Processing of personal data in scientific research

Processing of personal data in scientific research 1 Juridische Dienst


Privacy and scientific research: overview

1. What are personal data
   1.1 Personal data
   1.2 Special categories of personal data
2. Legislation protecting privacy
   2.1 General legislation protecting privacy
   2.2 Before and after GDPR
3. Personal data in scientific research
   3.1 Privacy review integrated in ethical review
   3.2 PRET application form
   3.3 Info and contact

Juridische Dienst KU Leuven

1. What are personal data?


What are personal data?

Personal data is any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be directly or indirectly identified.

Examples of ordinary personal data include a person’s name, address, e-mail address, photo, national register number, ID number, IP address, staff number, personal or work phone number (Who’s who), health data, login data, identification cookies, account number, CV, log data (e.g. cafeteria, car park, web browsing), camera images, staff files, payroll data, professional expenses, etc.


Special categories of personal data
• Processing of special categories is prohibited in principle, but is possible in the context of scientific research
• Special category data (formerly also known as ‘sensitive personal data’) consist of
  Ø data revealing political opinions,
  Ø religious or philosophical beliefs,
  Ø racial/ethnic origin,
  Ø trade union membership,
  Ø health,
  Ø genetic or biometric data (fingerprint, iris scan, etc.),
  Ø sexual orientation or behaviour.
• Special categories of personal data
  Ø data relating to criminal convictions or offences
  Ø national identification number

2. Legislation protecting privacy


Legislation protecting privacy

BEFORE
• EU: Directive 95/46/EG
• Belgium: Act concerning Privacy of 8 December 1992

NOW
• EU: General Data Protection Regulation (GDPR), in force from 25 May 2018
• Belgium: “de wet betreffende de bescherming van natuurlijke personen met betrekking tot de verwerking van persoonsgegevens” (Act concerning protection of natural persons in relation to processing of personal data), in force from 5 September 2018


Before and after GDPR
• European Directive → European Regulation (most principles were already applicable beforehand)
• Uniformity in Europe
• Focus on own responsibilities: record of processing activities replaces declaration to national privacy commission
• Penalties: Data Protection Authority with:
  - active inspection services and administrative court (before only acting on the basis of formal complaints);
  - administrative and financial sanctions

3. Personal data in scientific research


Privacy review integrated in ethical review
Unit Privacy and Ethics/SSEC CTC / EC Research
• Including DPO scientific research (Toon Boon)
• In cooperation with DPO University Hospitals (Griet Verhenneman)
• PRET application form
• Privacy review without ethical review
• Privacy review together with ethical review
• GDPR questionnaire CTC


GDPR compatibility and scientific research
• Privacy review per research project
• Integrated in ethical review
• PRET application form
  Ø Intelligent form – all questions at once
  Ø This feeds the record of processing activities for scientific research
  Ø Necessary and sufficient
• Systematic dialogue with relevant services (Research Coordination, LRD, …)
• Inventory of good practices (FAQ), problems etc. on a continuous basis


Privacy and ethics check: flow
• Submission by researcher through tool (see next pages – already treated in session of March 17)
• Possibilities:
  a) Only ethical check asked for – Unit Privacy and Ethics will nevertheless check for use of personal data.
  b) Only privacy check asked for -> Unit Privacy and Ethics will check – Additional information needed? – If possible, final approval. If complex: escalation via SMEC and eventually even Steering Committee of Univ
  c) Mixed check -> First check by Unit Privacy and Ethics (procedure b) and afterwards transfer to SMEC for ethical check


PRivacy en Ethiek (PRET)
https://www.kuleuven.be/pret and https://www.kuleuven.be/pret/en

PRET: manual


PRET (2) General info


PRET: Anonymisation / pseudonymisation
Pseudonymised data are and will remain personal data.


PRET: Sharing, importing and exporting data
Please ask the lawyers of the department which also supervised the conclusion of the main agreement (e.g. LRD or the Central Purchasing unit) how to proceed with the processing agreement. It is possible that a template processing agreement can be used or that the template has to be adapted. In the latter case, a substantive legal review will be necessary.

PRET: legal basis


Important elements to consider
• Am I dealing with personal data? Special (sensitive) data?
• Data minimization:
  - do I need all these data (need to know vs. nice to know)?
  - anonymous data > pseudonymised > recognisable (longitudinal research)
  - time period to keep the data recognisable (beware of audio or video)
• Sharing of data (beware: non-EU; agreements)

Toon Boon - Juridische Dienst KU Leuven


Important elements to consider
• Primary vs. secondary use of data (“in line with informed consent”?)
• Vulnerable people involved? (minors, …)
• Large-scale set-up? (not only purely numerical)
• Technical safety measures (USB/laptop? … Google Drive etc. … -> Box): see instructions and, if necessary, Wim Van Holder


Important elements to consider
• Transparent communication (information brief – informed consent; contact information and information concerning the exercise of people’s rights). Explain when deception is necessary
• Derogation from people’s rights necessary? (access, copy, correction; withdrawal)
• Basis for processing: (general interest!!!, informed consent, legal obligation, contractual need).


Important elements to consider
• General interest as basis for processing:
  - important deviation from people’s rights (no withdrawal of data; no new processing of data)
  - elements of appreciation: public financing; publication of results
• Data Protection Impact Assessment (GEB): special data, vulnerable people involved, large scale processing… Necessary when 2 categories indicated


Recap – privacy and research
• Registration of processing activity of personal data obligatory: through PRET-(or CTC-)questionnaire
• Privacy incident or data breach: If persons accidentally gain access to personal data or if personal data are accidentally altered or destroyed, this constitutes a data breach or privacy incident. Report via ‘procedure Databreach’
• All IT-applications need to comply with IT-security standards.


Info and contact
• www.kuleuven.be/privacy
• Staff Unit Privacy and Ethics: pret@kuleuven.be