What does General Data Protection Regulation (GDPR) mean in practice for Social Sciences and Humanities researchers? How can we ensure that appropriate measures are taken when dealing with personal data in the day-to-day research activities? These are some of the main questions that were discussed during the hybrid workshop “Data Protection in research practice: The GDPR and the ELDAH Consent Form Wizard” organised by SSHOC and the DARIAH ELDAH Working Group on the 13th of October 2021.
Koraljka Kuzman Šlogar (Institute of Ethnology and Folklore Research / DARIAH-HR) introduced the workshop with a presentation of the Ethics and Legality in the Digital Arts and Humanities (ELDAH) Working Group. Created in 2017 to work on ethical and legal issues, this DARIAH Working Group gathers 40+ members from 18 countries. Most of them are researchers and cultural heritage experts, and a few legal experts complete this team. In addition, ELDAH works in close collaboration with other groups such as the CLARIN Legal and Ethical Issues Committee or CESSDA. The scope of expertise of ELDAH revolves around intellectual property rights and licensing, data protection, privacy, research ethics and scholarly conduct. Besides running regular workshops for scholars, ELDAH also produces recommendations, training and information materials, and has created the Consent Form Wizard that will be demonstrated and tested during the workshop.
The second part of the workshop consisted of an introduction to data protection and the General Data Protection Regulation (GDPR) given by Walter Scholger (University of Graz / CLARIAH-AT / CLIC) and Pawel Kamocki (IDS Mannheim / CLARIN-D / CLIC). Following a short formal and legal introduction, Walter and Pawel highlighted some conceptual distinctions as well as basic concepts used in the GDPR.
After the introduction, Pawel and Walter entered into the details of the principles that apply to data processing as they are described in Article 5 of the GDPR. The first of these principles is Lawfulness and means that in order to comply with the GDPR, data processing has to have a legal basis (listed in Art. 6). The most commonly used in research are consent and legitimate interest or public interest.
Fairness and Transparency are other important data protection principles. They ensure that data has to be processed in good faith and that any information about processing data must be freely accessible and easy to understand.
Another principle is Purpose limitation which states that personal data can only be processed for a clearly defined purpose. There is an exception for research with appropriate safeguards here, because if it is for research and/or archiving processes, data that were legitimately collected for other purposes can be reused.
Data minimisation comes next, covering the idea that data collection and processing are limited to what is necessary for purposes for which data are processed.
According to the Accuracy principle (or data quality), if data are not accurate, the data subject needs to have the possibility to rectify the data.
Storage limitation is an important principle in the sense that personal data can only be stored for a limited period of time. However, in the context of research and archiving, with appropriate safeguards, personal data can be stored for a longer period of time, if the purpose (for example long-term archiving of historical records or accountability of research data) justifies it. Finally, Integrity and Confidentiality (or security requirements for data storing), as well as Accountability (record of data processing activities) were presented by Walter and Pawel to close this presentation of the data protection principles.
Pawel then highlighted the rights of data subjects in the GDPR, detailing which rights have to be safeguarded by the data controller and which exceptions could be considered for archiving, research and statistical purposes.
Finally, mandatory information to be provided to data subjects was summarised by Pawel and Walter to better explain the background of the Consent Wizard Form and before closing the first part of the workshop.
Information to be provided to data subjects - slide presented during the workshop
The discussion, organised in breakout rooms online and with one group of participants onsite before gathering again in plenary, was an opportunity to highlight the following topics.
Because consent definition and collection is a central part of the GDPR application for researchers, ELDAH developed a Consent Form Wizard based on the most common scenarios encountered by SSH researchers to support and ease the obtention of valid consent for data processing. Vanessa Hannesschläger (Austrian National Library / CLARIAH-AT / CLIC), who developed the tool together with Pawel Kamocki and Norbert Czirjak (OEAW) presented the tool to the participants.
DARIAH ELDAH Consent Form Wizard homepage - screenshot
While presenting the CWF, Vannessa highlighted the following important points.
After Vanessa’s presentation, participants were able to test the tool, in small groups, based on their own use-cases.
Thanks to the testing session of the Consent Wizard Form, a couple of bugs were identified, and some suggestions to improve the website were made. For example, participants suggested changing the ‘scientific research’ wording into ‘research’ to be more inclusive towards GLAM in-house researchers. In addition, the recurring question of how to legally locate global institutions like UNESCO was brought up, and because international organizations in the GDPR are treated like third countries, this option should be added to the CWF. Beyond these specific questions, the last plenary part of the workshop was also an opportunity to sum up the main take-aways and share feedback between both participants and presenters.
Written by Laure Barbot, with contributions from Edward Gray, Erzsébet Tóth-Czifra, Walter Scholger and Kristina Pahor de Maiti.