using personal data in research projects: legal aspects of data protection

Using personal data in research projects: Legal aspects of data protection

Diana Dimitrova,ICRI, KU Leuven

Diana.dimitrova@law.kuleuven.be

About eVACUATE

Aim: to address the needs of the safety of citizens during complex evacuation processes;

Ultimate goal: to identify, designate and sustain an Active Evacuation Route (AER);

Funding: FP7, Security call; Duration: 4 years, April 2013 – March 2017; Consortium: 19 partners; 4 Validation demos at the end.

Personal data processing in the EU: Legal Framework

Directive 95/46/EC:

Transposed in all 28 EU Member States => currently 28 national data protection laws;Provides some exceptions for research;Under review: Proposed General Data Protection Regulation, Art. 6(2) j Art. 83 new basis for processing data for research purposes + harmonization.

Research projects and personal data

Personal data: “Any information relating to an identified or identifiable natural person […] who can be identified, directly or indirectly […].” Art. 2 (a) Directive 95/46/EC

Personal data in eVACUATE: video images, location data, social networks, sensitive data (e.g. disability, health data).

What is data processing?

“Any operation or set of operations which is performed upon personal data, whether or not by automatic means […].” Art. 2 (b) Directive 95/46/EC

Requirements for data processing:

Definition of roles of partners for each separate operation: Controller – project partner who determines the means

and purposes of processing; Processor – partner who processes personal data on

behalf of controller; To exchange the data controller and processor(s) should

sign an agreement.

Requirements for data processing: Legality and controller obligations

For research projects the most likely ground is informed consent (Art. 7 (a)), which can be withdrawn;

Transparency: Privacy statements should be provided to volunteers;

Data security; Notifications.

Requirements for data processing: Principles