the best services, tools and pipelines to manage your data. - * The [human data page](human_data#planning-for-projects-with-human-data) gathers information that needs to be taken into consideration when working with human data. Make sure to [protect the data](data_protection#how-do-you-ensure-that-your-data-is-handled-securely) in your project well and prevent unauthorised access. + * The [human data page](human_data#planning-for-projects-with-human-data) gathers information that needs to be taken into consideration when working with human data. Make sure to [protect the data](data_security#how-do-you-ensure-that-your-data-is-handled-securely) in your project well and prevent unauthorised access. * Consider your [data storage needs](storage) in an early stage, including long-term storage at the project end. * The [data organisation page](data_organisation) helps you with file naming, versioning and folder structures. * [Data documentation](metadata_management), like README files and metadata, help secondary users to understand and reuse your data. diff --git a/pages/your_role/research_software_engineer.md b/pages/your_role/research_software_engineer.md index 560412651..df174dd6f 100644 --- a/pages/your_role/research_software_engineer.md +++ b/pages/your_role/research_software_engineer.md 
@@ -38,8 +38,8 @@ In your role of research software engineer, you may need to: * The [identifiers page](identifiers) gives advice on how to create and use identifiers. [Machine actionability](machine_actionability) helps to automatically access and process research data. * Consider the best practices and technical solutions for [data analysis](data_analysis). - * [Data protection](data_protection) helps you to make research data GDPR-compliant. - * [Data sensitivity](sensitive_data) helps you to identify sensitivity of different research data types. + * [Data protection](data_security) helps you to make research data GDPR-compliant. + * [Data sensitivity](data_sensitivity) helps you to identify sensitivity of different research data types. * [Licensing](licensing) gives advice on how to assign a licence to research data. * Consult the [data transfer page](data_transfer) for information about transferring large data files. * The [data brokering page](data_brokering) provides information on uploading data to repositories and metadata requirements for the process. diff --git a/pages/your_tasks/data_brokering.md b/pages/your_tasks/data_brokering.md index 00f65a274..1f1678484 100644 --- a/pages/your_tasks/data_brokering.md +++ b/pages/your_tasks/data_brokering.md 
@@ -36,7 +36,7 @@ There are many aspects to consider when getting started as a broker. * Identify what kind of processing you will handle as a broker, such as (meta)data curation and validation, data masking/anonymisation. * Define the time frame for your commitment and your responsibilities for the data, such as how to handle data loss before delivery, what to do with the data after a successful delivery, how to manage changes to data that has already been delivered, etc. * Identify who is responsible for the data before, during and after delivery, such as the data controller/processor (according to GDPR) and/or intellectual property owner/licensee relationships between the provider and recipient -* Ensure that you will be able to establish contracts/agreements that cover the data and processing that you will handle, such as considerations for [data protection](data_protection), [licensing](licensing), and [compliance](compliance_monitoring). +* Ensure that you will be able to establish contracts/agreements that cover the data and processing that you will handle, such as considerations for [data security](data_security), [licensing](licensing), [GDPR](gdpr_compliance) and general [compliance](compliance_monitoring). * Estimate and secure the resources required to keep your commitment, such as staff with time and necessary skills, accounts, compute, storage and software * Refer to the sections below for considerations related to collecting data from data providers and delivering data to public data repositories. 
@@ -45,7 +45,7 @@ There are many aspects to consider when getting started as a broker. The solutions that you adopt will vary depending on the agreements you have negotiated with data providers and/or recipients. The following are examples of general solutions that would help you comply with regulations and implement good data management practices. * [Data management plan](data_management_plan) – Many questions that you would answer while writing a data management plan can be relevant to answer when you specify the terms of service for your brokering service, such as data storage, data standards, legal and ethical, etc. -* [Data protection](data_protection) – If you are working with data concerning people in the EU, you should make sure to comply with both national and international regulations for data protection. +* [GDPR compliance](gdpr_compliance) – If you are working with data concerning people in the EU, you should make sure to comply with both national and international regulations for data protection. * Apply for brokering permissions at the repository where you plan to submit data. For example, you can have a broker account at ENA; in this case, please visit [ENA Documentation](https://ena-docs.readthedocs.io/en/latest/faq/data_brokering.html) for guidelines on how to apply for such an account. ## Collecting and processing the metadata and data diff --git a/pages/your_tasks/data_publication.md b/pages/your_tasks/data_publication.md index 322dbbf8a..68f863690 100644 --- a/pages/your_tasks/data_publication.md +++ b/pages/your_tasks/data_publication.md 
@@ -78,7 +78,7 @@ Once you have decided where to publish your data, you will have to make your (me * How is the data uploaded? * What metadata do you need to provide? * Under which licence should the data be published? - * Should [sensitive data](sensitive_data) and metadata be anonymised or pseudonymised prior to a publication? This could notably be the case if you work with [human data](human_data). + * Should [sensitive data](data_sensitivity) and metadata be anonymised or pseudonymised prior to a publication? This could notably be the case if you work with [human data](human_data). * After data is submitted to a public repository, should the original copy of the data be retained at the central brokering platform and linked to its public counterpart? Or should it be removed and replaced with the ID of the public record? diff --git a/pages/your_tasks/data_protection.md b/pages/your_tasks/data_security.md similarity index 57% rename from pages/your_tasks/data_protection.md rename to pages/your_tasks/data_security.md index 874bca7ec..428c074f4 100644 --- a/pages/your_tasks/data_protection.md +++ b/pages/your_tasks/data_security.md @@ -1,8 +1,9 @@ --- -title: Data protection +title: Data security contributors: [Pinar Alper, Yvonne Kallberg, Vilem Ded, Eva Csosz, Niclas Jareborg] -description: How to protect your research data, and how to make research data compliant to GDPR. -page_id: data_protection +description: How do you ensure that your data is handled securely. +page_id: data_security +redirect_from: data_protection related_pages: tool_assembly: [tsd, transmed] training: 
@@ -10,20 +11,18 @@ training: registry: TeSS url: https://tess.elixir-europe.org/search?q=data+protection#materials dsw: -- name: Will you collect any data connected to a person, "personal data"? - uuid: 49c009cb-a38c-4836-9780-8a8b3dd1cbac -- name: Do you need a Data Protection Impact Assessment? - uuid: 8915bd25-db22-4ed6-bcc8-b1bbdc52989e - name: What technical and procedural safeguards have been established for processing the data? uuid: a30f5047-33c1-45a7-8b3f-b1b90c364fc9 faircookbook: -- name: Licensing Data - url: https://w3id.org/faircookbook/FCB034 -- name: Declaring data permitted uses - url: https://w3id.org/faircookbook/FCB035 -- name: Data Protection Impact Assessment and Data Privacy - url: https://w3id.org/faircookbook/FCB074 +- name: Downloading data with Aspera + url: https://w3id.org/faircookbook/FCB015 +- name: Transferring data with SFTP + url: https://w3id.org/faircookbook/FCB014 +- name: How to create checksum files + url: https://w3id.org/faircookbook/FCB052 +- name: How to check file integrity by validating checksums + url: https://w3id.org/faircookbook/FCB053 --- ## How do you ensure that your data is handled securely? 
@@ -67,60 +66,5 @@ To protect your research data, code, and other information assets you should est * Organisational Measures * The procedures on how the technical protection measures are to be used, and who is responsible for what, must be understood by all personnel that work with the data, code, and other information assets. The procedures should be documented, and staff should have access to relevant training to follow the procedures. This is often the most vulnerable part in an Information Security strategy. * Policies are an important component of data management and they are essential for information security. Organisations use policies to announce to their staff and third parties the expectations, roles and responsibilities in data handling. Policies typically cover data classification, storage/backup, transfer, retention/archival, deletion/destruction, acceptable use of IT platforms and the reporting of security incidents and data breaches. In some cases research data requirements would be addressed in dedicated policies. Therefore, at the planning phase, it is important to understand institutional data policies applicable to the project’s data. If the data is considered sensitive as per the institutional data classification, this will have an impact on the IT platforms that can be used to store and transmit the data as well as the specific procedures to be followed. - * Information inventories and documentation is another requirement for projects dealing with sensitive data. At the planning phase you should identify the various categories of data that will be processed in the project e.g. personal health and biomedical data, sensitive habitat data, IP restricted data from the industry. You should document which platforms will be used to process the data and the applicable security measures in case certain measures are applied to restricted classes of data. See the next section for GDPR-specific documentation requirements. 
See the [Data Sensitivity](/sensitive_data) page for more information on sensitive data. + * Information inventories and documentation is another requirement for projects dealing with sensitive data. At the planning phase you should identify the various categories of data that will be processed in the project e.g. personal health and biomedical data, sensitive habitat data, IP restricted data from the industry. You should document which platforms will be used to process the data and the applicable security measures in case certain measures are applied to restricted classes of data. See the next section for GDPR-specific documentation requirements. See the [Data Sensitivity](/data_sensitivity) page for more information on sensitive data. * [ISO/IEC 27001](https://en.wikipedia.org/wiki/ISO/IEC_27001) is an international information security standard adopted by data processing centres worldwide. Some universities and research institutes also acquire an ISO 27001 certification for their IT environments. Such certifications allow institutions to consistently and thoroughly identify information security risks and put in place best practice information security controls. These controls would include all above mentioned technical and organisational safeguards and more. - - -## How do you protect research data under GDPR? - -### Description - -Where scientific research involves the processing of data concerning people in the European Union (EU), it is subject to the {% tool "eu-general-data-protection-regulation" %} (GDPR). The GDPR applies a ["special regime"](https://edps.europa.eu/sites/edp/files/publication/20-01-06_opinion_research_en.pdf) to research, providing -derogations from some obligations given appropriate criteria are met and safeguards are in place. The criteria is to follow standards in research method and ethics, as well as to aim societal benefit rather than serving private interests in research. 
-The safeguards are a multitude and include: - * data collection with informed consent under ethical oversight and accountability; - * ensuring lawful processing and exchange of human-subject information; - * putting in place organisational and technical data protection measures such as encryption and pseudonymisation. - -The practical impact of the GDPR on research is, then, establishing these safeguards within projects. - -### Considerations - -Seek expert help for the interpretation of GDPR legal requirements to practicable measures. - * Research institutes appoint Data Protection Officers (DPO). Before starting a project you should contact your DPO to be informed of GDPR compliance requirements for your institution. - * Each EU country has its own national implementation of the GDPR. If your project involves a multi-national consortium, the requirements of all participating countries need to be met and you should inform the project coordinator of any country-specific requirements. - * Legal offices in research institutes provide model agreements, which cater for various research scenarios and consortia setups. You should inform your local legal office of your project's setup and identify the necessary agreements to be signed. - -Assess your project under the GDPR. - * Determine your GDPR role. Are you a data controller, who determines the purposes and means of the processing, or, are you a data processor, who acts under instructions from the controller? - * If you are a controller, you need to check whether your processing poses high privacy risks for data subjects, and if so, perform a Data Protection Impact Assessment (DPIA). - * The GDPR lists certain data e.g. 
race, ethnicity, health, genetic, biometric data as [special category](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/how-my-personal-data-protected/how-data-my-religious-beliefs-sexual-orientation-health-political-views-protected_en), requiring it's heightened protection. Your research will be considered high risk processing if it involves special category data or if it includes some specified types of processing.
- * A DPIA is often a pre-requisite for ethics applications. Your DPO or local ethics advisory board can help determine whether your project requires a DPIA.
- * Performing the DPIA while writing the DMP will allow you to reuse information and save time.
- * An outcome of the DPIA will be a listing of risks and corresponding mitigations. Mitigations identify the data protection measures you'll adopt, both technical organisational.
-
-Apply technical and organisational measures for data protection. These include:
- * institutional policies and codes of conduct;
- * staff training;
- * user authentication, authorisation, data level access control;
- * data privacy measures such as pseudonymisation, anonymisation and encryption,
- * arrangements that will enable data subjects to exercise their rights.
-
-Record your data processing. To meet GDPR's accountability requirement you should maintain records on the following:
- * project stakeholders and their GDPR roles (controller, processor);
- * purpose of your data processing;
- * description of data subjects and the data;
- * description of data recipients, particularly those outside the EU;
- * logs of data transfers to recipients and the safeguards put in place for transfers, such as data sharing agreements;
- * time limits for keeping different categories of personal data;
- * description of organizational and technical data protection measures.
- -### Solution - - * [European Data Protection Supervisor's "Preliminary opinion on Data Protection and Scientific Research"](https://edps.europa.eu/sites/edp/files/publication/20-01-06_opinion_research_en.pdf) - * {% tool "bbmri-eric-s-elsi-knowledge-base" %} contains a glossary, agreement templates and guidance. - * {% tool "daisy" %} and {% tool "erpa" %} are software tools from ELIXIR that allows the record keeping of data processing activities in research projects. - * {% tool "dawid" %} is a software tool from ELIXIR that allows generation of tailor-made data sharing agreements - * {% tool "dpia-knowledge-model" %} is designed to leverage {% tool "data-stewardship-wizard" %} to perform DPIA. - * {% tool "tryggve-elsi-checklist" %} is a list of Ethical, Legal, and Societal Implications (ELSI) to consider for research projects on human subjects. - diff --git a/pages/your_tasks/sensitive_data.md b/pages/your_tasks/data_sensitivity.md similarity index 99% rename from pages/your_tasks/sensitive_data.md rename to pages/your_tasks/data_sensitivity.md index e515287c5..d858a3754 100644 --- a/pages/your_tasks/sensitive_data.md +++ b/pages/your_tasks/data_sensitivity.md @@ -3,6 +3,7 @@ title: Data sensitivity contributors: [Rob Hooft, Yvonne Kallberg, Pinar Alper, Markus Englund, Thanasis Vergoulis, Robert Andrews, Nazeefa Fatima] description: How to identify the sensitivity of different research data types page_id: sensitive +redirect_from: sensitive_data related_pages: tool_assembly: [tsd, covid-19, transmed] training: diff --git a/pages/your_tasks/existing_data.md b/pages/your_tasks/existing_data.md index 493316e68..7e87fac9b 100644 --- a/pages/your_tasks/existing_data.md +++ b/pages/your_tasks/existing_data.md 
@@ -66,7 +66,7 @@ When you find data of interest, you should first check if the quality is good an * Check the [licences](licensing) or repository policy for data usage. * Data from publications can generally be used but make sure that you cite the publication as reference. * If you cannot find the licence of the data, contact the authors. No licence means no reuse allowed. - * If you are reusing personal (identifiable) or even sensitive data, some extra care needs to be taken (see [Human data](human_data) and [Sensitive data](sensitive_data) pages): + * If you are reusing personal (identifiable) or even sensitive data, some extra care needs to be taken (see [Human data](human_data) and [Sensitive data](data_sensitivity) pages): * Make sure you select a data repository that has a clear, published data access/use policy. You do not want to be liable for improper reuse of personal information. For instance, if you’re downloading human data from some lab’s website make sure there is a statement/confirmation that the data was collected with ethical and legal considerations in place. * Sensitive data is often shared under restrictions. Check in the description of the access conditions whether these match with your project (i.e. whether you would be able to successfully ask to get access to the data). For instance, certain datasets can only be accessed by projects with Ethics/Institutional Review Board approval or some can only be used within a specific research field. diff --git a/pages/your_tasks/gdpr_compliance.md b/pages/your_tasks/gdpr_compliance.md new file mode 100644 index 000000000..df4c35e6c --- /dev/null +++ b/pages/your_tasks/gdpr_compliance.md 
@@ -0,0 +1,78 @@ +--- +title: GDPR compliance +contributors: [Pinar Alper, Yvonne Kallberg, Vilem Ded, Eva Csosz, Niclas Jareborg] +description: How to protect your research data, and how to make research data compliant to GDPR. +page_id: gdpr_compliance +related_pages: + tool_assembly: [tsd, transmed] + your_tasks: [data_security] +training: + - name: Training in TeSS + registry: TeSS + url: https://tess.elixir-europe.org/search?q=data+protection#materials +dsw: +- name: Will you collect any data connected to a person, "personal data"? + uuid: 49c009cb-a38c-4836-9780-8a8b3dd1cbac +- name: Do you need a Data Protection Impact Assessment? + uuid: 8915bd25-db22-4ed6-bcc8-b1bbdc52989e +faircookbook: +- name: Licensing Data + url: https://w3id.org/faircookbook/FCB034 +- name: Declaring data permitted uses + url: https://w3id.org/faircookbook/FCB035 +- name: Data Protection Impact Assessment and Data Privacy + url: https://w3id.org/faircookbook/FCB074 +--- + +## How do you protect research data under GDPR? + +### Description + +Where scientific research involves the processing of data concerning identifiable people in the European Union (EU), it is subject to the General Data Protection Regulation (GDPR). The GDPR applies a ["special regime"](https://edps.europa.eu/sites/edp/files/publication/20-01-06_opinion_research_en.pdf) to research, providing derogations from some obligations given appropriate criteria are met and safeguards are in place. The criteria are to follow standards in research method and ethics, as well as to aim for societal benefit rather than serving private interests in research. + +The safeguards are a multitude and include: + * data collection with informed consent under ethical oversight and accountability; + * ensuring lawful processing and exchange of human-subject information; + * putting in place organisational and technical data protection measures such as encryption and pseudonymisation. 
+
+The practical impact of the GDPR on research is, then, establishing these safeguards within projects.
+
+### Considerations
+
+Seek expert help for the interpretation of GDPR legal requirements to practicable measures.
+ * Research institutes appoint Data Protection Officers (DPO). Before starting a project you should contact your DPO to be informed of GDPR compliance requirements for your institution.
+ * Each EU country has its own national implementation of the GDPR. If your project involves a multi-national consortium, the requirements of all participating countries need to be met and you should inform the project coordinator of any country-specific requirements.
+ * Legal offices in research institutes provide model agreements, which cater for various research scenarios and consortia setups. You should inform your local legal office of your project's setup and identify the necessary agreements to be signed.
+
+Assess your project under the GDPR.
+ * Determine your GDPR role. Are you a data controller, who determines the purposes and means of the processing, or, are you a data processor, who acts under instructions from the controller?
+ * If you are a controller, you need to check whether your processing poses high privacy risks for data subjects, and if so, perform a Data Protection Impact Assessment (DPIA).
+ * The GDPR lists certain data e.g. race, ethnicity, health, genetic, biometric data as [special category](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/how-my-personal-data-protected/how-data-my-religious-beliefs-sexual-orientation-health-political-views-protected_en), requiring heightened protection. Your research will be considered high-risk processing if it involves special category data or if it includes some specified types of processing.
+ * A DPIA is often a prerequisite for ethics applications. Your DPO or local ethics advisory board can help determine whether your project requires a DPIA.
+ * Performing the DPIA while writing the DMP will allow you to reuse information and save time.
+ * An outcome of the DPIA will be a listing of risks and corresponding mitigations. Mitigations identify the data protection measures you will adopt, both technical and organisational.
+
+Apply technical and organisational measures for data protection. These include:
+ * institutional policies and codes of conduct;
+ * staff training;
+ * user authentication, authorisation, data level access control;
+ * data privacy measures such as pseudonymisation, anonymisation and encryption;
+ * arrangements that will enable data subjects to exercise their rights.
+
+Record your data processing. To meet GDPR's accountability requirement you should maintain records on the following:
+ * project stakeholders and their GDPR roles (controller, processor);
+ * purpose of your data processing;
+ * description of data subjects and the data;
+ * description of data recipients, particularly those outside the EU;
+ * logs of data transfers to recipients and the safeguards put in place for transfers, such as data sharing agreements;
+ * time limits for keeping different categories of personal data;
+ * description of organisational and technical data protection measures.
+
+### Solution
+
+ * [European Data Protection Supervisor's "Preliminary opinion on Data Protection and Scientific Research"](https://edps.europa.eu/sites/edp/files/publication/20-01-06_opinion_research_en.pdf)
+ * {% tool "bbmri-eric-s-elsi-knowledge-base" %} contains a glossary, agreement templates and guidance.
+ * {% tool "daisy" %} and {% tool "erpa" %} are software tools from ELIXIR that allow the record-keeping of data processing activities in research projects.
+ * {% tool "dawid" %} is a software tool from ELIXIR that allows the generation of tailor-made data-sharing agreements
+ * {% tool "dpia-knowledge-model" %} is designed to leverage {% tool "data-stewardship-wizard" %} to perform DPIA.
+ * {% tool "tryggve-elsi-checklist" %} is a list of Ethical, Legal, and Societal Implications (ELSI) to consider for research projects on human subjects.