Description and analysis of the General Data Protection Regulation (GDPR) impact in relation to research in general and for selected countries is necessary in defining relevant documents and procedures. Further, there is a need to compare national implementation to identify if and how national variations reinforce existing legal barriers and restrictive practices or support open access and reusability of research data within the context of European Open Science Cloud (EOSC). The GDPR encourages the use of approved codes of conduct as a tool to ensure correct legal application and demonstrate compliance with the GDPR. This gives the scientific community a new opportunity to create a formal common framework to demonstrate compliance and facilitate harmonization of data-sharing rules and practices e.g., in relation to research.
The Task 5.3 of the SSHOC project investigates the impact of the GDPR and its implications for crossborder research in Europe. The legal and ethical issues related to open access will be addressed, along with reusability of research data, and legal implementation of the FAIR principles. The purpose of the workshop held within this task was to share experiences about code of conducts, and to address the possible need for creation of code of conducts in the research sector. The overall aim was to initiate the work on a SSH GDPR Code of Conduct to be handed over to and finalised in Task 8.3 of the SSHOC project, which handles Legal and Ethical Issues.
The partners of Task 5.3 (CESSDA/NSD, DARIAH, CESSDA/DNA, and CNR) carried out a digital, three hours Stakeholder Workshop about a Social Science and Humanities Code of Conduct on the 17 March 2021. The workshop was organized as a combination of presentations by speakers followed by questions or comments. The last part of the workshop consisted of a thorough discussions of six prepared questions with 35 participants from the research sector. The discussions in the breakout rooms were moderated by task members.
First, two members of Task 5.3 presented “Results from the Report on the impact of the GDPR and its implications for EOSC” and “Anatomy of a Code of Conduct and Implications for GDPR” respectively. Secondly, Michaela Theresia Mayrhofer from BBMRI ERIC held a presentation about the creation of a Code of Conduct for health research. The presentations were followed by a Q&A session. The most important outcome from the breakout rooms were the discussions about the use of consent as legal basis for processing personal data in research. It was addressed that the creation of information/consent form can be difficult and that the term voluntary can be questioned. It was also questioned if a legitimate interest could be a suitable legal ground in some cases, compared to public interest, and that appropriate D5.19 - v1.3 4 legal ground should be decided based on the context and planned research. It was also addressed that providing information to participants and facilitate their rights set in GDPR might be the most important action points, regardless of which legal ground is being used. Further, it was a common understanding that national regulation regarding safeguards in accordance with Art. 89 (1), might be handled differently. It was considered as beneficial to have clear guidelines regarding which safeguards to perform when processing personal data in research. It was highlighted, that challenges regarding reuse and sharing of personal data can often be a result of former information provided to participants, and that many problems could be removed if researchers in the future gathered broad consents. Thus, the workshop included interesting presentations and discussions and will inspire the further work of initiating a SSH Code of Conduct for the project team.
The presentations and the following discussions showed that creation of a code of conduct is a complex task. The importance of a structured work when creating a code of conduct, but also the will from the relevant sector when taking the initiative to creating one was emphasized. Thus, it was especially valuable that some of the workshop participants expressed their will to be included in the initiative of creating a SSH code of conduct. The crossing field and implications of ethics and privacy turned out to be especially relevant when processing personal data in research. Also, the need for mapping possible appropriate safeguards when processing personal data and addressing how to better facilitate reuse and sharing of personal data in the research environment was highlighted.