From 45e4294cfb2cb191e85962dab3b57b7076c45496 Mon Sep 17 00:00:00 2001 From: Vilem Ded Date: Wed, 24 May 2023 10:10:11 +0200 Subject: [PATCH 01/19] rename data protection page to data security --- _data/sidebars/data_management.yml | 4 ++-- pages/data_life_cycle/planning.md | 2 +- pages/data_life_cycle/preserving.md | 2 +- pages/your_role/data_steward_infrastructure.md | 2 +- pages/your_tasks/{data_protection.md => data_security.md} | 4 ++-- 5 files changed, 7 insertions(+), 7 deletions(-) rename pages/your_tasks/{data_protection.md => data_security.md} (99%) diff --git a/_data/sidebars/data_management.yml b/_data/sidebars/data_management.yml index 108006d50..76392620d 100644 --- a/_data/sidebars/data_management.yml +++ b/_data/sidebars/data_management.yml @@ -68,8 +68,8 @@ subitems: url: /data_management_plan - title: Data organisation url: /data_organisation - - title: Data protection - url: /data_protection + - title: Data security + url: /data_security - title: Data provenance url: /data_provenance - title: Data publication diff --git a/pages/data_life_cycle/planning.md b/pages/data_life_cycle/planning.md index c5efa67e0..29b656e42 100644 --- a/pages/data_life_cycle/planning.md +++ b/pages/data_life_cycle/planning.md @@ -4,7 +4,7 @@ page_id: plan description: Introduction to data management planning. contributors: [Siiri Fuchs, Korbinian Bösl, Minna Ahokas, Federico Bianchini, Flora D'Anna] related_pages: - your_tasks: [compliance, costs, dmp, data_protection, dm_coordination, machine_actionability] + your_tasks: [compliance, costs, dmp, data_security, dm_coordination, machine_actionability] training: - name: Training in TeSS registry: TeSS diff --git a/pages/data_life_cycle/preserving.md b/pages/data_life_cycle/preserving.md index 967f9ac81..7055b864a 100644 --- a/pages/data_life_cycle/preserving.md +++ b/pages/data_life_cycle/preserving.md 
@@ -4,7 +4,7 @@ page_id: preserve description: Introduction to data preservation. contributors: [Siiri Fuchs, Korbinian Bösl, Anastasia Chasapi, Flora D'Anna] related_pages: - your_tasks: [data_organisation, data_protection, data_publication, metadata, storage, identifiers, licensing] + your_tasks: [data_organisation, data_security, data_publication, metadata, storage, identifiers, licensing] training: - name: Training in TeSS registry: TeSS diff --git a/pages/your_role/data_steward_infrastructure.md b/pages/your_role/data_steward_infrastructure.md index f40643190..e7bf2de93 100644 --- a/pages/your_role/data_steward_infrastructure.md +++ b/pages/your_role/data_steward_infrastructure.md @@ -4,7 +4,7 @@ description: Data Steward with focus on tools (software) and IT infrastructure f contributors: [Mijke Jetten, Federico Bianchini, Gregoire Rossier, Erik Hjerde, Siiri Fuchs, Minna Ahokas, Priit Adler, Alexander Botzki, Robert Andrews, Celia van Gelder, Daniel Wibberg, Graham Hughes, Marko Vidak, Pedro Fernandes, Pinar Alper, Victoria Dominguez D. Angel, Wolmar Nyberg Åkerström, Alexia Cardona] page_id: it_support related_pages: - your_tasks: [data_analysis, data_protection, data_brokering, transfer, identifiers, storage, data_organisation, machine_actionability, dm_coordination, data_provenance] + your_tasks: [data_analysis, data_security, data_brokering, transfer, identifiers, storage, data_organisation, machine_actionability, dm_coordination, data_provenance] training: - name: TeSS - ELIXIR’s training portal registry: TeSS diff --git a/pages/your_tasks/data_protection.md b/pages/your_tasks/data_security.md similarity index 99% rename from pages/your_tasks/data_protection.md rename to pages/your_tasks/data_security.md index e61b9cd36..38c004bfd 100644 --- a/pages/your_tasks/data_protection.md +++ b/pages/your_tasks/data_security.md 
@@ -1,8 +1,8 @@ --- -title: Data protection +title: Data security contributors: [Pinar Alper, Yvonne Kallberg, Vilem Ded, Eva Csosz, Niclas Jareborg] description: How to protect your research data, and how to make research data compliant to GDPR. -page_id: data_protection +page_id: data_security related_pages: tool_assembly: [tsd, transmed] training: From c0d4584dbdb438eb4b3902e60b783031e6bfdab9 Mon Sep 17 00:00:00 2001 From: Vilem Ded Date: Wed, 24 May 2023 10:25:01 +0200 Subject: [PATCH 02/19] GDPR compliance page --- _data/tool_and_resource_list.yml | 20 +++--- pages/data_life_cycle/sharing.md | 2 +- pages/national_resources/no_resources.md | 2 +- pages/tool_assembly/csc_assembly.md | 2 +- pages/tool_assembly/transmed_assembly.md | 2 +- pages/tool_assembly/tsd_assembly.md | 2 +- pages/your_domain/human_data.md | 2 +- pages/your_role/data_steward_policy.md | 2 +- pages/your_role/data_steward_research.md | 2 +- pages/your_tasks/GDPR_compliance.md | 77 ++++++++++++++++++++++++ pages/your_tasks/data_brokering.md | 4 +- pages/your_tasks/data_security.md | 55 ----------------- 12 files changed, 97 insertions(+), 75 deletions(-) create mode 100644 pages/your_tasks/GDPR_compliance.md diff --git a/_data/tool_and_resource_list.yml b/_data/tool_and_resource_list.yml index d2d0b0685..6df194b91 100644 --- a/_data/tool_and_resource_list.yml +++ b/_data/tool_and_resource_list.yml @@ -166,7 +166,7 @@ at providing practical know-how for responsible research. name: BBMRI-ERIC's ELSI Knowledge Base related_pages: - - data_protection + - gdpr_compliance - sensitive - policy_officer - data_manager @@ -706,7 +706,7 @@ - it_support - policy_officer - human_data - - data_protection + - gdpr_compliance - transmed url: https://daisy-demo.elixir-luxembourg.org - description: It guides you step by step through a DMP and lets you export a pre-filled 
@@ -816,7 +816,7 @@ to facilitate data sharing agreements. name: DAWID related_pages: - - data_protection + - gdpr_compliance - policy_officer - human_data url: https://dawid.elixir-luxembourg.org/ @@ -909,7 +909,7 @@ (DPIA). name: DPIA Knowledge Model related_pages: - - data_protection + - gdpr_compliance - policy_officer - human_data url: https://converge.ds-wizard.org/knowledge-models/elixir.lu:dpia-research:0.1.0 @@ -1098,7 +1098,7 @@ related_pages: - policy_officer - human_data - - data_protection + - gdpr_compliance url: https://gitlab.sib.swiss/clinbio/erpa-app - description: Regulation (eu) 2016/679 of the european parliament and of the council on the protection of natural persons with regard to the processing of personal @@ -1106,7 +1106,7 @@ data protection regulation). name: EU General Data Protection Regulation related_pages: - - data_protection + - gdpr_compliance - policy_officer - human_data - tsd @@ -1423,7 +1423,7 @@ - description: Framework for Responsible Sharing of Genomic and Health-Related Data name: GA4GH Regulatory and Ethics toolkit related_pages: - - data_protection + - gdpr_compliance - sensitive - policy_officer - data_manager @@ -1772,7 +1772,7 @@ - description: International information security standard name: ISO/IEC 27001 related_pages: - - data_protection + - gdpr_compliance - policy_officer - human_data url: https://en.wikipedia.org/wiki/ISO/IEC_27001 @@ -2042,7 +2042,7 @@ Assessments name: MONARC related_pages: - - data_protection + - gdpr_compliance - policy_officer - human_data - transmed @@ -2961,7 +2961,7 @@ - nels - csc - tsd - - data_protection + - gdpr_compliance url: https://scilifelab-data-guidelines.readthedocs.io/en/latest/docs/general/sensitive_data.html - description: TU Delft costing tool helps to budget for data management personnel costs in proposals. diff --git a/pages/data_life_cycle/sharing.md b/pages/data_life_cycle/sharing.md index 3601f00bb..fe258bc9c 100644 --- a/pages/data_life_cycle/sharing.md 
+++ b/pages/data_life_cycle/sharing.md @@ -4,7 +4,7 @@ page_id: share description: Introduction to data sharing. contributors: [Flora D'Anna, Bert Droesbeke, Niclas Jareborg, Ulrike Wittig] related_pages: - your_tasks: [data_protection, data_brokering, data_publication, transfer, identifiers, licensing, metadata, sensitive] + your_tasks: [GDPR_compliance, data_security, data_brokering, data_publication, transfer, identifiers, licensing, metadata, sensitive] training: - name: Training in TeSS registry: TeSS diff --git a/pages/national_resources/no_resources.md b/pages/national_resources/no_resources.md index 0202b7e94..c8284e85b 100644 --- a/pages/national_resources/no_resources.md +++ b/pages/national_resources/no_resources.md @@ -132,7 +132,7 @@ national_resources: how_to_access: Through Feide, only if you are based at the UiB related_pages: your_domain: [human_data] - your_tasks: [data_protection, sensitive] + your_tasks: [data_security, GDPR_compliance, sensitive] your_role: [policy_officer, data_manager] url: https://rette.app.uib.no/ - name: DataverseNO diff --git a/pages/tool_assembly/csc_assembly.md b/pages/tool_assembly/csc_assembly.md index 576b2e37a..8b0ccd770 100644 --- a/pages/tool_assembly/csc_assembly.md +++ b/pages/tool_assembly/csc_assembly.md @@ -5,7 +5,7 @@ description: The Center of Science (CSC) provides high-quality ICT expert servic page_id: csc affiliations: [FI, CSC, ELIXIR Europe] related_pages: - your_tasks: [sensitive, dmp, data_protection, storage, data_publication, data_transfer, data_analysis] + your_tasks: [sensitive, dmp, data_security, GDPR_compliance, storage, data_publication, data_transfer, data_analysis] your_domain: [human_data] training: - name: Training in TeSS diff --git a/pages/tool_assembly/transmed_assembly.md b/pages/tool_assembly/transmed_assembly.md index 1180cb066..994634b69 100644 --- a/pages/tool_assembly/transmed_assembly.md +++ b/pages/tool_assembly/transmed_assembly.md 
@@ -5,7 +5,7 @@ description: TransMed tool assembly from ELIXIR Luxembourg supports projects in page_id: transmed affiliations: [ELIXIR Europe, LU] related_pages: - your_tasks: [compliance, storage, metadata, data_organisation, data_analysis, sensitive, data_protection, dmp] + your_tasks: [compliance, storage, metadata, data_organisation, data_analysis, sensitive, GDPR_compliance, dmp] your_domain: [human_data] --- diff --git a/pages/tool_assembly/tsd_assembly.md b/pages/tool_assembly/tsd_assembly.md index 32cfa4ce5..ef997acdc 100644 --- a/pages/tool_assembly/tsd_assembly.md +++ b/pages/tool_assembly/tsd_assembly.md @@ -5,7 +5,7 @@ description: The Sensitive Data Service (TSD) provides a platform to store, comp page_id: tsd affiliations: ["NO", ELIXIR Europe, University of Oslo] related_pages: - your_tasks: [dmp, storage, sensitive, data_protection, transfer] + your_tasks: [dmp, storage, sensitive, data_security, GDPR_compliance, transfer] your_domain: [human_data] training: - name: Documentation for the HPC cluster diff --git a/pages/your_domain/human_data.md b/pages/your_domain/human_data.md index bd4dcedc0..1efe467be 100644 --- a/pages/your_domain/human_data.md +++ b/pages/your_domain/human_data.md 
@@ -55,7 +55,7 @@ When working with human data, you must follow established research ethical guide * The [Global Alliance for Genomics and Health (GA4GH)](https://www.ga4gh.org) has recommendations for these issues in their [GA4GH regulatory and ethical toolkit](https://www.ga4gh.org/genomic-data-toolkit/regulatory-ethics-toolkit/), see for instance the [Consent Clauses for Genomic Research](https://drive.google.com/file/d/1O5Ti7g7QJqS3h0ABm-LyTe02Gtq8wlKM/view?usp=sharing). * Personal data protection legislation: * **Within the EU.** If you are performing human data research in the EU, or your data subjects are located in the EU, then you must adhere to the General Data Protection Regulation - GDPR. - * Requirements for research that fall under the GDPR are outlined in the [RDMkit Data protection page](data_protection). + * Requirements for research that fall under the GDPR are outlined in the [RDMkit GDPR compliance page](GDPR_compliance). * Attributes of the data determines data sensitivity and sensitivity affects the considerations for data handling. The [RDMkit Data Sensitivity page](sensitive_data) provides guidance on determining and reducing data sensitivity. * **Outside the EU.** For countries outside the EU, the [International Compilation of Human Research Standards](https://www.hhs.gov/ohrp/sites/default/files/2020-international-compilation-of-human-research-standards.pdf) list relevant legislations. diff --git a/pages/your_role/data_steward_policy.md b/pages/your_role/data_steward_policy.md index 726964244..140b18f56 100644 --- a/pages/your_role/data_steward_policy.md +++ b/pages/your_role/data_steward_policy.md 
@@ -4,7 +4,7 @@ description: Data Steward with focus on data policies. contributors: [Mijke Jetten, Federico Bianchini, Gregoire Rossier, Erik Hjerde, Siiri Fuchs, Minna Ahokas, Priit Adler, Alexander Botzki, Robert Andrews, Celia van Gelder, Daniel Wibberg, Graham Hughes, Marko Vidak, Pedro Fernandes, Pinar Alper, Victoria Dominguez D. Angel, Wolmar Nyberg Åkerström, Alexia Cardona] page_id: policy_officer related_pages: - your_tasks: [compliance, licensing, dmp, data_protection, sensitive, dm_coordination] + your_tasks: [compliance, licensing, dmp, GDPR_compliance, sensitive, dm_coordination] training: - name: TeSS - ELIXIR’s training portal registry: TeSS diff --git a/pages/your_role/data_steward_research.md b/pages/your_role/data_steward_research.md index 48e69f1fc..317d1b5c4 100644 --- a/pages/your_role/data_steward_research.md +++ b/pages/your_role/data_steward_research.md @@ -4,7 +4,7 @@ description: Data Steward with focus on management of research data. contributors: [Mijke Jetten, Federico Bianchini, Gregoire Rossier, Erik Hjerde, Siiri Fuchs, Minna Ahokas, Priit Adler, Alexander Botzki, Robert Andrews, Celia van Gelder, Daniel Wibberg, Graham Hughes, Marko Vidak, Pedro Fernandes, Pinar Alper, Victoria Dominguez D. Angel, Wolmar Nyberg Åkerström, Alexia Cardona] page_id: data_manager related_pages: - your_tasks: [compliance, dmp, data_organisation, licensing, metadata, data_protection, data_publication, data_quality, transfer, identifiers, machine_actionability, dm_coordination, data_provenance] + your_tasks: [compliance, dmp, data_organisation, licensing, metadata, data_securitys, data_publication, data_quality, transfer, identifiers, machine_actionability, dm_coordination, data_provenance] training: - name: TeSS - ELIXIR’s training portal registry: TeSS diff --git a/pages/your_tasks/GDPR_compliance.md b/pages/your_tasks/GDPR_compliance.md new file mode 100644 index 000000000..9a79b8ac9 --- /dev/null +++ b/pages/your_tasks/GDPR_compliance.md 
@@ -0,0 +1,77 @@ +--- +title: GDPR compliance +contributors: [Pinar Alper, Yvonne Kallberg, Vilem Ded, Eva Csosz, Niclas Jareborg] +description: How to protect your research data, and how to make research data compliant to GDPR. +page_id: gdpr_compliance +related_pages: + tool_assembly: [tsd, transmed] +training: + - name: Training in TeSS + registry: TeSS + url: https://tess.elixir-europe.org/search?q=data+protection#materials +dsw: +- name: Will you collect any data connected to a person, "personal data"? + uuid: 49c009cb-a38c-4836-9780-8a8b3dd1cbac +- name: Do you need a Data Protection Impact Assessment? + uuid: 8915bd25-db22-4ed6-bcc8-b1bbdc52989e +faircookbook: +- name: Licensing Data + url: https://w3id.org/faircookbook/FCB034 +- name: Declaring data permitted uses + url: https://w3id.org/faircookbook/FCB035 +- name: Data Protection Impact Assessment and Data Privacy + url: https://w3id.org/faircookbook/FCB074 +--- + +## How do you protect research data under GDPR? + +### Description + +Where scientific research involves the processing of data concerning people in the European Union (EU), it is subject to the General Data Protection Regulation (GDPR). The GDPR applies a ["special regime"](https://edps.europa.eu/sites/edp/files/publication/20-01-06_opinion_research_en.pdf) to research, providing +derogations from some obligations given appropriate criteria are met and safeguards are in place. The criteria is to follow standards in research method and ethics, as well as to aim societal benefit rather than serving private interests in research. +The safeguards are a multitude and include: + * data collection with informed consent under ethical oversight and accountability; + * ensuring lawful processing and exchange of human-subject information; + * putting in place organisational and technical data protection measures such as encryption and pseudonymisation. 
+ +The practical impact of the GDPR on research is, then, establishing these safeguards within projects. + +### Considerations + +Seek expert help for the interpretation of GDPR legal requirements to practicable measures. + * Research institutes appoint Data Protection Officers (DPO). Before starting a project you should contact your DPO to be informed of GDPR compliance requirements for your institution. + * Each EU country has its own national implementation of the GDPR. If your project involves a multi-national consortium, the requirements of all participating countries need to be met and you should inform the project coordinator of any country-specific requirements. + * Legal offices in research institutes provide model agreements, which cater for various research scenarios and consortia setups. You should inform your local legal office of your project's setup and identify the necessary agreements to be signed. + +Assess your project under the GDPR. + * Determine your GDPR role. Are you a data controller, who determines the purposes and means of the processing, or, are you a data processor, who acts under instructions from the controller? + * If you are a controller, you need to check whether your processing poses high privacy risks for data subjects, and if so, perform a Data Protection Impact Assessment (DPIA). + * The GDPR lists certain data e.g. race, ethnicity, health, genetic, biometric data as [special category](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/how-my-personal-data-protected/how-data-my-religious-beliefs-sexual-orientation-health-political-views-protected_en), requiring it's heightened protection. Your research will be considered high risk processing if it involves special category data or if it includes some specified types of processing. + * A DPIA is often a pre-requisite for ethics applications. Your DPO or local ethics advisory board can help determine whether your project requires a DPIA. 
+ * Performing the DPIA while writing the DMP will allow you to reuse information and save time. + * An outcome of the DPIA will be a listing of risks and corresponding mitigations. Mitigations identify the data protection measures you'll adopt, both technical organisational. + +Apply technical and organisational measures for data protection. These include: + * institutional policies and codes of conduct; + * staff training; + * user authentication, authorisation, data level access control; + * data privacy measures such as pseudonymisation, anonymisation and encryption, + * arrangements that will enable data subjects to exercise their rights. + +Record your data processing. To meet GDPR's accountability requirement you should maintain records on the following: + * project stakeholders and their GDPR roles (controller, processor); + * purpose of your data processing; + * description of data subjects and the data; + * description of data recipients, particularly those outside the EU; + * logs of data transfers to recipients and the safeguards put in place for transfers, such as data sharing agreements; + * time limits for keeping different categories of personal data; + * description of organizational and technical data protection measures. + +### Solution + + * [EU General Data Protection Regulation](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN). + * [European Data Protection Supervisor's "Preliminary opinion on Data Protection and Scientific Research"](https://edps.europa.eu/sites/edp/files/publication/20-01-06_opinion_research_en.pdf) + * [BBMRI-ERIC's Ethical Legal Societal Issues (ELSI) Knowledge Base](https://www.bbmri-eric.eu/elsi/knowledge-base/) contains a glossary, agreement templates and guidance. + * [Data Information System DAISY](https://daisy-demo.elixir-luxembourg.org/) is software tool from ELIXIR that allows the record keeping of data processing activities in research projects. 
+ * [DAWID](https://dawid.elixir-luxembourg.org) is a software tool from ELIXIR that allows generation of tailor-made data sharing agreements + * [Tryggve ELSI Checklist](https://scilifelab-data-guidelines.readthedocs.io/en/latest/docs/general/sensitive_data.html) is a list of Ethical, Legal, and Societal Implications (ELSI) to consider for research projects on human subjects. diff --git a/pages/your_tasks/data_brokering.md b/pages/your_tasks/data_brokering.md index 9dc80aa22..295318c2a 100644 --- a/pages/your_tasks/data_brokering.md +++ b/pages/your_tasks/data_brokering.md 
@@ -36,7 +36,7 @@ There are many aspects to consider when getting started as a broker. * Identify what kind of processing you will handle as a broker, such as (meta)data curation and validation, data masking/anonymisation. * Define the time frame for your commitment and your responsibilities for the data, such as how to handle data loss before delivery, what to do with the data after a successful delivery, how to manage changes to data that has already been delivered, etc. * Identify who is responsible for the data before, during and after delivery, such as the data controller/processor (according to GDPR) and/or intellectual property owner/licensee relationships between the provider and recipient -* Ensure that you will be able to establish contracts/agreements that cover the data and processing that you will handle, such as considerations for [data protection](data_protection), [licensing](licensing), and [compliance](compliance_monitoring). +* Ensure that you will be able to establish contracts/agreements that cover the data and processing that you will handle, such as considerations for [data security](data_security), [licensing](licensing), [GDPR](GDPR_compliance) and general [compliance](compliance_monitoring). * Estimate and secure the resources required to keep your commitment, such as staff with time and necessary skills, accounts, compute, storage and software * Refer to the sections below for considerations related to collecting data from data providers and delivering data to public data repositories. 
@@ -45,7 +45,7 @@ There are many aspects to consider when getting started as a broker. The solutions that you adopt will vary depending on the agreements you have negotiated with data providers and/or recipients. The following are examples of general solutions that would help you comply with regulations and implement good data management practices. * [Data management plan](data_management_plan) – Many questions that you would answer while writing a data management plan can be relevant to answer when you specify the terms of service for your brokering service, such as data storage, data standards, legal and ethical, etc. -* [Data protection](data_protection) – If you are working with data concerning people in the EU, you should make sure to comply with both national and international regulations for data protection. +* [GDPR compliance](GDPR_compliance) – If you are working with data concerning people in the EU, you should make sure to comply with both national and international regulations for data protection. * Apply for brokering permissions at the repository where you plan to submit data. For example, you can have a broker account at ENA; in this case, please visit [ENA Documentation](https://ena-docs.readthedocs.io/en/latest/faq/data_brokering.html) for guidelines on how to apply for such an account. ## Collecting and processing the metadata and data diff --git a/pages/your_tasks/data_security.md b/pages/your_tasks/data_security.md index 38c004bfd..051870f09 100644 --- a/pages/your_tasks/data_security.md +++ b/pages/your_tasks/data_security.md 
@@ -66,58 +66,3 @@ To protect your research data, code, and other information assets you should est * Policies are an important component of data management and they are essential for information security. Organisations use policies to announce to their staff and third parties the expectations, roles and responsibilities in data handling. Policies typically cover data classification, storage/backup, transfer, retention/archival, deletion/destruction, acceptable use of IT platforms and the reporting of security incidents and data breaches. In some cases research data requirements would be addressed in dedicated policies. Therefore, at the planning phase, it is important to understand institutional data policies applicable to the project’s data. If the data is considered sensitive as per the institutional data classification, this will have an impact on the IT platforms that can be used to store and transmit the data as well as the specific procedures to be followed. * Information inventories and documentation is another requirement for projects dealing with sensitive data. At the planning phase you should identify the various categories of data that will be processed in the project e.g. personal health and biomedical data, sensitive habitat data, IP restricted data from the industry. You should document which platforms will be used to process the data and the applicable security measures in case certain measures are applied to restricted classes of data. See the next section for GDPR-specific documentation requirements. See the [Data Sensitivity](/sensitive_data) page for more information on sensitive data. * [ISO/IEC 27001](https://en.wikipedia.org/wiki/ISO/IEC_27001) is an international information security standard adopted by data processing centres worldwide. Some universities and research institutes also acquire an ISO 27001 certification for their IT environments. 
Such certifications allow institutions to consistently and thoroughly identify information security risks and put in place best practice information security controls. These controls would include all above mentioned technical and organisational safeguards and more. - - -## How do you protect research data under GDPR? - -### Description - -Where scientific research involves the processing of data concerning people in the European Union (EU), it is subject to the General Data Protection Regulation (GDPR). The GDPR applies a ["special regime"](https://edps.europa.eu/sites/edp/files/publication/20-01-06_opinion_research_en.pdf) to research, providing -derogations from some obligations given appropriate criteria are met and safeguards are in place. The criteria is to follow standards in research method and ethics, as well as to aim societal benefit rather than serving private interests in research. -The safeguards are a multitude and include: - * data collection with informed consent under ethical oversight and accountability; - * ensuring lawful processing and exchange of human-subject information; - * putting in place organisational and technical data protection measures such as encryption and pseudonymisation. - -The practical impact of the GDPR on research is, then, establishing these safeguards within projects. - -### Considerations - -Seek expert help for the interpretation of GDPR legal requirements to practicable measures. - * Research institutes appoint Data Protection Officers (DPO). Before starting a project you should contact your DPO to be informed of GDPR compliance requirements for your institution. - * Each EU country has its own national implementation of the GDPR. If your project involves a multi-national consortium, the requirements of all participating countries need to be met and you should inform the project coordinator of any country-specific requirements. 
- * Legal offices in research institutes provide model agreements, which cater for various research scenarios and consortia setups. You should inform your local legal office of your project's setup and identify the necessary agreements to be signed. - -Assess your project under the GDPR. - * Determine your GDPR role. Are you a data controller, who determines the purposes and means of the processing, or, are you a data processor, who acts under instructions from the controller? - * If you are a controller, you need to check whether your processing poses high privacy risks for data subjects, and if so, perform a Data Protection Impact Assessment (DPIA). - * The GDPR lists certain data e.g. race, ethnicity, health, genetic, biometric data as [special category](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/how-my-personal-data-protected/how-data-my-religious-beliefs-sexual-orientation-health-political-views-protected_en), requiring it's heightened protection. Your research will be considered high risk processing if it involves special category data or if it includes some specified types of processing. - * A DPIA is often a pre-requisite for ethics applications. Your DPO or local ethics advisory board can help determine whether your project requires a DPIA. - * Performing the DPIA while writing the DMP will allow you to reuse information and save time. - * An outcome of the DPIA will be a listing of risks and corresponding mitigations. Mitigations identify the data protection measures you'll adopt, both technical organisational. - -Apply technical and organisational measures for data protection. These include: - * institutional policies and codes of conduct; - * staff training; - * user authentication, authorisation, data level access control; - * data privacy measures such as pseudonymisation, anonymisation and encryption, - * arrangements that will enable data subjects to exercise their rights. - -Record your data processing. 
To meet GDPR's accountability requirement you should maintain records on the following: - * project stakeholders and their GDPR roles (controller, processor); - * purpose of your data processing; - * description of data subjects and the data; - * description of data recipients, particularly those outside the EU; - * logs of data transfers to recipients and the safeguards put in place for transfers, such as data sharing agreements; - * time limits for keeping different categories of personal data; - * description of organizational and technical data protection measures. - -### Solution - - * [EU General Data Protection Regulation](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN). - * [European Data Protection Supervisor's "Preliminary opinion on Data Protection and Scientific Research"](https://edps.europa.eu/sites/edp/files/publication/20-01-06_opinion_research_en.pdf) - * [BBMRI-ERIC's Ethical Legal Societal Issues (ELSI) Knowledge Base](https://www.bbmri-eric.eu/elsi/knowledge-base/) contains a glossary, agreement templates and guidance. - * [Data Information System DAISY](https://daisy-demo.elixir-luxembourg.org/) is software tool from ELIXIR that allows the record keeping of data processing activities in research projects. - * [DAWID](https://dawid.elixir-luxembourg.org) is a software tool from ELIXIR that allows generation of tailor-made data sharing agreements - * [Tryggve ELSI Checklist](https://scilifelab-data-guidelines.readthedocs.io/en/latest/docs/general/sensitive_data.html) is a list of Ethical, Legal, and Societal Implications (ELSI) to consider for research projects on human subjects. - From e8cd07794b892ef97b8c1b9dcea6d26c90456314 Mon Sep 17 00:00:00 2001 From: Vilem Ded Date: Wed, 24 May 2023 11:38:39 +0200 Subject: [PATCH 03/19] minor edits --- pages/your_tasks/GDPR_compliance.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/pages/your_tasks/GDPR_compliance.md b/pages/your_tasks/GDPR_compliance.md index 9a79b8ac9..63b8937c8 100644 --- a/pages/your_tasks/GDPR_compliance.md +++ b/pages/your_tasks/GDPR_compliance.md @@ -27,8 +27,8 @@ faircookbook: ### Description -Where scientific research involves the processing of data concerning people in the European Union (EU), it is subject to the General Data Protection Regulation (GDPR). The GDPR applies a ["special regime"](https://edps.europa.eu/sites/edp/files/publication/20-01-06_opinion_research_en.pdf) to research, providing -derogations from some obligations given appropriate criteria are met and safeguards are in place. The criteria is to follow standards in research method and ethics, as well as to aim societal benefit rather than serving private interests in research. +Where scientific research involves the processing of data concerning identifiable people in the European Union (EU), it is subject to the General Data Protection Regulation (GDPR). The GDPR applies a ["special regime"](https://edps.europa.eu/sites/edp/files/publication/20-01-06_opinion_research_en.pdf) to research, providing derogations from some obligations given appropriate criteria are met and safeguards are in place. The criteria is to follow standards in research method and ethics, as well as to aim societal benefit rather than serving private interests in research. + The safeguards are a multitude and include: * data collection with informed consent under ethical oversight and accountability; * ensuring lawful processing and exchange of human-subject information; 
@@ -58,7 +58,7 @@ Apply technical and organisational measures for data protection. These include: * data privacy measures such as pseudonymisation, anonymisation and encryption, * arrangements that will enable data subjects to exercise their rights. -Record your data processing. To meet GDPR's accountability requirement you should maintain records on the following: +Record your data processing. To meet GDPR's accountability requirement you should maintain records on the following: * project stakeholders and their GDPR roles (controller, processor); * purpose of your data processing; * description of data subjects and the data; From 96ceadf4633b0ef026480f2f465218b317351d6a Mon Sep 17 00:00:00 2001 From: Vilem Ded Date: Wed, 24 May 2023 11:39:22 +0200 Subject: [PATCH 04/19] minor edits --- pages/your_tasks/GDPR_compliance.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pages/your_tasks/GDPR_compliance.md b/pages/your_tasks/GDPR_compliance.md index 63b8937c8..75900794c 100644 --- a/pages/your_tasks/GDPR_compliance.md +++ b/pages/your_tasks/GDPR_compliance.md 
@@ -49,7 +49,7 @@ Assess your project under the GDPR. * The GDPR lists certain data e.g. race, ethnicity, health, genetic, biometric data as [special category](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/how-my-personal-data-protected/how-data-my-religious-beliefs-sexual-orientation-health-political-views-protected_en), requiring it's heightened protection. Your research will be considered high risk processing if it involves special category data or if it includes some specified types of processing. * A DPIA is often a pre-requisite for ethics applications. Your DPO or local ethics advisory board can help determine whether your project requires a DPIA. * Performing the DPIA while writing the DMP will allow you to reuse information and save time. - * An outcome of the DPIA will be a listing of risks and corresponding mitigations. Mitigations identify the data protection measures you'll adopt, both technical organisational. + * An outcome of the DPIA will be a listing of risks and corresponding mitigations. Mitigations identify the data protection measures you'll adopt, both technical organisational. Apply technical and organisational measures for data protection. These include: * institutional policies and codes of conduct; 
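Review bot: The last DPIA bullet is changed for whitespace only and still ends with "both technical organisational"; add the missing "and" ("both technical and organisational") while the line is in the diff. The special category bullet in the context above has "requiring it's heightened protection", which should be "requiring heightened protection"; a commit titled "minor edits" is a reasonable place to fix both.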
@@ -71,6 +71,7 @@ Record your data processing. To meet GDPR's accountability requirement you shoul * [EU General Data Protection Regulation](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN). * [European Data Protection Supervisor's "Preliminary opinion on Data Protection and Scientific Research"](https://edps.europa.eu/sites/edp/files/publication/20-01-06_opinion_research_en.pdf) + * [GDPR-Carpa - A Luxembourgish certification mechanism according to the GDPR criteria](https://cnpd.public.lu/en/actualites/national/2022/06/adpoption-gdpr-carpa.html) * [BBMRI-ERIC's Ethical Legal Societal Issues (ELSI) Knowledge Base](https://www.bbmri-eric.eu/elsi/knowledge-base/) contains a glossary, agreement templates and guidance. * [Data Information System DAISY](https://daisy-demo.elixir-luxembourg.org/) is software tool from ELIXIR that allows the record keeping of data processing activities in research projects. * [DAWID](https://dawid.elixir-luxembourg.org) is a software tool from ELIXIR that allows generation of tailor-made data sharing agreements From 183d0de052305783fb295c1c48b8cac9abddf301 Mon Sep 17 00:00:00 2001 From: Vilem Ded Date: Wed, 24 May 2023 12:04:20 +0200 Subject: [PATCH 05/19] data security page: update links to faircookbook --- pages/your_tasks/data_security.md | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/pages/your_tasks/data_security.md b/pages/your_tasks/data_security.md index 051870f09..1a8347095 100644 --- a/pages/your_tasks/data_security.md +++ b/pages/your_tasks/data_security.md 
@@ -15,12 +15,14 @@ dsw: - name: Do you need a Data Protection Impact Assessment? uuid: 8915bd25-db22-4ed6-bcc8-b1bbdc52989e faircookbook: -- name: Licensing Data - url: https://w3id.org/faircookbook/FCB034 -- name: Declaring data permitted uses - url: https://w3id.org/faircookbook/FCB035 -- name: Data Protection Impact Assessment and Data Privacy - url: https://w3id.org/faircookbook/FCB074 +- name: Downloading data with Aspera + url: https://w3id.org/faircookbook/FCB015 +- name: Transferring data with SFTP + url: https://w3id.org/faircookbook/FCB014 +- name: How to create checksum files + url: https://w3id.org/faircookbook/FCB052 +- name: How to check file integrity by validating checksums +url: https://w3id.org/faircookbook/FCB053 --- ## How do you ensure that your data is handled securely? From acfc77c5fe845e337996384d68d27e5f6f865b6a Mon Sep 17 00:00:00 2001 From: Vilem Ded Date: Wed, 24 May 2023 12:11:47 +0200 Subject: [PATCH 06/19] linking pages --- pages/your_domain/human_data.md | 2 +- pages/your_tasks/GDPR_compliance.md | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/pages/your_domain/human_data.md b/pages/your_domain/human_data.md index 1efe467be..ce47e708a 100644 --- a/pages/your_domain/human_data.md +++ b/pages/your_domain/human_data.md @@ -4,7 +4,7 @@ description: Data management solutions for human data. contributors: [Niclas Jareborg, Nirupama Benis, Ana Portugal Melo, Pinar Alper, Laura Portell Silva, Wolmar Nyberg Åkerström, Nazeefa Fatima, Teresa D'Altri] page_id: human_data related_pages: - your_tasks: [sensitive] + your_tasks: [sensitive, GDPR_compliance] tool_assembly: [tsd, covid-19, transmed] training: - name: Training in TeSS diff --git a/pages/your_tasks/GDPR_compliance.md b/pages/your_tasks/GDPR_compliance.md index 75900794c..09072947d 100644 --- a/pages/your_tasks/GDPR_compliance.md +++ b/pages/your_tasks/GDPR_compliance.md 
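Review bot: In the faircookbook block added to pages/your_tasks/data_security.md (PATCH 05/19), the last entry's key is added at column 0 ("+url: https://w3id.org/faircookbook/FCB053") while the three entries above indent url under their "- name:" item. At that indentation the key no longer belongs to the "How to check file integrity by validating checksums" entry, so that entry loses its link and the front matter gains a stray top-level url key. Indent it to match the others; PATCH 09/19 ("fix indent") does exactly this, so squash it into this commit rather than leaving a broken intermediate state in the history.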
@@ -5,6 +5,7 @@ description: How to protect your research data, and how to make research data co page_id: gdpr_compliance related_pages: tool_assembly: [tsd, transmed] + your_tasks: [data_security] training: - name: Training in TeSS registry: TeSS From f3e4e10333625d6168c81415733349a60f2488fe Mon Sep 17 00:00:00 2001 From: Vilem Ded Date: Wed, 24 May 2023 12:21:06 +0200 Subject: [PATCH 07/19] data security: update of links to DSW --- pages/your_tasks/data_security.md | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/pages/your_tasks/data_security.md b/pages/your_tasks/data_security.md index 1a8347095..a5f736377 100644 --- a/pages/your_tasks/data_security.md +++ b/pages/your_tasks/data_security.md @@ -10,10 +10,17 @@ training: registry: TeSS url: https://tess.elixir-europe.org/search?q=data+protection#materials dsw: -- name: Will you collect any data connected to a person, "personal data"? - uuid: 49c009cb-a38c-4836-9780-8a8b3dd1cbac -- name: Do you need a Data Protection Impact Assessment? - uuid: 8915bd25-db22-4ed6-bcc8-b1bbdc52989e +- name: Is the risk of information loss, leaks and vandalism acceptably low? + uuid: 614ab69d-55a6-4214-b384-00ba21ce92a1 +- name: Will you monitor data integrity once it has been collected? + uuid: 02b3fed1-0b50-4a80-b8b6-a225a1107022 +- name: Will you be keeping a master list with checksums of certified/correct/canonical/verified data? + uuid: e0759fdc-7ce9-4020-816d-73119f634c7e +- name: Will you make backup copies of project data that is not in the work space? + uuid: 98d9789b-32fc-4e2f-876a-47760ad7c7ec +- name: Are you sure you will not need a backup of the data stored on the scratch file systems (any scratch you use)? + uuid: 3a076e83-73b0-4cdd-bb71-c5d41469a191 + faircookbook: - name: Downloading data with Aspera url: https://w3id.org/faircookbook/FCB015 From d84e07625db38b2cf289550bc5e7f2d674dfd3be Mon Sep 17 00:00:00 2001 
From: Vilem Ded Date: Wed, 24 May 2023 12:22:02 +0200 Subject: [PATCH 08/19] data security: add description --- pages/your_tasks/data_security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pages/your_tasks/data_security.md b/pages/your_tasks/data_security.md index a5f736377..a1b5cc1e9 100644 --- a/pages/your_tasks/data_security.md +++ b/pages/your_tasks/data_security.md @@ -1,7 +1,7 @@ --- title: Data security contributors: [Pinar Alper, Yvonne Kallberg, Vilem Ded, Eva Csosz, Niclas Jareborg] -description: How to protect your research data, and how to make research data compliant to GDPR. +description: How do you ensure that your data is handled securely. page_id: data_security related_pages: tool_assembly: [tsd, transmed] From f99afaac9bee46af5702a7cc704f6500c40f7306 Mon Sep 17 00:00:00 2001 From: Vilem Ded Date: Wed, 24 May 2023 12:24:58 +0200 Subject: [PATCH 09/19] fix indent --- pages/your_tasks/data_security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pages/your_tasks/data_security.md b/pages/your_tasks/data_security.md index a1b5cc1e9..52aa1e643 100644 --- a/pages/your_tasks/data_security.md +++ b/pages/your_tasks/data_security.md @@ -29,7 +29,7 @@ faircookbook: - name: How to create checksum files url: https://w3id.org/faircookbook/FCB052 - name: How to check file integrity by validating checksums -url: https://w3id.org/faircookbook/FCB053 + url: https://w3id.org/faircookbook/FCB053 --- ## How do you ensure that your data is handled securely? From 358fa81434663c18bf2f3da918a9c771d4bebe3c Mon Sep 17 00:00:00 2001 From: Bert Droesbeke <44875756+bedroesb@users.noreply.github.com> Date: Thu, 15 Jun 2023 10:36:55 +0200 Subject: [PATCH 10/19] Update data_steward_research.md --- pages/your_role/data_steward_research.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pages/your_role/data_steward_research.md b/pages/your_role/data_steward_research.md index 317d1b5c4..fe4a9441f 100644 
--- a/pages/your_role/data_steward_research.md +++ b/pages/your_role/data_steward_research.md @@ -4,7 +4,7 @@ description: Data Steward with focus on management of research data. contributors: [Mijke Jetten, Federico Bianchini, Gregoire Rossier, Erik Hjerde, Siiri Fuchs, Minna Ahokas, Priit Adler, Alexander Botzki, Robert Andrews, Celia van Gelder, Daniel Wibberg, Graham Hughes, Marko Vidak, Pedro Fernandes, Pinar Alper, Victoria Dominguez D. Angel, Wolmar Nyberg Åkerström, Alexia Cardona] page_id: data_manager related_pages: - your_tasks: [compliance, dmp, data_organisation, licensing, metadata, data_securitys, data_publication, data_quality, transfer, identifiers, machine_actionability, dm_coordination, data_provenance] + your_tasks: [compliance, dmp, data_organisation, licensing, metadata, data_security, data_publication, data_quality, transfer, identifiers, machine_actionability, dm_coordination, data_provenance] training: - name: TeSS - ELIXIR’s training portal registry: TeSS From c6b3cf7380557e7c2e22a9bba18a3b6910cf5038 Mon Sep 17 00:00:00 2001 From: Bert Droesbeke <44875756+bedroesb@users.noreply.github.com> Date: Thu, 15 Jun 2023 10:41:36 +0200 Subject: [PATCH 11/19] Rename data_security.md to data_protection.md --- pages/your_tasks/{data_security.md => data_protection.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename pages/your_tasks/{data_security.md => data_protection.md} (100%) diff --git a/pages/your_tasks/data_security.md b/pages/your_tasks/data_protection.md similarity index 100% rename from pages/your_tasks/data_security.md rename to pages/your_tasks/data_protection.md From aa84d788420369a557afef03bc1010797f30318f Mon Sep 17 00:00:00 2001 From: Bert Droesbeke <44875756+bedroesb@users.noreply.github.com> Date: Thu, 15 Jun 2023 10:52:34 +0200 Subject: [PATCH 12/19] Update main_tool_and_resource_list.csv --- _data/main_tool_and_resource_list.csv | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) 
diff --git a/_data/main_tool_and_resource_list.csv b/_data/main_tool_and_resource_list.csv index a020b576e..1338110a7 100644 --- a/_data/main_tool_and_resource_list.csv +++ b/_data/main_tool_and_resource_list.csv @@ -19,7 +19,7 @@ b2share,https://b2share.eudat.eu/,Store and publish your research data. Can be u BacDive,https://bacdive.dsmz.de,A searchable database for bacteria specific information,,micro_biotech Bacillus Genetic Stock Center (BGSC),http://www.bgsc.org/,A repository specific to Bacillus strains,biotools:NA,micro_biotech BASE,https://www.base-search.net/,A search engine for academic web resources,,existing_data -BBMRI-ERIC's ELSI Knowledge Base,https://www.bbmri-eric.eu/elsi/knowledge-base/,The ELSI Knowledge Base is an open-access resource platform that aims at providing practical know-how for responsible research.,,"data_protection, sensitive, policy_officer, data_manager, human_data" +BBMRI-ERIC's ELSI Knowledge Base,https://www.bbmri-eric.eu/elsi/knowledge-base/,The ELSI Knowledge Base is an open-access resource platform that aims at providing practical know-how for responsible research.,,"data_security, sensitive, policy_officer, data_manager, human_data" Beacon,https://beacon-project.io/,The Beacon protocol defines an open standard for genomics data discovery.,biotools:ga4gh_beacon,"researcher, data_manager, it_support, human_data" Benchling,https://www.benchling.com,R&D Platform for Life Sciences,,micro_biotech BIAFLOWS,https://biaflows.neubias.org/,BIAFLOWS is an open-soure web framework to reproducibly deploy and benchmark bioimage analysis workflows,biotools:biaflows,data_analysis 
@@ -80,7 +80,7 @@ CS3,https://www.cs3community.org/,Cloud Storage Services for Synchronization and CTD,http://ctdbase.org/,A database that aims to advance understanding about how environmental exposures affect human health.,biotools:ctd,toxicology_data cURL,https://curl.se,Command line tool and library for transferring data with URLs,,"transfer, it_support" Cytomine-IMS,https://github.com/cytomine/Cytomine-IMS,Image Data management,,"data_manager, bioimaging_data" -DAISY,https://daisy-demo.elixir-luxembourg.org,Data Information System to keep sensitive data inventory and meet GDPR accountability requirement.,biotools:Data_Information_System_DAISY,"it_support, policy_officer, human_data, data_protection, transmed" +DAISY,https://daisy-demo.elixir-luxembourg.org,Data Information System to keep sensitive data inventory and meet GDPR accountability requirement.,biotools:Data_Information_System_DAISY,"it_support, policy_officer, human_data, data_security, transmed" DAMAP,https://damap.org/,"It guides you step by step through a DMP and lets you export a pre-filled DMP as a Word document that you can customize and use for submission to funders. Also, DAMAP is compatible with the RDA recommendation for machine-actionable DMPs and offers an export of JSON DMPs. DAMAP is open source and to be self deployed.",,"dmp, researcher, data_manager" Data Catalog,https://datacatalog.elixir-luxembourg.org/,"Unique collection of project-level metadata from large research initiatives in a diverse range of fields, including clinical, molecular and observational studies. Its aim is to improve the findability of these projects following FAIR data principles.",fairsharing:NA,"metadata, transmed" Data Catalog Vocabulary (DCAT),https://www.w3.org/TR/vocab-dcat-2/,DCAT is an RDF vocabulary designed to facilitate interoperability between data catalogs published on the Web.,,"machine_actionability, it_support, rare_disease" 
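Review bot: Retagging DAISY from data_protection to data_security looks like the wrong target. Its description is "meet GDPR accountability requirement", and this series lists it under Solution in pages/your_tasks/GDPR_compliance.md, not on the data security page. If these tags decide which page a tool is listed on, use the GDPR compliance page id here (or both ids); the same question applies to the DAWID, DPIA Knowledge Model and MONARC rows changed in this file.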
@@ -92,7 +92,7 @@ Data Use Ontology,https://github.com/EBISPOT/DUO,DUO allows to semantically tag data.world Data License list,https://help.data.world/hc/en-us/articles/115006114287-Common-license-types-for-datasets,Overview of typical licenses used for data resources,,"licensing, biomol_sim" DataCite,https://search.datacite.org/,A search engine for the complete collection of publicly available DataCite DOIs,fairsharing:yknezb,existing_data DATAVERSE,https://dataverse.org/,Open source research data respository software.,fairsharing:NA,"storage, researcher, data_manager, it_support, ifb" -DAWID,https://dawid.elixir-luxembourg.org/,The Data Agreement Wizard is a tool developed by ELIXIR-Luxembourg to facilitate data sharing agreements.,,"data_protection, policy_officer, human_data" +DAWID,https://dawid.elixir-luxembourg.org/,The Data Agreement Wizard is a tool developed by ELIXIR-Luxembourg to facilitate data sharing agreements.,,"data_security, policy_officer, human_data" dbGAP,https://www.ncbi.nlm.nih.gov/gap/,The database of Genotypes and Phenotypes (dbGaP) archives and distributes data from studies investigating the interaction of genotype and phenotype in Humans,fairsharing:88v2k0,"data_publication, researcher, it_support, human_data" DisGeNET,https://www.disgenet.org/,A discovery platform containing collections of genes and variants associated to human diseases.,biotools:disgenet,"data_analysis, human_data, researcher, toxicology_data" DisProt,https://disprot.org/,A database of intrinsically disordered proteins,biotools:disprot,"idp, researcher" 
@@ -102,7 +102,7 @@ DMPRoadmap,https://github.com/DMPRoadmap/roadmap,DMP Roadmap is a Data Managemen DMPTool,https://dmptool.org,Build your Data Management Plan,,"dmp, researcher, data_manager" DNA Data Bank of Japan (DDBJ),https://www.ddbj.nig.ac.jp/index-e.html,A database of DNA sequences,,micro_biotech Docker,https://www.docker.com/,"Docker is a software for the execution of applications in virtualized environments called containers. It is linked to DockerHub, a library for sharing container images",fairsharing-coll:bsg-d001254,"it_support, data_analysis" -DPIA Knowledge Model,https://converge.ds-wizard.org/knowledge-models/elixir.lu:dpia-research:0.1.0,A DSW knowledge model guiding users through a set of questions to collect information necessary for a research project Data Protection Impact Assessment (DPIA).,,"data_protection, policy_officer, human_data" +DPIA Knowledge Model,https://converge.ds-wizard.org/knowledge-models/elixir.lu:dpia-research:0.1.0,A DSW knowledge model guiding users through a set of questions to collect information necessary for a research project Data Protection Impact Assessment (DPIA).,,"data_security, policy_officer, human_data" Dropbox,https://www.dropbox.com/?landing=dbv2,Cloud storage and file sharing service,,"storage, it_support, transfer" Drug Matrix,https://ntp.niehs.nih.gov/data/drugmatrix/,A toxicogenomic resource that provides access to the gene expression profiles of over 600 different compounds in several cell types from rats and primary rat hepatocytes.,,toxicology_data Dryad,https://datadryad.org/,"Open-source, community-led data curation, publishing, and preservation platform for CC0 publicly available research data",fairsharing:wkggtx,"data_publication, biomol_sim, bioimaging_data" 
@@ -123,8 +123,8 @@ ENA upload tool,https://github.com/usegalaxy-eu/ena-upload-cli,The program submi Ensembl,https://www.ensembl.org/index.html,"Genome browser for vertebrate genomes that supports research in comparative genomics, evolution, sequence variation and transcriptional regulation.",fairsharing:fx0mw7, Ensembl Genomes,https://ensemblgenomes.org/,"Comparative analysis, data mining and visualisation for the genomes of non-vertebrate species",fairsharing:923a0p, Ensembl Plants,https://plants.ensembl.org/,Open-access database of full genomes of plant species.,fairsharing:j8g2cv,"plant_geno_assembly, plants" -ERPA,https://gitlab.sib.swiss/clinbio/erpa-app,Web-based tool allowing users to create and manage a register of personal data processing activities (ROPA).,,"policy_officer, human_data, data_protection" -EU General Data Protection Regulation,https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN,"Regulation (eu) 2016/679 of the european parliament and of the council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing directive 95/46/ec (general data protection regulation).",,"data_protection, policy_officer, human_data, tsd" +ERPA,https://gitlab.sib.swiss/clinbio/erpa-app,Web-based tool allowing users to create and manage a register of personal data processing activities (ROPA).,,"policy_officer, human_data, data_security" +EU General Data Protection Regulation,https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN,"Regulation (eu) 2016/679 of the european parliament and of the council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing directive 95/46/ec (general data protection regulation).",,"data_security, policy_officer, human_data, tsd" EUDAT licence selector wizard,https://ufal.github.io/public-license-selector/,EUDAT's wizard 
for finding the right licence for your data or code.,,"licensing, researcher, data_manager, policy_officer" EudraVigilance,https://www.ema.europa.eu/en/human-regulatory/research-development/pharmacovigilance/eudravigilance,The European database of suspected adverse drug reaction reports is a public resource aimed to provide access to reported suspected side-effects of drugs. Side-effects are defined according to the MedDRA ontology.,,toxicology_data EUPID,https://eupid.eu/#/concept,"EUPID provides a method for identity management, pseudonymisation and record linkage to bridge the gap between multiple contexts.",,"it_support, policy_officer, human_data" 
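Review bot: The EU General Data Protection Regulation row is rewritten in this hunk but its description still carries lower-cased proper nouns: "Regulation (eu) 2016/679 of the european parliament and of the council", "directive 95/46/ec (general data protection regulation)". Restore the official capitalisation while the line is being touched: "Regulation (EU) 2016/679 of the European Parliament and of the Council ... repealing Directive 95/46/EC (General Data Protection Regulation)".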
@@ -158,7 +158,7 @@ Free-IPA,https://www.freeipa.org/,FreeIPA is an integrated Identity and Authenti Freegenes,https://stanford.freegenes.org/collections/open-genes,Repository of IP-free synthetic biological parts,,micro_biotech GA4GH Data Security Toolkit,https://www.ga4gh.org/genomic-data-toolkit/data-security-toolkit/,Principled and practical framework for the responsible sharing of genomic and health-related data.,,"data_publication, policy_officer, data_manager, it_support, human_data, sensitive" GA4GH Genomic Data Toolkit,https://www.ga4gh.org/genomic-data-toolkit/,Open standards for genomic data sharing.,,"data_manager, it_support, human_data" -GA4GH Regulatory and Ethics toolkit,https://www.ga4gh.org/genomic-data-toolkit/regulatory-ethics-toolkit/,Framework for Responsible Sharing of Genomic and Health-Related Data,,"data_protection, sensitive, policy_officer, data_manager, it_support, human_data" +GA4GH Regulatory and Ethics toolkit,https://www.ga4gh.org/genomic-data-toolkit/regulatory-ethics-toolkit/,Framework for Responsible Sharing of Genomic and Health-Related Data,,"data_security, sensitive, policy_officer, data_manager, it_support, human_data" Galaxy,https://galaxyproject.org/,"Open, web-based platform for data intensive biomedical research. Whether on the free public server or your own instance, you can perform, reproduce, and share complete analyses.",biotools:galaxy,"nels, marine_assembly, data_analysis, researcher, it_support, ifb, galaxy" GenBank,https://www.ncbi.nlm.nih.gov/genbank/,A database of genetic sequence information. GenBank may also refer to the data format used for storing information around genetic sequence data.,,micro_biotech Gene Expression Omnibus (GEO),https://www.ncbi.nlm.nih.gov/geo/,A repository of MIAME-compliant genomics data from arrays and high-throughput sequencing,,"micro_biotech, data_publication, metadata, transfer, ome, bioimaging_data, toxicology_data" 
@@ -195,7 +195,7 @@ IRIS,https://www.epa.gov/iris,The Integrated Risk Information System (IRIS) reso iRODS,https://irods.org/,Integrated Rule-Oriented Data System (iRODS) is open source data management software for a cancer genome analysis workflow.,biotools:irods,"storage, it_support, transmed, bioimaging_data" ISA-tools,https://isa-tools.org/,"Open source framework and tools helping to manage a diverse set of life science, environmental and biomedical experiments using the Investigation Study Assay (ISA) standard",fairsharing:53gp75,"it_support, data_manager, micro_biotech, machine_actionability" ISA4J,https://doi.org/10.12688/f1000research.27188.1,Open source software library that can be used to generate a ISA-TAB export from in-house data sets. These comprises e.g. local database or local file system based experimental.,biotools:isa4j,"plants, machine_actionability, plant_pheno_assembly" -ISO/IEC 27001,https://en.wikipedia.org/wiki/ISO/IEC_27001,International information security standard,,"data_protection, policy_officer, human_data" +ISO/IEC 27001,https://en.wikipedia.org/wiki/ISO/IEC_27001,International information security standard,,"data_security, policy_officer, human_data" IUPAC-IUBMB Joint Commission on Biochemical Nomenclature (JCBN),https://www.qmul.ac.uk/sbcs/iupac/jcbn/,A collaborative resource from IUPAC and IUBMB for naming standards in biochemistry,,micro_biotech JBEI-ICE,https://ice.jbei.org,A registry platform for biological parts,,micro_biotech Jupyter,https://jupyter.org,"Jupyter notebooks allow to share code, documentation",,"it_support, data_analysis" 
@@ -227,7 +227,7 @@ MoDEL-CNS,https://mmb.irbbarcelona.org/MoDEL-CNS/#/,Repository for Central Nervo ModelArchive,https://www.modelarchive.org/,Repository for theoretical models of macromolecular structures with DOIs for models,fairsharing:tpqndj,"biomol_sim, struct_bioinfo, data_publication" MOLGENIS,https://molgenis.gitbooks.io/molgenis/content/,"Molgenis is a modular web application for scientific data. Molgenis provides researchers with user friendly and scalable software infrastructures to capture, exchange, and exploit the large amounts of data that is being produced by scientific organisations all around the world.",biotools:molgenis,"identifiers, it_support, data_manager" MolMeDB,https://molmedb.upol.cz/,Database about interactions of molecules with membranes,"biotools:MolMeDB, fairsharing:cwzk3c",biomol_sim -MONARC,https://open-source-security-software.net/project/MONARC,A risk assessment tool that can be used to do Data Protection Impact Assessments,fairsharing:NA,"data_protection, policy_officer, human_data, transmed" +MONARC,https://open-source-security-software.net/project/MONARC,A risk assessment tool that can be used to do Data Protection Impact Assessments,fairsharing:NA,"data_security, policy_officer, human_data, transmed" MRI2DICOM,https://github.com/szullino/XNAT-PIC,"a Magnetic Resonance Imaging (MRI) converter from ParaVision® (Bruker, Inc. 
Billerica, MA) file format to DICOM standard",,"researcher, data_manager, xnat-pic" Multi-Crop Passport Descriptor (MCPD),https://www.bioversityinternational.org/e-library/publications/detail/faobioversity-multi-crop-passport-descriptors-v21-mcpd-v21/,The Multi-Crop Passport Descriptor is the metadata standard for plant genetic resources maintained ex situ by genbanks.,"biotools:NA, fairsharing:hn155r","metadata, researcher, it_support, policy_officer, plants, plant_pheno_assembly, plant_geno_assembly" MyTARDIS,http://www.mytardis.org/,A file-system based platform handling the transfer of data,,"data_manager, transfer, bioimaging_data" 
@@ -331,7 +331,7 @@ Tox21_Toolbox,https://ntp.niehs.nih.gov/whatwestudy/tox21/toolbox/index.html,"Th ToxCast_data,https://www.epa.gov/chemical-research/exploring-toxcast-data-downloadable-data,"The Toxicology in the 21st Century program, or Tox21, is a unique collaboration between several federal agencies to develop new ways to rapidly test whether substances adversely affect human health. This portal contains diverse downloadable results of the ToxCast project.",,toxicology_data TOXNET,https://www.nlm.nih.gov/toxnet/index.html,"The Toxicology Data Network (TOXNET) was a portal that allowed access to several relevant sources in the toxicological field. Nowadays, these sources have been integrated into other NLM resources.",,toxicology_data tranSMART,https://github.com/transmart,"Knowledge management and high-content analysis platform enabling analysis of integrated data for the purposes of hypothesis generation, hypothesis validation, and cohort discovery in translational research.",biotools:transmart,"researcher, data_manager, data_analysis, storage, transmed" -Tryggve ELSI Checklist,https://scilifelab-data-guidelines.readthedocs.io/en/latest/docs/general/sensitive_data.html,"A list of Ethical, Legal, and Societal Implications (ELSI) to consider for research projects on human subjects",,"sensitive, policy_officer, data_manager, human_data, nels, csc, tsd, data_protection" +Tryggve ELSI Checklist,https://scilifelab-data-guidelines.readthedocs.io/en/latest/docs/general/sensitive_data.html,"A list of Ethical, Legal, and Societal Implications (ELSI) to consider for research projects on human subjects",,"sensitive, policy_officer, data_manager, human_data, nels, csc, tsd, data_security" TU Delft data management costing tool,https://www.tudelft.nl/en/library/research-data-management/r/plan/data-management-costs,TU Delft costing tool helps to budget for data management personnel costs in proposals.,,costs TXG-MAPr,https://txg-mapr.eu/,"A tool that contains weighted gene 
co-expression networks obtained from the Primary Human Hepatocytes, rat kidney, and liver TG-GATEs dataset.",,"data_analysis, researcher, toxicology_data" UK Data Service Data Management costing Tool,https://ukdataservice.ac.uk/learning-hub/research-data-management/plan-to-share/costing/,UK Data Service activity-based costing tool.,,costs From 226e819ba20faa12196fbb1a01ebff21da8612b3 Mon Sep 17 00:00:00 2001 From: bedroesb Date: Tue, 22 Aug 2023 14:21:24 +0200 Subject: [PATCH 13/19] lower case --- pages/data_life_cycle/sharing.md | 2 +- pages/national_resources/no_resources.md | 2 +- pages/tool_assembly/csc_assembly.md | 2 +- pages/tool_assembly/transmed_assembly.md | 2 +- pages/tool_assembly/tsd_assembly.md | 2 +- pages/your_domain/human_data.md | 4 ++-- pages/your_tasks/data_brokering.md | 4 ++-- pages/your_tasks/{GDPR_compliance.md => gdpr_compliance.md} | 0 8 files changed, 9 insertions(+), 9 deletions(-) rename pages/your_tasks/{GDPR_compliance.md => gdpr_compliance.md} (100%) diff --git a/pages/data_life_cycle/sharing.md b/pages/data_life_cycle/sharing.md index fe258bc9c..d134744ab 100644 --- a/pages/data_life_cycle/sharing.md +++ b/pages/data_life_cycle/sharing.md @@ -4,7 +4,7 @@ page_id: share description: Introduction to data sharing. contributors: [Flora D'Anna, Bert Droesbeke, Niclas Jareborg, Ulrike Wittig] related_pages: - your_tasks: [GDPR_compliance, data_security, data_brokering, data_publication, transfer, identifiers, licensing, metadata, sensitive] + your_tasks: [gdpr_compliance, data_security, data_brokering, data_publication, transfer, identifiers, licensing, metadata, sensitive] training: - name: Training in TeSS registry: TeSS diff --git a/pages/national_resources/no_resources.md b/pages/national_resources/no_resources.md index 2d7451834..9f609440a 100644 --- a/pages/national_resources/no_resources.md +++ b/pages/national_resources/no_resources.md 
@@ -132,7 +132,7 @@ national_resources: how_to_access: Through Feide, only if you are based at the UiB related_pages: your_domain: [human_data] - your_tasks: [data_security, GDPR_compliance, sensitive] + your_tasks: [data_security, gdpr_compliance, sensitive] your_role: [policy_maker, data_steward] url: https://rette.app.uib.no/ - name: DataverseNO diff --git a/pages/tool_assembly/csc_assembly.md b/pages/tool_assembly/csc_assembly.md index 27e6c334b..1b2c0359c 100644 --- a/pages/tool_assembly/csc_assembly.md +++ b/pages/tool_assembly/csc_assembly.md @@ -5,7 +5,7 @@ description: The Center of Science (CSC) provides high-quality ICT expert servic page_id: csc affiliations: [FI, CSC, ELIXIR Europe] related_pages: - your_tasks: [sensitive, dmp, data_security, GDPR_compliance, storage, data_publication, data_transfer, data_analysis] + your_tasks: [sensitive, dmp, data_security, gdpr_compliance, storage, data_publication, data_transfer, data_analysis] your_domain: [human_data] training: - name: Training in TeSS diff --git a/pages/tool_assembly/transmed_assembly.md b/pages/tool_assembly/transmed_assembly.md index 0afd795dd..413ef6e37 100644 --- a/pages/tool_assembly/transmed_assembly.md +++ b/pages/tool_assembly/transmed_assembly.md @@ -5,7 +5,7 @@ description: TransMed tool assembly from ELIXIR Luxembourg supports projects in page_id: transmed affiliations: [ELIXIR Europe, LU] related_pages: - your_tasks: [compliance, storage, metadata, data_organisation, data_analysis, sensitive, GDPR_compliance, dmp] + your_tasks: [compliance, storage, metadata, data_organisation, data_analysis, sensitive, gdpr_compliance, dmp] your_domain: [human_data] --- diff --git a/pages/tool_assembly/tsd_assembly.md b/pages/tool_assembly/tsd_assembly.md index f099f70e8..e7257c7f9 100644 --- a/pages/tool_assembly/tsd_assembly.md +++ b/pages/tool_assembly/tsd_assembly.md 
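Review bot: In the pages/tool_assembly/csc_assembly.md hunk, the your_tasks list being rewritten contains data_transfer, while sharing.md, tsd_assembly.md, data_steward_research.md and the tags in main_tool_and_resource_list.csv all use transfer. If related pages are matched on page_id, that entry points at nothing. Since this commit already normalises ids on the same line, check it and change it to transfer if that is the intended page.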
@@ -5,7 +5,7 @@ description: The Sensitive Data Service (TSD) provides a platform to store, comp page_id: tsd affiliations: ["NO", ELIXIR Europe, University of Oslo] related_pages: - your_tasks: [dmp, storage, sensitive, data_security, GDPR_compliance, transfer] + your_tasks: [dmp, storage, sensitive, data_security, gdpr_compliance, transfer] your_domain: [human_data] training: - name: Documentation for the HPC cluster diff --git a/pages/your_domain/human_data.md b/pages/your_domain/human_data.md index ffb385e31..9549cdbbd 100644 --- a/pages/your_domain/human_data.md +++ b/pages/your_domain/human_data.md @@ -4,7 +4,7 @@ description: Data management solutions for human data. contributors: [Niclas Jareborg, Nirupama Benis, Ana Portugal Melo, Pinar Alper, Laura Portell Silva, Wolmar Nyberg Åkerström, Nazeefa Fatima, Teresa D'Altri] page_id: human_data related_pages: - your_tasks: [sensitive, GDPR_compliance] + your_tasks: [sensitive, gdpr_compliance] tool_assembly: [tsd, covid-19, transmed] training: - name: Training in TeSS 
@@ -57,7 +57,7 @@ When working with human data, you must follow established research ethical guide * The [Global Alliance for Genomics and Health (GA4GH)](https://www.ga4gh.org) has recommendations for these issues in their [GA4GH regulatory and ethical toolkit](https://www.ga4gh.org/genomic-data-toolkit/regulatory-ethics-toolkit/), see for instance the {% tool "consent-clauses-for-genomic-research" %}. * Personal data protection legislation: * **Within the EU.** If you are performing human data research in the EU, or your data subjects are located in the EU, then you must adhere to the General Data Protection Regulation - GDPR. - * Requirements for research that fall under the GDPR are outlined in the [RDMkit GDPR compliance page](GDPR_compliance). + * Requirements for research that fall under the GDPR are outlined in the [RDMkit GDPR compliance page](gdpr_compliance). * Attributes of the data determines data sensitivity and sensitivity affects the considerations for data handling. The [RDMkit Data Sensitivity page](sensitive_data) provides guidance on determining and reducing data sensitivity. * **Outside the EU.** For countries outside the EU, the {% tool "international-compilation-of-human-research-standards" %} list relevant legislations. diff --git a/pages/your_tasks/data_brokering.md b/pages/your_tasks/data_brokering.md index d0308b548..1f1678484 100644 --- a/pages/your_tasks/data_brokering.md +++ b/pages/your_tasks/data_brokering.md 
@@ -36,7 +36,7 @@ There are many aspects to consider when getting started as a broker. * Identify what kind of processing you will handle as a broker, such as (meta)data curation and validation, data masking/anonymisation. * Define the time frame for your commitment and your responsibilities for the data, such as how to handle data loss before delivery, what to do with the data after a successful delivery, how to manage changes to data that has already been delivered, etc. * Identify who is responsible for the data before, during and after delivery, such as the data controller/processor (according to GDPR) and/or intellectual property owner/licensee relationships between the provider and recipient -* Ensure that you will be able to establish contracts/agreements that cover the data and processing that you will handle, such as considerations for [data security](data_security), [licensing](licensing), [GDPR](GDPR_compliance) and general [compliance](compliance_monitoring). +* Ensure that you will be able to establish contracts/agreements that cover the data and processing that you will handle, such as considerations for [data security](data_security), [licensing](licensing), [GDPR](gdpr_compliance) and general [compliance](compliance_monitoring). * Estimate and secure the resources required to keep your commitment, such as staff with time and necessary skills, accounts, compute, storage and software * Refer to the sections below for considerations related to collecting data from data providers and delivering data to public data repositories. 
@@ -45,7 +45,7 @@ There are many aspects to consider when getting started as a broker. The solutions that you adopt will vary depending on the agreements you have negotiated with data providers and/or recipients. The following are examples of general solutions that would help you comply with regulations and implement good data management practices. * [Data management plan](data_management_plan) – Many questions that you would answer while writing a data management plan can be relevant to answer when you specify the terms of service for your brokering service, such as data storage, data standards, legal and ethical, etc. -* [GDPR compliance](GDPR_compliance) – If you are working with data concerning people in the EU, you should make sure to comply with both national and international regulations for data protection. +* [GDPR compliance](gdpr_compliance) – If you are working with data concerning people in the EU, you should make sure to comply with both national and international regulations for data protection. * Apply for brokering permissions at the repository where you plan to submit data. For example, you can have a broker account at ENA; in this case, please visit [ENA Documentation](https://ena-docs.readthedocs.io/en/latest/faq/data_brokering.html) for guidelines on how to apply for such an account. ## Collecting and processing the metadata and data diff --git a/pages/your_tasks/GDPR_compliance.md b/pages/your_tasks/gdpr_compliance.md similarity index 100% rename from pages/your_tasks/GDPR_compliance.md rename to pages/your_tasks/gdpr_compliance.md From a23682e4d6eb6b69c680fbce0957dd589a5008aa Mon Sep 17 00:00:00 2001 
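Review bot: The rename of pages/your_tasks/GDPR_compliance.md to gdpr_compliance.md in PATCH 13/19 is recorded at 100% similarity, so the page gets no `redirect_from` entry for its old slug, and existing external links or bookmarks to the `GDPR_compliance` URL stop resolving once the site is served from a case-sensitive path. Add `redirect_from: GDPR_compliance` to the front matter of gdpr_compliance.md, the same mechanism the series uses for `data_protection`. Because this is a case-only rename, also confirm that the result is correct on a checkout with a case-insensitive filesystem, where the old and new names refer to the same file.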
From: bedroesb Date: Tue, 22 Aug 2023 14:34:03 +0200 Subject: [PATCH 14/19] apply similar changes to data_sensitivity --- _data/sidebars/data_management.yml | 4 ++-- pages/tool_assembly/csc_assembly.md | 2 +- pages/tool_assembly/omero_assembly.md | 2 +- pages/tool_assembly/tsd_assembly.md | 4 ++-- pages/your_domain/human_data.md | 2 +- pages/your_domain/human_pathogen_genomics.md | 4 ++-- pages/your_role/policy_maker.md | 4 ++-- pages/your_role/principal_investigator.md | 2 +- pages/your_role/research_software_engineer.md | 4 ++-- pages/your_tasks/data_publication.md | 2 +- pages/your_tasks/{data_protection.md => data_security.md} | 3 ++- pages/your_tasks/{sensitive_data.md => data_sensitivity.md} | 1 + pages/your_tasks/existing_data.md | 2 +- pages/your_tasks/gdpr_compliance.md | 2 +- 14 files changed, 20 insertions(+), 18 deletions(-) rename pages/your_tasks/{data_protection.md => data_security.md} (99%) rename pages/your_tasks/{sensitive_data.md => data_sensitivity.md} (99%) diff --git a/_data/sidebars/data_management.yml b/_data/sidebars/data_management.yml index ae51556ff..691b73b6b 100644 --- a/_data/sidebars/data_management.yml +++ b/_data/sidebars/data_management.yml @@ -76,6 +76,8 @@ subitems: url: /data_organisation - title: Data security url: /data_security + - title: Data sensitivity + url: /data_sensitivity - title: Data provenance url: /data_provenance - title: Data publication @@ -96,8 +98,6 @@ subitems: url: /licensing - title: Machine actionability url: /machine_actionability - - title: Data sensitivity - url: /sensitive_data - title: Tool assembly description: Find concrete combinations of tools and resources assembled into an ecosystem for research data management. url: /tool_assembly diff --git a/pages/tool_assembly/csc_assembly.md b/pages/tool_assembly/csc_assembly.md index 1b2c0359c..5f42a8ecd 100644 --- a/pages/tool_assembly/csc_assembly.md +++ b/pages/tool_assembly/csc_assembly.md 
@@ -54,7 +54,7 @@ When you start [collecting](collecting) data and need a storing environment wher ### Data processing and analysis -For [processing](processing), [analysing](analysing) and [storing data](storage) during the research project, CSC offers several [computing platforms](https://research.csc.fi/computing). These include both environments for non-sensitive and [sensitive data](sensitive_data). Depending on your needs, you can choose from a wide variety of computing resources: use [Chipster](https://chipster.csc.fi/) software for high-throughput data such as RNA-seq and single cell RNA-seq, build your own custom virtual machine, or utilise the full power of our world-class supercomputers. +For [processing](processing), [analysing](analysing) and [storing data](storage) during the research project, CSC offers several [computing platforms](https://research.csc.fi/computing). These include both environments for non-sensitive and [sensitive data](data_sensitivity). Depending on your needs, you can choose from a wide variety of computing resources: use [Chipster](https://chipster.csc.fi/) software for high-throughput data such as RNA-seq and single cell RNA-seq, build your own custom virtual machine, or utilise the full power of our world-class supercomputers. Supercomputers Puhti and Mahti can be used for larger scale analysis and simulations. They will soon be accompanied with the world-class supercomputer {% tool "lumi" %}. Pouta and Rahti cloud computing services offer more flexibility, allowing the user to manage the infrastructure. CSC's computers have a wide range of [preinstalled scientific software and databases](https://research.csc.fi/bioscience-programs) with usage instructions. diff --git a/pages/tool_assembly/omero_assembly.md b/pages/tool_assembly/omero_assembly.md index 9a887de11..4ec863f53 100644 --- a/pages/tool_assembly/omero_assembly.md +++ b/pages/tool_assembly/omero_assembly.md 
@@ -39,7 +39,7 @@ Recommendations and software tools are being developed to capture acquisition me ## Who is OMERO intended for? -OMERO is designed to be an institutional repository. It offers a secure central way for scientists, researchers and data stewards to handle their imaging data. All the image data from a facility can be securely stored and managed, using group permissions and user roles to allow controlled access tailored to your institution. From private repositories for [sensitive data](sensitive_data) to hosting public data for your website and latest publications, the permissions model is designed to meet the range of researchers’ needs. OMERO is tried and tested in hundreds of institutions world-wide, with extensive installation and configuration documentation for system administrators and community support via dedicated mailing lists and forums. +OMERO is designed to be an institutional repository. It offers a secure central way for scientists, researchers and data stewards to handle their imaging data. All the image data from a facility can be securely stored and managed, using group permissions and user roles to allow controlled access tailored to your institution. From private repositories for [sensitive data](data_sensitivity) to hosting public data for your website and latest publications, the permissions model is designed to meet the range of researchers’ needs. OMERO is tried and tested in hundreds of institutions world-wide, with extensive installation and configuration documentation for system administrators and community support via dedicated mailing lists and forums. The OMERO platform uses a Group/User permission system. ​​The degree to which their data is available to other members of the group depends on the permissions settings for that group. Whenever a user logs on to an OMERO server, they are connected under one of their groups. 
All data they import and any work that is done is assigned to the current group, however the user can move their data into another group. Users require login credentials to access the system. OMERO also supports the use of an LDAP server. diff --git a/pages/tool_assembly/tsd_assembly.md b/pages/tool_assembly/tsd_assembly.md index e7257c7f9..6010dad73 100644 --- a/pages/tool_assembly/tsd_assembly.md +++ b/pages/tool_assembly/tsd_assembly.md @@ -18,7 +18,7 @@ training: ## What is the Norwegian tools assembly for sensitive data - TSD data management tools assembly? The Norwegian ELIXIR tools assembly for sensitive data is centred around -[TSD - literally for: services for sensitive data](https://www.uio.no/english/services/it/research/sensitive-data/) is an infrastructure provided by [the University of Oslo (UiO)](https://www.uio.no). Together with the other complementary tools provided by ELIXIR, TSD can be used for the management of [sensitive data](sensitive_data), including handling of [Human data](human_data). +[TSD - literally for: services for sensitive data](https://www.uio.no/english/services/it/research/sensitive-data/) is an infrastructure provided by [the University of Oslo (UiO)](https://www.uio.no). Together with the other complementary tools provided by ELIXIR, TSD can be used for the management of [sensitive data](data_sensitivity), including handling of [Human data](human_data). This assembly covers [Planning](planning), [Processing](processing), [Analysing](analysing) and [Sharing](sharing) Data Life Cycle stages and offer [Data Storage](storage) capacities and tools for [transfer](data_transfer) of sensitive data, following the requirements of the {% tool "eu-general-data-protection-regulation" %} and its Norwegian implementation. 
@@ -52,7 +52,7 @@ You can access the [ELIXIR-NO instance of the Data Stewardship Wizard](https://e If you use one of the Norwegian research infrastructures, such as the Norwegian sequencing infrastructure [NorSeq](https://www.norseq.org/) they can directly upload data to your TSD project for you - the process is described by ELIXIR Norway at [https://elixir.no/Services-bak/data_produced_NorSeq](https://elixir.no/Services-bak/data_produced_NorSeq) The sensitive data tools assembly provides [Nettskjema](https://nettskjema.no) as a solution for designing and managing data collections using online forms and surveys. This is a secure and GDPR-compliant service. It can be accessed through the UiO's web pages and it is used through a web browser. Submissions from a Nettskjema questionnaire can be delivered securely (fully encrypted) to your project area within TSD. -TSD-users are granted access to Nettskjema through [IDporten or Feide](https://www.uio.no/tjenester/it/adm-app/nettskjema/mer-om/eksterne-brukere). When the Nettskjema form is complete, you can upload it on TSD following [these instructions](https://www.uio.no/tjenester/it/adm-app/nettskjema/hjelp/koble-skjema-til-tsd.html). After verification, the form can be used for collecting sensitive data. Note that further processing and analysis of the results should be conducted within TSD. If exporting data is necessary, the files should be properly [de-identified or anonymised](sensitive_data.html#how-can-you-de-identify-your-data). +TSD-users are granted access to Nettskjema through [IDporten or Feide](https://www.uio.no/tjenester/it/adm-app/nettskjema/mer-om/eksterne-brukere). When the Nettskjema form is complete, you can upload it on TSD following [these instructions](https://www.uio.no/tjenester/it/adm-app/nettskjema/hjelp/koble-skjema-til-tsd.html). After verification, the form can be used for collecting sensitive data. Note that further processing and analysis of the results should be conducted within TSD. 
If exporting data is necessary, the files should be properly [de-identified or anonymised](data_sensitivity.html#how-can-you-de-identify-your-data). ### Data Processing and Analysis diff --git a/pages/your_domain/human_data.md b/pages/your_domain/human_data.md index 9549cdbbd..94ab38a91 100644 --- a/pages/your_domain/human_data.md +++ b/pages/your_domain/human_data.md @@ -58,7 +58,7 @@ When working with human data, you must follow established research ethical guide * Personal data protection legislation: * **Within the EU.** If you are performing human data research in the EU, or your data subjects are located in the EU, then you must adhere to the General Data Protection Regulation - GDPR. * Requirements for research that fall under the GDPR are outlined in the [RDMkit GDPR compliance page](gdpr_compliance). - * Attributes of the data determines data sensitivity and sensitivity affects the considerations for data handling. The [RDMkit Data Sensitivity page](sensitive_data) provides guidance on determining and reducing data sensitivity. + * Attributes of the data determines data sensitivity and sensitivity affects the considerations for data handling. The [RDMkit Data Sensitivity page](data_sensitivity) provides guidance on determining and reducing data sensitivity. * **Outside the EU.** For countries outside the EU, the {% tool "international-compilation-of-human-research-standards" %} list relevant legislations. diff --git a/pages/your_domain/human_pathogen_genomics.md b/pages/your_domain/human_pathogen_genomics.md index 6cf3e40c5..d74329a31 100644 --- a/pages/your_domain/human_pathogen_genomics.md +++ b/pages/your_domain/human_pathogen_genomics.md @@ -8,7 +8,7 @@ related_pages: - data_brokering - metadata - transfer - - data_protection + - data_security - data_quality tool_assembly: - covid-19 
@@ -51,7 +51,7 @@ While the object of interest in this domain are pathogens, the data is usually d * [Processing and analysing human data](human_data#processing-and-analysing-human-data) #### Isolate pathogen from host information -* Depending on the pathogen, how it interacts with the host, or the methods applied, it can be possible to generate clean isolates that do not contain host related material. Data produced from a clean isolate could potentially be handled with few restrictions, while other data will be considered to be personal and [sensitive](sensitive_data) that need [protection](data_protection). +* Depending on the pathogen, how it interacts with the host, or the methods applied, it can be possible to generate clean isolates that do not contain host related material. Data produced from a clean isolate could potentially be handled with few restrictions, while other data will be considered to be personal and [sensitive](data_sensitivity) that need [protection](data_security). #### Public health initiatives * National and international recommendations from public health authorities, epidemic surveillance programs and research data communities should be considered when planning a new study or surveillance programme. In particular, you could consult conventions for relevant surveillance programs while considering widely adopted guidelines for research documentation, and instructions from the data sharing platforms. diff --git a/pages/your_role/policy_maker.md b/pages/your_role/policy_maker.md index d094f2126..e00436a36 100644 --- a/pages/your_role/policy_maker.md +++ b/pages/your_role/policy_maker.md 
@@ -31,8 +31,8 @@ In your role of policy maker, you may need to: * The [Compliance page](compliance_monitoring) helps comply with the institution policy, including legal and ethical aspects. * The [National resources pages](national_resources) point to country-specific information resources such as local funding agencies and research councils, and information on local policies for open science, national regulations on data ethics, and domain-specific infrastructures and tools. -* [Data protection](data_protection) helps to make research data compliant to GDPR. -* [Data sensitivity](sensitive_data) helps to identify sensitivity of different research data types. +* [Data protection](data_security) helps to make research data compliant to GDPR. +* [Data sensitivity](data_sensitivity) helps to identify sensitivity of different research data types. * [Licensing](licensing) gives advice on how to assign a licence to research data. * [Data management plan](data_management_plan) guides through writing a data management plan. * [Project data management coordination](dm_coordination) gives support in coordination and organisation of RDM in collaborative projects. diff --git a/pages/your_role/principal_investigator.md b/pages/your_role/principal_investigator.md index 6b990f0f1..3c61085b4 100644 --- a/pages/your_role/principal_investigator.md +++ b/pages/your_role/principal_investigator.md 
@@ -33,7 +33,7 @@ In your role of PI, you may need to: * To organise data management in collaborative projects, it will benefit from a formalised way of working via a [Data Management Working Group (DMWG)](dm_coordination). * The [costs of data management page](costs_data_management) helps you budget for your project, including costs for data storage and preservation. * The [national resources pages](national_resources) provide country-specific guidance, to help you choose the best services, tools and pipelines to manage your data. - * The [human data page](human_data#planning-for-projects-with-human-data) gathers information that needs to be taken into consideration when working with human data. Make sure to [protect the data](data_protection#how-do-you-ensure-that-your-data-is-handled-securely) in your project well and prevent unauthorised access. + * The [human data page](human_data#planning-for-projects-with-human-data) gathers information that needs to be taken into consideration when working with human data. Make sure to [protect the data](data_security#how-do-you-ensure-that-your-data-is-handled-securely) in your project well and prevent unauthorised access. * Consider your [data storage needs](storage) in an early stage, including long-term storage at the project end. * The [data organisation page](data_organisation) helps you with file naming, versioning and folder structures. * [Data documentation](metadata_management), like README files and metadata, help secondary users to understand and reuse your data. diff --git a/pages/your_role/research_software_engineer.md b/pages/your_role/research_software_engineer.md index 560412651..df174dd6f 100644 --- a/pages/your_role/research_software_engineer.md +++ b/pages/your_role/research_software_engineer.md 
@@ -38,8 +38,8 @@ In your role of research software engineer, you may need to: * The [identifiers page](identifiers) gives advice on how to create and use identifiers. [Machine actionability](machine_actionability) helps to automatically access and process research data. * Consider the best practices and technical solutions for [data analysis](data_analysis). - * [Data protection](data_protection) helps you to make research data GDPR-compliant. - * [Data sensitivity](sensitive_data) helps you to identify sensitivity of different research data types. + * [Data protection](data_security) helps you to make research data GDPR-compliant. + * [Data sensitivity](data_sensitivity) helps you to identify sensitivity of different research data types. * [Licensing](licensing) gives advice on how to assign a licence to research data. * Consult the [data transfer page](data_transfer) for information about transferring large data files. * The [data brokering page](data_brokering) provides information on uploading data to repositories and metadata requirements for the process. diff --git a/pages/your_tasks/data_publication.md b/pages/your_tasks/data_publication.md index 322dbbf8a..68f863690 100644 --- a/pages/your_tasks/data_publication.md +++ b/pages/your_tasks/data_publication.md 
@@ -78,7 +78,7 @@ Once you have decided where to publish your data, you will have to make your (me * How is the data uploaded? * What metadata do you need to provide? * Under which licence should the data be published? - * Should [sensitive data](sensitive_data) and metadata be anonymised or pseudonymised prior to a publication? This could notably be the case if you work with [human data](human_data). + * Should [sensitive data](data_sensitivity) and metadata be anonymised or pseudonymised prior to a publication? This could notably be the case if you work with [human data](human_data). * After data is submitted to a public repository, should the original copy of the data be retained at the central brokering platform and linked to its public counterpart? Or should it be removed and replaced with the ID of the public record? diff --git a/pages/your_tasks/data_protection.md b/pages/your_tasks/data_security.md similarity index 99% rename from pages/your_tasks/data_protection.md rename to pages/your_tasks/data_security.md index d0f08e849..c67c36a90 100644 --- a/pages/your_tasks/data_protection.md +++ b/pages/your_tasks/data_security.md @@ -3,6 +3,7 @@ title: Data security contributors: [Pinar Alper, Yvonne Kallberg, Vilem Ded, Eva Csosz, Niclas Jareborg] description: How do you ensure that your data is handled securely. page_id: data_security +redirect_from: data_protection related_pages: tool_assembly: [tsd, transmed] training: 
@@ -69,7 +70,7 @@ To protect your research data, code, and other information assets you should est * Organisational Measures * The procedures on how the technical protection measures are to be used, and who is responsible for what, must be understood by all personnel that work with the data, code, and other information assets. The procedures should be documented, and staff should have access to relevant training to follow the procedures. This is often the most vulnerable part in an Information Security strategy. * Policies are an important component of data management and they are essential for information security. Organisations use policies to announce to their staff and third parties the expectations, roles and responsibilities in data handling. Policies typically cover data classification, storage/backup, transfer, retention/archival, deletion/destruction, acceptable use of IT platforms and the reporting of security incidents and data breaches. In some cases research data requirements would be addressed in dedicated policies. Therefore, at the planning phase, it is important to understand institutional data policies applicable to the project’s data. If the data is considered sensitive as per the institutional data classification, this will have an impact on the IT platforms that can be used to store and transmit the data as well as the specific procedures to be followed. - * Information inventories and documentation is another requirement for projects dealing with sensitive data. At the planning phase you should identify the various categories of data that will be processed in the project e.g. personal health and biomedical data, sensitive habitat data, IP restricted data from the industry. You should document which platforms will be used to process the data and the applicable security measures in case certain measures are applied to restricted classes of data. See the next section for GDPR-specific documentation requirements. 
See the [Data Sensitivity](/sensitive_data) page for more information on sensitive data. + * Information inventories and documentation is another requirement for projects dealing with sensitive data. At the planning phase you should identify the various categories of data that will be processed in the project e.g. personal health and biomedical data, sensitive habitat data, IP restricted data from the industry. You should document which platforms will be used to process the data and the applicable security measures in case certain measures are applied to restricted classes of data. See the next section for GDPR-specific documentation requirements. See the [Data Sensitivity](/data_sensitivity) page for more information on sensitive data. * [ISO/IEC 27001](https://en.wikipedia.org/wiki/ISO/IEC_27001) is an international information security standard adopted by data processing centres worldwide. Some universities and research institutes also acquire an ISO 27001 certification for their IT environments. Such certifications allow institutions to consistently and thoroughly identify information security risks and put in place best practice information security controls. These controls would include all above mentioned technical and organisational safeguards and more. diff --git a/pages/your_tasks/sensitive_data.md b/pages/your_tasks/data_sensitivity.md similarity index 99% rename from pages/your_tasks/sensitive_data.md rename to pages/your_tasks/data_sensitivity.md index 1b7e739d2..8b6ca0707 100644 --- a/pages/your_tasks/sensitive_data.md +++ b/pages/your_tasks/data_sensitivity.md @@ -3,6 +3,7 @@ title: Data sensitivity contributors: [Rob Hooft, Yvonne Kallberg, Pinar Alper, Markus Englund, Thanasis Vergoulis, Robert Andrews, Nazeefa Fatima] description: How to identify the sensitivity of different research data types page_id: sensitive +redirect_from: data_sensitivity related_pages: tool_assembly: [tsd, covid-19, transmed] training: 
diff --git a/pages/your_tasks/existing_data.md b/pages/your_tasks/existing_data.md index 493316e68..7e87fac9b 100644 --- a/pages/your_tasks/existing_data.md +++ b/pages/your_tasks/existing_data.md @@ -66,7 +66,7 @@ When you find data of interest, you should first check if the quality is good an * Check the [licences](licensing) or repository policy for data usage. * Data from publications can generally be used but make sure that you cite the publication as reference. * If you cannot find the licence of the data, contact the authors. No licence means no reuse allowed. - * If you are reusing personal (identifiable) or even sensitive data, some extra care needs to be taken (see [Human data](human_data) and [Sensitive data](sensitive_data) pages): + * If you are reusing personal (identifiable) or even sensitive data, some extra care needs to be taken (see [Human data](human_data) and [Sensitive data](data_sensitivity) pages): * Make sure you select a data repository that has a clear, published data access/use policy. You do not want to be liable for improper reuse of personal information. For instance, if you’re downloading human data from some lab’s website make sure there is a statement/confirmation that the data was collected with ethical and legal considerations in place. * Sensitive data is often shared under restrictions. Check in the description of the access conditions whether these match with your project (i.e. whether you would be able to successfully ask to get access to the data). For instance, certain datasets can only be accessed by projects with Ethics/Institutional Review Board approval or some can only be used within a specific research field. diff --git a/pages/your_tasks/gdpr_compliance.md b/pages/your_tasks/gdpr_compliance.md index 09072947d..3d1f826b3 100644 --- a/pages/your_tasks/gdpr_compliance.md +++ b/pages/your_tasks/gdpr_compliance.md 
@@ -76,4 +76,4 @@ Record your data processing. To meet GDPR's accountability requirement you shoul * [BBMRI-ERIC's Ethical Legal Societal Issues (ELSI) Knowledge Base](https://www.bbmri-eric.eu/elsi/knowledge-base/) contains a glossary, agreement templates and guidance. * [Data Information System DAISY](https://daisy-demo.elixir-luxembourg.org/) is software tool from ELIXIR that allows the record keeping of data processing activities in research projects. * [DAWID](https://dawid.elixir-luxembourg.org) is a software tool from ELIXIR that allows generation of tailor-made data sharing agreements - * [Tryggve ELSI Checklist](https://scilifelab-data-guidelines.readthedocs.io/en/latest/docs/general/sensitive_data.html) is a list of Ethical, Legal, and Societal Implications (ELSI) to consider for research projects on human subjects. + * [Tryggve ELSI Checklist](https://scilifelab-data-guidelines.readthedocs.io/en/latest/docs/general/data_sensitivity.html) is a list of Ethical, Legal, and Societal Implications (ELSI) to consider for research projects on human subjects. From d3ae1aae85c37a3b6db0e8252d382fd8656236ca Mon Sep 17 00:00:00 2001 From: bedroesb Date: Wed, 23 Aug 2023 11:09:29 +0200 Subject: [PATCH 15/19] correct redirect --- pages/your_tasks/data_sensitivity.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pages/your_tasks/data_sensitivity.md b/pages/your_tasks/data_sensitivity.md index 8b6ca0707..35f48fcae 100644 --- a/pages/your_tasks/data_sensitivity.md +++ b/pages/your_tasks/data_sensitivity.md @@ -3,7 +3,7 @@ title: Data sensitivity contributors: [Rob Hooft, Yvonne Kallberg, Pinar Alper, Markus Englund, Thanasis Vergoulis, Robert Andrews, Nazeefa Fatima] description: How to identify the sensitivity of different research data types page_id: sensitive -redirect_from: data_sensitivity +redirect_from: sensitive_data related_pages: tool_assembly: [tsd, covid-19, transmed] training: 
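Review bot: In the pages/your_tasks/gdpr_compliance.md hunk of PATCH 14/19, the Tryggve ELSI Checklist link on scilifelab-data-guidelines.readthedocs.io changes from `.../docs/general/sensitive_data.html` to `.../docs/general/data_sensitivity.html`. That host is external and is not affected by the RDMkit page rename, so this looks like collateral from a repository-wide search and replace. Revert the URL to `sensitive_data.html` unless the new path has been confirmed to exist on that site.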
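Review bot: In the pages/your_role/policy_maker.md and pages/your_role/research_software_engineer.md hunks of PATCH 14/19, only the link target changes, so the bullets still read `[Data protection](data_security)` and still describe the page as making research data GDPR-compliant. The target page is titled "Data security", and PATCH 16/19 moves the GDPR content out of it, so the label and description no longer match where the link goes. Rename the label to "Data security", reword the description to cover secure handling, and add a separate bullet pointing to `gdpr_compliance` for the GDPR statement.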
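Review bot: `redirect_from: sensitive_data` in PATCH 15/19 is the correct value, but it only repairs the self-referencing `redirect_from: data_sensitivity` that PATCH 14/19 added to pages/your_tasks/data_sensitivity.md, which leaves the tree at PATCH 14/19 with no redirect from the old `sensitive_data` URL. Squash this fix into PATCH 14/19 so that every commit in the series keeps the old URL resolving.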
From 3fa67339f2b663d8d714a22a9decad612e83f0ca Mon Sep 17 00:00:00 2001 From: Vilem Ded Date: Wed, 23 Aug 2023 13:22:04 +0200 Subject: [PATCH 16/19] move GDPR content from data security to separate page --- pages/your_tasks/data_security.md | 55 ----------------------------- pages/your_tasks/gdpr_compliance.md | 13 ++++--- 2 files changed, 6 insertions(+), 62 deletions(-) diff --git a/pages/your_tasks/data_security.md b/pages/your_tasks/data_security.md index c67c36a90..673f40ee6 100644 --- a/pages/your_tasks/data_security.md +++ b/pages/your_tasks/data_security.md 
@@ -72,58 +72,3 @@ To protect your research data, code, and other information assets you should est * Policies are an important component of data management and they are essential for information security. Organisations use policies to announce to their staff and third parties the expectations, roles and responsibilities in data handling. Policies typically cover data classification, storage/backup, transfer, retention/archival, deletion/destruction, acceptable use of IT platforms and the reporting of security incidents and data breaches. In some cases research data requirements would be addressed in dedicated policies. Therefore, at the planning phase, it is important to understand institutional data policies applicable to the project’s data. If the data is considered sensitive as per the institutional data classification, this will have an impact on the IT platforms that can be used to store and transmit the data as well as the specific procedures to be followed. * Information inventories and documentation is another requirement for projects dealing with sensitive data. At the planning phase you should identify the various categories of data that will be processed in the project e.g. personal health and biomedical data, sensitive habitat data, IP restricted data from the industry. You should document which platforms will be used to process the data and the applicable security measures in case certain measures are applied to restricted classes of data. See the next section for GDPR-specific documentation requirements. See the [Data Sensitivity](/data_sensitivity) page for more information on sensitive data. * [ISO/IEC 27001](https://en.wikipedia.org/wiki/ISO/IEC_27001) is an international information security standard adopted by data processing centres worldwide. Some universities and research institutes also acquire an ISO 27001 certification for their IT environments. 
Such certifications allow institutions to consistently and thoroughly identify information security risks and put in place best practice information security controls. These controls would include all above mentioned technical and organisational safeguards and more. - - -## How do you protect research data under GDPR? - -### Description - -Where scientific research involves the processing of data concerning people in the European Union (EU), it is subject to the {% tool "eu-general-data-protection-regulation" %} (GDPR). The GDPR applies a ["special regime"](https://edps.europa.eu/sites/edp/files/publication/20-01-06_opinion_research_en.pdf) to research, providing -derogations from some obligations given appropriate criteria are met and safeguards are in place. The criteria is to follow standards in research method and ethics, as well as to aim societal benefit rather than serving private interests in research. -The safeguards are a multitude and include: - * data collection with informed consent under ethical oversight and accountability; - * ensuring lawful processing and exchange of human-subject information; - * putting in place organisational and technical data protection measures such as encryption and pseudonymisation. - -The practical impact of the GDPR on research is, then, establishing these safeguards within projects. - -### Considerations - -Seek expert help for the interpretation of GDPR legal requirements to practicable measures. - * Research institutes appoint Data Protection Officers (DPO). Before starting a project you should contact your DPO to be informed of GDPR compliance requirements for your institution. - * Each EU country has its own national implementation of the GDPR. If your project involves a multi-national consortium, the requirements of all participating countries need to be met and you should inform the project coordinator of any country-specific requirements. 
- * Legal offices in research institutes provide model agreements, which cater for various research scenarios and consortia setups. You should inform your local legal office of your project's setup and identify the necessary agreements to be signed. - -Assess your project under the GDPR. - * Determine your GDPR role. Are you a data controller, who determines the purposes and means of the processing, or, are you a data processor, who acts under instructions from the controller? - * If you are a controller, you need to check whether your processing poses high privacy risks for data subjects, and if so, perform a Data Protection Impact Assessment (DPIA). - * The GDPR lists certain data e.g. race, ethnicity, health, genetic, biometric data as [special category](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/how-my-personal-data-protected/how-data-my-religious-beliefs-sexual-orientation-health-political-views-protected_en), requiring it's heightened protection. Your research will be considered high risk processing if it involves special category data or if it includes some specified types of processing. - * A DPIA is often a pre-requisite for ethics applications. Your DPO or local ethics advisory board can help determine whether your project requires a DPIA. - * Performing the DPIA while writing the DMP will allow you to reuse information and save time. - * An outcome of the DPIA will be a listing of risks and corresponding mitigations. Mitigations identify the data protection measures you'll adopt, both technical organisational. - -Apply technical and organisational measures for data protection. These include: - * institutional policies and codes of conduct; - * staff training; - * user authentication, authorisation, data level access control; - * data privacy measures such as pseudonymisation, anonymisation and encryption, - * arrangements that will enable data subjects to exercise their rights. - -Record your data processing. 
To meet GDPR's accountability requirement you should maintain records on the following: - * project stakeholders and their GDPR roles (controller, processor); - * purpose of your data processing; - * description of data subjects and the data; - * description of data recipients, particularly those outside the EU; - * logs of data transfers to recipients and the safeguards put in place for transfers, such as data sharing agreements; - * time limits for keeping different categories of personal data; - * description of organizational and technical data protection measures. - -### Solution - - * [European Data Protection Supervisor's "Preliminary opinion on Data Protection and Scientific Research"](https://edps.europa.eu/sites/edp/files/publication/20-01-06_opinion_research_en.pdf) - * {% tool "bbmri-eric-s-elsi-knowledge-base" %} contains a glossary, agreement templates and guidance. - * {% tool "daisy" %} and {% tool "erpa" %} are software tools from ELIXIR that allows the record keeping of data processing activities in research projects. - * {% tool "dawid" %} is a software tool from ELIXIR that allows generation of tailor-made data sharing agreements - * {% tool "dpia-knowledge-model" %} is designed to leverage {% tool "data-stewardship-wizard" %} to perform DPIA. - * {% tool "tryggve-elsi-checklist" %} is a list of Ethical, Legal, and Societal Implications (ELSI) to consider for research projects on human subjects. - diff --git a/pages/your_tasks/gdpr_compliance.md b/pages/your_tasks/gdpr_compliance.md index 3d1f826b3..ddac23129 100644 --- a/pages/your_tasks/gdpr_compliance.md +++ b/pages/your_tasks/gdpr_compliance.md 
@@ -41,7 +41,7 @@ The practical impact of the GDPR on research is, then, establishing these safegu Seek expert help for the interpretation of GDPR legal requirements to practicable measures. * Research institutes appoint Data Protection Officers (DPO). Before starting a project you should contact your DPO to be informed of GDPR compliance requirements for your institution. - * Each EU country has its own national implementation of the GDPR. If your project involves a multi-national consortium, the requirements of all participating countries need to be met and you should inform the project coordinator of any country-specific requirements. + * Each EU country has its own national implementation of the GDPR. If your project involves a multi-national consortium, the requirements of all participating countries need to be met and you should inform the project coordinator of any country-specific requirements. * Legal offices in research institutes provide model agreements, which cater for various research scenarios and consortia setups. You should inform your local legal office of your project's setup and identify the necessary agreements to be signed. Assess your project under the GDPR. 
@@ -70,10 +70,9 @@ Record your data processing. To meet GDPR's accountability requirement you shoul ### Solution - * [EU General Data Protection Regulation](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN). * [European Data Protection Supervisor's "Preliminary opinion on Data Protection and Scientific Research"](https://edps.europa.eu/sites/edp/files/publication/20-01-06_opinion_research_en.pdf) - * [GDPR-Carpa - A Luxembourgish certification mechanism according to the GDPR criteria](https://cnpd.public.lu/en/actualites/national/2022/06/adpoption-gdpr-carpa.html) - * [BBMRI-ERIC's Ethical Legal Societal Issues (ELSI) Knowledge Base](https://www.bbmri-eric.eu/elsi/knowledge-base/) contains a glossary, agreement templates and guidance. - * [Data Information System DAISY](https://daisy-demo.elixir-luxembourg.org/) is software tool from ELIXIR that allows the record keeping of data processing activities in research projects. - * [DAWID](https://dawid.elixir-luxembourg.org) is a software tool from ELIXIR that allows generation of tailor-made data sharing agreements - * [Tryggve ELSI Checklist](https://scilifelab-data-guidelines.readthedocs.io/en/latest/docs/general/data_sensitivity.html) is a list of Ethical, Legal, and Societal Implications (ELSI) to consider for research projects on human subjects. + * {% tool "bbmri-eric-s-elsi-knowledge-base" %} contains a glossary, agreement templates and guidance. + * {% tool "daisy" %} and {% tool "erpa" %} are software tools from ELIXIR that allows the record keeping of data processing activities in research projects. + * {% tool "dawid" %} is a software tool from ELIXIR that allows generation of tailor-made data sharing agreements + * {% tool "dpia-knowledge-model" %} is designed to leverage {% tool "data-stewardship-wizard" %} to perform DPIA. 
+ * {% tool "tryggve-elsi-checklist" %} is a list of Ethical, Legal, and Societal Implications (ELSI) to consider for research projects on human subjects. From 170c98dd3d0f8eaa95866b074b25267f68d054d3 Mon Sep 17 00:00:00 2001 From: Vilem Ded Date: Thu, 24 Aug 2023 14:05:50 +0200 Subject: [PATCH 17/19] remove personal data related links to DSW from data_security page --- pages/your_tasks/data_security.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/pages/your_tasks/data_security.md b/pages/your_tasks/data_security.md index 673f40ee6..428c074f4 100644 --- a/pages/your_tasks/data_security.md +++ b/pages/your_tasks/data_security.md @@ -11,10 +11,6 @@ training: registry: TeSS url: https://tess.elixir-europe.org/search?q=data+protection#materials dsw: -- name: Will you collect any data connected to a person, "personal data"? - uuid: 49c009cb-a38c-4836-9780-8a8b3dd1cbac -- name: Do you need a Data Protection Impact Assessment? - uuid: 8915bd25-db22-4ed6-bcc8-b1bbdc52989e - name: What technical and procedural safeguards have been established for processing the data? uuid: a30f5047-33c1-45a7-8b3f-b1b90c364fc9 From 9c65f078b595e6e309cca2cc16326ed6f67e7946 Mon Sep 17 00:00:00 2001 From: Federico Bianchini <72258479+bianchini88@users.noreply.github.com> Date: Thu, 31 Aug 2023 12:31:17 +0200 Subject: [PATCH 18/19] Update gdpr_compliance.md Minor grammar/spelling improvements --- pages/your_tasks/gdpr_compliance.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/pages/your_tasks/gdpr_compliance.md b/pages/your_tasks/gdpr_compliance.md index ddac23129..df4c35e6c 100644 --- a/pages/your_tasks/gdpr_compliance.md +++ b/pages/your_tasks/gdpr_compliance.md 
@@ -28,7 +28,7 @@ faircookbook: ### Description -Where scientific research involves the processing of data concerning identifiable people in the European Union (EU), it is subject to the General Data Protection Regulation (GDPR). The GDPR applies a ["special regime"](https://edps.europa.eu/sites/edp/files/publication/20-01-06_opinion_research_en.pdf) to research, providing derogations from some obligations given appropriate criteria are met and safeguards are in place. The criteria is to follow standards in research method and ethics, as well as to aim societal benefit rather than serving private interests in research. +Where scientific research involves the processing of data concerning identifiable people in the European Union (EU), it is subject to the General Data Protection Regulation (GDPR). The GDPR applies a ["special regime"](https://edps.europa.eu/sites/edp/files/publication/20-01-06_opinion_research_en.pdf) to research, providing derogations from some obligations given appropriate criteria are met and safeguards are in place. The criteria are to follow standards in research method and ethics, as well as to aim for societal benefit rather than serving private interests in research. The safeguards are a multitude and include: * data collection with informed consent under ethical oversight and accountability; 
@@ -47,16 +47,16 @@ Seek expert help for the interpretation of GDPR legal requirements to practicabl Assess your project under the GDPR. * Determine your GDPR role. Are you a data controller, who determines the purposes and means of the processing, or, are you a data processor, who acts under instructions from the controller? * If you are a controller, you need to check whether your processing poses high privacy risks for data subjects, and if so, perform a Data Protection Impact Assessment (DPIA). - * The GDPR lists certain data e.g. race, ethnicity, health, genetic, biometric data as [special category](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/how-my-personal-data-protected/how-data-my-religious-beliefs-sexual-orientation-health-political-views-protected_en), requiring it's heightened protection. Your research will be considered high risk processing if it involves special category data or if it includes some specified types of processing. - * A DPIA is often a pre-requisite for ethics applications. Your DPO or local ethics advisory board can help determine whether your project requires a DPIA. + * The GDPR lists certain data e.g. race, ethnicity, health, genetic, biometric data as [special category](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/how-my-personal-data-protected/how-data-my-religious-beliefs-sexual-orientation-health-political-views-protected_en), requiring heightened protection. Your research will be considered high-risk processing if it involves special category data or if it includes some specified types of processing. + * A DPIA is often a prerequisite for ethics applications. Your DPO or local ethics advisory board can help determine whether your project requires a DPIA. * Performing the DPIA while writing the DMP will allow you to reuse information and save time. - * An outcome of the DPIA will be a listing of risks and corresponding mitigations. 
Mitigations identify the data protection measures you'll adopt, both technical organisational. + * An outcome of the DPIA will be a listing of risks and corresponding mitigations. Mitigations identify the data protection measures you will adopt, both technical and organisational. Apply technical and organisational measures for data protection. These include: * institutional policies and codes of conduct; * staff training; * user authentication, authorisation, data level access control; - * data privacy measures such as pseudonymisation, anonymisation and encryption, + * data privacy measures such as pseudonymisation, anonymisation and encryption; * arrangements that will enable data subjects to exercise their rights. Record your data processing. To meet GDPR's accountability requirement you should maintain records on the following: 
@@ -66,13 +66,13 @@ Record your data processing. To meet GDPR's accountability requirement you shoul * description of data recipients, particularly those outside the EU; * logs of data transfers to recipients and the safeguards put in place for transfers, such as data sharing agreements; * time limits for keeping different categories of personal data; - * description of organizational and technical data protection measures. + * description of organisational and technical data protection measures. ### Solution * [European Data Protection Supervisor's "Preliminary opinion on Data Protection and Scientific Research"](https://edps.europa.eu/sites/edp/files/publication/20-01-06_opinion_research_en.pdf) * {% tool "bbmri-eric-s-elsi-knowledge-base" %} contains a glossary, agreement templates and guidance. - * {% tool "daisy" %} and {% tool "erpa" %} are software tools from ELIXIR that allows the record keeping of data processing activities in research projects. - * {% tool "dawid" %} is a software tool from ELIXIR that allows generation of tailor-made data sharing agreements + * {% tool "daisy" %} and {% tool "erpa" %} are software tools from ELIXIR that allow the record-keeping of data processing activities in research projects. + * {% tool "dawid" %} is a software tool from ELIXIR that allows the generation of tailor-made data-sharing agreements * {% tool "dpia-knowledge-model" %} is designed to leverage {% tool "data-stewardship-wizard" %} to perform DPIA. * {% tool "tryggve-elsi-checklist" %} is a list of Ethical, Legal, and Societal Implications (ELSI) to consider for research projects on human subjects. From 597bd11094e9298ce0dad7629be071d4bd037805 Mon Sep 17 00:00:00 2001 From: bedroesb Date: Thu, 31 Aug 2023 13:14:44 +0200 Subject: [PATCH 19/19] add gdpr_compliance --- _data/sidebars/data_management.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/_data/sidebars/data_management.yml b/_data/sidebars/data_management.yml index 260863ced..f0cbfdb0b 100644 
--- a/_data/sidebars/data_management.yml +++ b/_data/sidebars/data_management.yml @@ -92,6 +92,8 @@ subitems: url: /metadata_management - title: Existing data url: /existing_data + - title: GDPR compliance + url: /gdpr_compliance - title: Identifiers url: /identifiers - title: Licensing
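Review bot: In the pages/your_tasks/gdpr_compliance.md hunk at @@ -76,4 +76,4 (the commit just before PATCH 15/19), the Tryggve ELSI Checklist link is an external URL on scilifelab-data-guidelines.readthedocs.io, yet its path was changed from sensitive_data.html to data_sensitivity.html along with the internal page rename. This looks like a side effect of a blanket search and replace. Unless the external site renamed its page as well, the link no longer resolves, so please restore the original path or confirm that the new one loads. PATCH 15/19 corrects the same kind of over-replacement in redirect_from, so a grep for other non-internal occurrences of data_sensitivity would be worthwhile.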
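Review bot: In PATCH 16/19, pages/your_tasks/data_security.md hunk @@ -72,58 +72,3, the retained bullet on information inventories still says "See the next section for GDPR-specific documentation requirements.", but this hunk deletes that next section, so the cross-reference is left dangling. Point it at the new page instead, for example "See the [GDPR compliance](/gdpr_compliance) page for GDPR-specific documentation requirements."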
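Review bot: In PATCH 16/19, pages/your_tasks/gdpr_compliance.md hunk @@ -70,10 +70,9 (the Solution list), two entries are dropped rather than moved: the EU General Data Protection Regulation link and the GDPR-Carpa link have no counterpart among the added lines. The text removed from data_security.md referenced the regulation through {% tool "eu-general-data-protection-regulation" %}, while the Description on this page names the GDPR in plain text, so the page ends up with no link to the regulation itself. Consider using that tool tag in the Description or keeping a Solution entry for it, and say in the commit message whether dropping GDPR-Carpa is intentional.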
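Review bot: In PATCH 17/19, pages/your_tasks/data_security.md front-matter hunk @@ -11,10 +11,6, the two removed dsw questions (personal data, Data Protection Impact Assessment) are not added by any of the gdpr_compliance.md hunks shown here, so those Data Stewardship Wizard links appear to vanish instead of following the GDPR content. If they belong with the GDPR page, add them to its dsw front matter in the same commit. Separately, the TeSS url in the context lines still queries q=data+protection although the page is now data security; check whether the search term should follow the rename.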
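Review bot: In PATCH 18/19, pages/your_tasks/gdpr_compliance.md hunk @@ -66,13 +66,13, the reworded dawid bullet still ends without a full stop, unlike the descriptive tool bullets around it, and it introduces "data-sharing agreements" while the context line in the same hunk keeps "such as data sharing agreements" unhyphenated. Pick one spelling for the page and add the missing full stop, since this commit is the grammar and spelling pass.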