d5.1.6 second open call ethics review report v1.0

8/13/2019 D5.1.6 Second Open Call Ethics Review Report v1.0

1/24

This deliverable carries out a first Ethics Review Report of the 2nd Open Call experiments inthe EXPERIMEDIA project. The ethics review of the 2nd Open Call experiments wasconducted by the legal partner in the project KU Leuven, together with the Ethical

Advisory Board and the Data Protection Coordinator. This deliverable provides a summaryof the ethical and legal issues identified in the 2nd Open Call experiments, their ethicalassessment and the recommendations articulated for the specific experiments. Finally, the

deliverable includes an Appendix section listing the relevant material that provided guidanceto the project partners in EXPERIMEDIA and that was taken into consideration during theethical and legal assessment (e.g. the Ethical Guidelines for undertaking ICT research in FP7projects).

D5.1.6

Second Open Call Experiments Ethics Review

Report

2014-01-13

Aleksandra Kuczerawy (ICRI - KU Leuven)

Joyce Verhaert (ICRI - KU Leuven)

Prof. Peggy Valcke (ICRI - KU Leuven)

www.experimedia.eu


2/24

EXPERIMEDIA Dissemination level: PU

Copyright and other members of the EXPERIMEDIA consortium 2013-14 2

Project acronym EXPERIMEDIA

Full title Experiments in live social and networked media experiences

Grant agreement number 287966

Funding scheme Large-scale Integrating Project (IP) Work programme topic Objective ICT-2011.1.6 Future Internet Research and Experimentation

(FIRE)

Project start date 2011-10-01

Project duration 36 months

Activity 5 Legal, sustainability and promotion

Workpackage 5.1 Legal, ethical and regulatory framework

Deliverable lead organisation KU Leuven

Authors Aleksandra Kuczerawy (KU Leuven) Joyce Verhaert (KU Leuven)

Peggy Valcke (KU Leuven)

Reviewers Stephen C Phillips (IT Innov)Sandra Murg (JRS)

Version 1.0

Status Final

Dissemination level PU: PublicDue date 2013-10-31

Delivery date 2014-01-13


3/24



Table of Contents

1. Executive Summary ............................................................................................................................ 4

2. Introduction ........................................................................................................................................ 5

3. Ethical Assessment of the Experiments ......................................................................................... 7

3.1. SmartSkiGoggles ....................................................................................................................... 7

3.2. iCaCot ......................................................................................................................................... 9

3.3. Carviren .................................................................................................................................... 12

3.4. Qualisys ..................................................................................................................................... 14

3.5. PlayHist ..................................................................................................................................... 16

4. Conclusion ......................................................................................................................................... 18

Appendix A. Ethical Guidelines for undertaking ICT research in FP7 ...................................... 19

Appendix B. Legal requirements for privacy and data protection ............................................... 20

Appendix C. Checklist for the Experimenters ................................................................................ 23


4/24



1. Executive Summary

The presented deliverable provides a report of an ethical review of the 2nd Open Callexperiments, which was conducted by the legal partner in the project KU Leuven, together

with the Ethical Advisory Board and the Data Protection Coordinator. The deliverable providesa brief summary of the ethical and legal issues identified in the 2nd Open Call experiments. Thepresented experiments are thoroughly described in Deliverables D4.10.1 (SmartSkiGogglesExperiment problem statement and requirements), D4.11.1 (iCaCot Experiment problemstatement and requirements), D4.12.1 (Carviren Experiment problem statement andrequirements), D4.13.1 (Qualisys Experiment problem statement and requirements), and D4.14.1(PlayHist Experiment problem statement and requirements). The presented deliverable providesthe ethical assessment of the specific experiments and the recommendations issued by ICRI -KU Leuven, EAB and DPC. Finally, the deliverable includes an Appendix listing the relevantmaterial that provided guidance to the project partners in EXPERIMEDIA and that was takeninto consideration during the ethical and legal assessment (e.g. the Ethical Guidelines forundertaking ICT research in FP7 projects).


5/24



2. Introduction

EXPERIMEDIA conducts research with human participants and is, in particular, interested inhuman behaviour and experience with Future Internet technologies to understand how to

provide meaningful collective experiences to individuals and society.

Given that participants in social and networked media research should have confidence in theexperiments, good research is only possible if there is mutual respect and confidence betweenexperimenters and participants. Some areas of human experience and behaviour, however, maybe beyond the reach of experiments, observations or other forms of investigation. They may,moreover, raise ethical considerations, which is the reason why EXPERIMEDIA provides anethics management process.

Such ethics management process is achieved through a cooperation of all the technical partners

of the EXPERIMEDIA project, with the legal partner KU Leuven under the guidance of theEthical Advisory Board and the Data Protection Coordinator. The role of the Data ProtectionCoordinator is assumed by Prof. Jos Dumortier, a leading expert on privacy and data protection.

The Ethical Advisory Board (EAB) is composed of 5 external independent experts, who areasked to analyse the 2nd Open Call experiments concerning ethics and data protection. Theirrole is to review the experiment, propose modifications (if needed), identify potential risks and toprovide suggestions on how risks could be mitigated.

Members of the EAB include:

Name Affiliation

Mrs Marit Hansen Independent Centre for Privacy ProtectionSchleschwig-Holstein - ULD (Germany)

Dr Eleni Kosta TILT, Tilburg Unviversity for Law, Technology,and Society (The Netherlands)

Dr Jeanne-Pia Mifsud Bonnici University of Groningen (The Netherlands)

Mr Jean Louis Pierquin Ple MIPI (France)

Dr Olli Pitknen Helsinki Institute for Information Technology -

HIIT (Finland)

The presented deliverable is an effect of cooperation between the 2nd Open Call partners withthe legal partner (KU Leuven) and the Ethical Advisory Board and the Data ProtectionCoordinator. The cooperation started immediately after the 2nd Open Call partners joined theConsortium. During a training workshop in October 2013 these new partners attended a legaltutorial during which the relevance of legal and ethical compliance was explained, as well as therules and principles that should be followed. The discussions continued from there on via emailsand teleconferences during which the legal partner and the members of the EAB provided their

feedback and comments. The first draft of the experiments description tog ether with the ethicschecklist was delivered by the end of November 2013. These two documents were discussed in


6/24



the Ethical Advisory Board and data Protection Coordinator meeting on 3 December 2013. Thepresented deliverable is a result of the discussions held so far. These discussions, however, willcontinue until the end of the experimentation period.

The current deliverable provides a short and to-the-point presentation of the experiments'concepts, key values, identified issues, and recommendations articulated by EAB, DPC and ICRI- KU Leuven. The proper implementation of the recommendations will be monitored by ICRI -KU Leuven throughout the project lifetime.


7/24



3. Ethical Assessment of the Experiments

3.1. SmartSkiGoggles

Key information on the experiment:

The SmartSkiGoggles experiment takes place in Schladming resort, Austria.

The SmartSkiGoggles experiment is aimed at finding out whether ski goggles displaying data areaccepted by skiers, and under which circumstances. The experiment analyses how the usage ofsuch goggles influences behaviour on the slopes and which kind of information is requested bythe skiers.

Participants of the experiment are provided with the ski goggles and have to download anapplication (Android phones only). The usage of the application as well as the context (e.g. timeand location) is being tracked. This provides information on which functionalities are useful, andin what context they are used.

One of the tested functionalities concerns providing information about waiting for the ski lifts. This involves installing cameras (as well as other mechanisms) at the lift entry points.

Public tweets from Twitter will be obtained, with specific search terms (e.g. #schladming). Thesetweets are displayed in the ski goggles display. No information from the SNS account of the

users will be collected.Users are participating on the basis of their consent. Personal data (names, emails, location data)is collected and stored by the experimenter. This data is only relevant at the research phase(organizational purposes) and will not be required in the exploitation phase. At the exploitationphase similar data might be obtained for the goggles users, however this will constitute a new setof data, with regard to different group of individuals.

Notification and consent requirements:

Provide notification about cameras installed at the lifts entry points. Signs with the relevantinformation (purpose, contact point, more information, etc.) will be displayed in visibleplaces.

Users participating actively in the experiment (testing the goggles) provide their writtenconsent. Participants also have to give consent when downloading the app. The consentform will provide relevant info on the areas covered, purpose, responsible entity, contactpoint, how long the images are kept, etc.

Concerns and comments of the EAB and DPB:

Participation of minors : Minors are not participating in the experiment.


8/24



Data collection: Personal data, such as names and email addresses is collected solely fororganizational purposes. The main goal is to make sure that the goggles given to the users for theexperiment are returned. This data will not be used for other purposes. Location data is requiredto analyse the proposed functionalities, the time and context in which they are used.

Scale of recordings : The cameras are used solely to provide information about the waiting time forthe lifts. Cameras are employed next to other tools, such as real-time usage data from theturnstiles. The aim is to test the best method to provide this type of information. The images willbe deleted right after the analysis (counting heads). The images are stored for a minimum time(e.g. some minutes). The images are not analysed to recognise faces. Signs with the relevantinformation will be placed next to the cameras with the required information.

Downloading of the app: It is available for downloading to everyone, but an explicit consent isrequired. In the consent form they should be requested to confirm that they are at least 18. Thisconsent form, however, should not ask for the birth date.

Participating volunteers: The experimenter should try to pre-acquire participants. Those participants will have direct interface and will be fully informed about the experiment. It will be done withthe help of the local tourist office as well as Evolaris Living lab database.

Data storage: The collected data will be deleted after the experiment has ended and all necessaryanalytics for related dissemination activities (e.g. publications) are finished. Further research, ifnecessary, will be conducted on anonymized data.

Other purposes than scientific research: If such need occurs, it should be mentioned in the consentform. This would include also dissemination, valorisation purposes; as well as possible furtherprocessing by other controllers from within the consortium (in this case we might need 3controllers Evolaris, Schladming, IT Innovation). If such further research is required, use ofpersonal data from the experiments should be avoided. If this is not possible, a controller controller agreement is signed.

Exclusivity: This concerns all the experiments at Schladming, the reviewers pointed out that theyare aimed at users of an expensive ski resort who, moreover, need to have Android smartphones.

Image collection : Goggles do not work as camera, do not have a recording tool (e.g. to takepictures).

Disturbance: According to the initial tests users did not find the screen in the goggles distracting. There should be no disturbance while skiing.

Formal requirements:

Data controller: Evolaris, possibly together with Schladming (in later stage also ITInnovation or other partner of the consortium);

Notifications to the national DPAs of the controllers;

Notification to the Schladming users about the recordings that will be provided next tothe cameras, should include all the relevant information (see above);


9/24



Consent form for the users actively participating in the experiment (testing goggles) withall the relevant information;

Terms & Conditions of the service with the limitations; Specification of the purpose, most likely broader than just scientific research, should

cover as well dissemination, valorisation but possibly also further research on FMIrequirements;

Cameras should be visible and accompanied by the relevant information; Clear policy on participation of minors: minors not allowed; Point of contact on the site should be communicated to the participants in case of

questions/ concerns/ objections; Points of contact at the later stage should be indicated in the information provided

(Evolaris but possibly also Schladming); Language of the communication: English and German.

3.2. iCaCot


The iCaCot experiment takes place at two locations at a specific region in Schladming resort, Austria. In the first experimental run and the 1st part of the second experimental run, thelocation is a dedicated training area on the Reiteralm. In the 2nd part of the second experimental

run, the location is the Planai Funpark. The iCaCot experiment consists of placing a set of cameras around a certain area on the skislopes, and by providing innovative technology that allows users to use their smartphones to panand zoom within the footage recorded by these cameras. Users can see and record their own skiadventures without having to hold a camera themselves. By placing these cameras at strategiclocations such tools can even be used for training and coaching purposes.

Recorded camera footage is processed to make it suitable for streaming to smartphone devices.Users have to actively download an application on their smartphone (iPhone only) that allows

them to access the camera footage. U sers dont have to log in to use the application, and nopersonal data is collected from the devices. Users are given a possibility to upload the videos with their performance to YouTube or Social Networking Sites such as Facebook. No personaldata from the SNS is collected. Unique identifier is attributed to a device.

Users are participating on the basis of their consent. Personal data (recorded images) is collectedand stored by the experimenter.


Provide notification that recordings will be taking place on a particular date. The images will be captured in a setting where users are normally expected to be captured (e.g. for


10/24



security reasons). This information will be announced and addressed in the locationitself. Also, information will be provided when purchasing tickets (additional sheet withrelevant info on the areas covered, purpose, responsible entity, contact point, how longthe images are kept, etc.);

For download and active use of application explicit consent is required. Participants haveto give consent when downloading the app otherwise it will not work. Consent form willprovide relevant info on the areas covered, purpose, responsible entity, contact point,how long the images are kept, etc.


Participation of minors: Participation of minors is allowed but subject to the written consent of theirparents/ guardians. All the necessary information is provided to the parents/ guardians. Fromthe age of 13, consent is given by both parents/ guardians and the minor.

Scale of recordings: Everyone entering the area is recorded. Users of the slopes are informed aboutit. It is suggested that area selected for the experiment should be removed from the main tracks

which would eliminate random users. Moreover, those who do not wish to be recorded shouldbe able to enjoy the facilities without too great inconvenience as they could just avoid the area.Recording individuals who did not provide their explicit consent is acceptable, when they are inthe background, and not in the focus of the recordings. This allows for enabling social andsharing functions, as foreseen in the 2nd half of the second experiment period.

Downloading of the app: In the first and 1st half of the second experiment run, the installation onparticipant's devices, e.g. those of the trainers, will be explicitly performed and monitored. In the2nd half of the second experimental run, the application is available for everyone for download,but they will have to provide explicit consent. In the consent form they should be requested toconfirm that they are at least 18 or that they have a permission of their parents/ guardians. Thisconsent form, however, should not ask for the birth date. No other interference than as usualapp download.

Participating volunteers: The experimenter should try to pre-acquire participants. Those participants will have direct interface and will be fully informed about the experiment.

Further publishing of the recordings: This possibility is not restricted to the individuals own image. There is no such technical restriction, no barriers to publish. For this reason participants (whodownload the app) should be informed in Terms & Conditions that they shouldnt be uploading content which does not concern them as the main actor. Users responsibility and possibleliability for such publications should be indicated. Sharing or publishing content concerningother individuals requires authorisation of the individuals in questions. Participants should beinformed that they should only share/publish images of themselves. Incidental presence ofothers (e.g. in the background) would not consider great interference but the main subject shouldbe the consenting individual.

Data storage: Data will be kept until the end of the experiment. This excludes content that wasspecifically shot for dissemination purposes, with friendly users or participants that have given


11/24



their consent for such usage a priori. The content which is published on YouTube or socialnetworks is out of control of the experimenters. Videos might be kept for longer to show atdemonstrations, used for valorisation and dissemination. Such dissemination will not havecommercial purposes, it will be limited to closed events (industry, scientific). Participants need tobe informed about this as well (not in a small font).

Possibility to block certain content: In case of drastic or embarrassing content (skiing accident) or when someone complains that their image is processed and objects such use.

Other purposes than scientific research: If such need occurs, it should be mentioned in the consentform. This would include also dissemination, valorisation purposes; as well as possible furtherprocessing by other controllers from within the consortium (in this case we might need 3controllers TNO, Schladming, IT Innovation). If such further research is required, use ofpersonal data from the experiments should be avoided. If this is not possible, controller controller agreement is signed.

Exclusivity: this concerns all the experiments at Schladming, the reviewers pointed out that theyare aimed at users of an expensive ski resort who, moreover, need to have iPhones.


Data controller: TNO, possibly together with Schladming (in later stage also ITInnovation or other partner of the consortium);

Notifications to the national DPAs of the controllers; Notification to the Schladming users about the recordings that will be provided with the

ticket, should include all the relevant information (see above); Notification for the parents/ guardians of the participating minors; Consent form for the app with all the relevant information; Terms & Conditions of the service with the limitations to inform the users e.g. about

their responsibility not to infringe others rights; Specification of the purpose, most likely broader than just scientific research, should


Areas where experiment will be conducted shall be selected in a way that individuals whodo not want to be recorded could still use the facilities;

Areas should be clearly indicated so no mistakes or incidental entries are made; Clear policy on participation of minors: not allowed unless consent by parent/ guardian

given; Point of contact on the site should be communicated to the participants in case of


(TNO but possibly also Schladming); Language of the communication: English and German.


12/24



3.3. Carviren


The Carviren experiment takes place in CAR, Sant Cugat, Spain.

The goal of Carviren (CAR Virtual Network) is to allow remote, real-time and consultationmode in sports training to improve the process through the Rapid Feedback.

Athletes representing three disciplines (Swimming, Gymnastics and Taekwondo), coaches andtechnical staff from CAR participate to improve the performance and the training process. Inorder to achieve this, Realtrack Systems (RTS) will process physical data (acceleration, speed,power, impacts, force, etc.) and two physiological types of data: Heart Rate and Blood Oxygenduring the training. The experiment starts with the mock-up data, only in the second stage realdata is used.

No data from any Social Networks is obtained. A control and private social networking site willbe created (using the SCC module or another one that will be designed) and used only by actorsof CARVIREN Experiment to test the potential it could have. In this particular case, user stats,not personal data, will be monitored. Another possibility is to create a private group onFacebook. This option will be analyzed further if such need occurs. In particular, the use ofexisting profiles and personal data from thereof will have to be examined.

Users are participating on the basis of their consent. Some of the processed data can includesensitive personal data (health data) therefore the consent is written.


Athletes provide their consent to CAR, who organizes the experiment and acts as datacontroller. RTS acts as data processor. Controller-processor contract is signed betweenCAR and RTS. Consent form contains information on the purpose of the experiment,data that is processed, responsible entity, contact point, etc.


Participation of minors : Most of the athletes at CAR are minors. Their consent, as well as consent oftheir parents, to train in CAR, to have their data (also sensitive data) processed and to participatein specific EXPERIMEDIA experiments is handled by CAR and its legal department as part ofits ordinary operation protocol.

Data collection: Real identity of the participants, as well as email addresses, need to be revealed toprovide meaningful feedback to the athletes and coaches. Other types of data include physicaldata (acceleration, speed, power, impacts, force, etc.) and two physiological types of data: HeartRate and Blood Oxygen. The latter ones are considered to be sensitive data (health data) in this

context.


13/24



Access to data : Part of the experiment is to assign roles to the participants (e.g. athletes, coaches,and technical staff) and define their access permissions based on the role. Members of one group(role) will be able to view only specified content, e.g. coaches can see performance of the athletesin their discipline, athletes can view their own performance only (or of their team, depending onthe nature of the discipline, e.g. in synchronized swimming they need to see the whole routineand not solely one swimmer). It should be clarified to the participants who can see their videos.Moreover, participants are asked not to share information with people outside the experiment or

with different roles (Non-disclosure agreements are signed). The role of parents, in case ofminors, could be also considered.

In case of private group on Facebook: Access will be restricted. Also, no videos or otherpersonal data (in particular no sensitive data) will be uploaded to Facebook. Only links to the

videos, if necessary.

Data analysis: The software developed by RTS solely analyses the raw data. This data will not beinterpreted by RTS. Especially, no medical analysis of the health state of the participants isperformed. Such interpretation will be left to professionals (coaches, technical staff).

Data storage: Data is stored at CAR. It is accessed by RTS throughout the experiment lifetime. After the end of the experiment it is kept by CAR as it might be relevant for coaches to consultthis data in future to continue improving the training and the performance of the athletes. Thisdata storage is reflected in the CAR consent form.

Other purposes than scientific research: If such need occurs, it should be mentioned in the consentform. This would include dissemination, and valorisation purposes; as well as possible furtherprocessing by other controllers from within the consortium (in this case we might need 2controllers CAR, IT Innovation). If such further research is required, use of personal datafrom the experiments should be avoided. If this is not possible, controller controller agreementis signed.

Exclusivity: the experiment is aimed at a very special group professional athletes. Theexperiment, at the current stage, is not aimed at recreational sport performance.


Data controller: CAR; RTS acts as data processor, controller-processor contract is signed between CAR and

RTS; Experiment is covered by the CARs notification to the Catalan DPA; Consent form for the athletes with all the relevant information; Terms & Conditions of the service (CARVIREN network) with the limitations to inform

the users e.g. about their responsib ility not to infringe others rights; Specification of the purpose, most likely broader than just scientific research, should



14/24



Point of contact on the site is communicated to the participants in case of questions/concerns/ objections;

Points of contact at the later stage should be indicated in the information provided (CARbut possibly also RTS);

Language of the communication: English and Spanish.

3.4. Qualisys


The Qualisys experiment takes place in CAR, Sant Cugat, Spain.

The 3DRSA (3D Remote Sport Health Analysis) experiment intents to provide biomechanicalservices outside the common laboratory environment by screening athletes on the training sites.

Data stored are 3D motion capture data, including video. Additionally, anthropometric data(height, weight) of each athlete as well as test relevant clinical data is stored. Motion data ofspecialised clinical test is screened to determine biomechanical risk factors for the athlete (withparticular focus on knee lesions). The content of the data is scientifically evaluated in order toestablish biomechanical models used in screening methods.

No data from any Social Networks is obtained.

Users are participating on the basis of their consent. Some of the processed data can include

sensitive personal data (health data) therefore the consent is written.


Athletes provide their consent to CAR, who organizes the experiment and acts as datacontroller. Qualisys acts as data processor. Controller-processor contract is signedbetween CAR, Qualisys and Qualisys scientific consultant (Bertram M ller) whoconducts the experiment at the CAR premises. Controller processor contract containsconfidentiality clause. Consent form contains information on the purpose of theexperiment, data that is processed, responsible entity, contact point, etc.


Participation of minors: Most of the athletes at CAR are minors. Their consent, as well as consent oftheir parents, to train at CAR, to have their data (also sensitive data) processed and to participatein specific EXPERIMEDIA experiments is handled by CAR and its legal department as part ofits ordinary operation protocol.

Data collection: Real identity of the participants, as well as email addresses, need to be revealed toprovide meaningful feedback to the athletes and coaches. Other types of data include 3D motion

capture data, and video, anthropometric data of each athlete as well as test relevant clinical data. The latter ones are considered to be sensitive data (health data) in this context.


15/24



Access to data: Different groups of participants (e.g. athletes, coaches, technical staff,biomechanical service) obtain access permissions depending on their role. Members of onegroup will be able to view only specified content: CAR Technical Staff - full control over all data;CAR Biomechanical Service - clinical data of athletes participating in the experiment; Qualisys -clinical data of athletes participating in the experiment; Coaches - only to their athletics data;

Athletes - only to their own data.

It should be clarified to the participants who can see their videos.

Data storage : Data is stored at CAR. As CAR is a Sports performance centre, data will be used forfuture analysis for improving general training aspects. Therefore data will be stored for furtheruse, if not explicitly expressed by individuals.

Data processed by Qualisys (Bertram Mller) is subject to individual and additional agreement ofeach athlete. It will be used for scientific analysis and will be deleted or rendered anonymous

when the purpose of the experiment is achieved.

The data storage is reflected in the CAR consent form. Transmission from CAR to Qualisys ishighly encrypted.

Consequences of the risk assessment for the athlete: What is the consequence if an athlete is told thatthere is a risk or no risk of lesion? Since the assessment is conducted outside of the performanceseason there is no direct impact on competition. The final decision is always made by the coachand the athlete. The 3DRSA experiment only provides additional information.

Other purposes than scientific research: If such need occurs, it should be mentioned in the consentform. This would include dissemination, and valorisation purposes; as well as possible furtherprocessing by other controllers from within the consortium (in this case we might need 2controllers CAR, IT Innovation). If such further research is required, use of personal datafrom the experiments should be avoided. If this is not possible, controller controller agreementis signed. Additional choice will be given to the participants for using the data in a scientificcontext and for dissemination of the methodologies developed. This will be separate and notinfluence any other participation.

Exclusivity: the experiment is aimed at a very special group professional athletes. Theexperiment, at the current stage, is not aimed at recreational sport performance but such use

would be possible in the future.


Data controller: CAR; Qualisys acts as data processor, controller-processor contract is signed between CAR,

Qualisys and Qualisys scientific consultant (Bertram Mller) who conducts theexperiment at the CAR premises;

Experiment is covered by the CARs notification to the Catalan DPA; Consent form for the athletes with all the relevant information;


16/24



Specification of the purpose, most likely broader than just scientific research, shouldcover as well dissemination, valorisation but possibly also further research on FMIrequirements;

Point of contact on the site is communicated to the participants in case of questions/

concerns/ objections; Points of contact at the later stage should be indicated in the information provided(CAR, Bertram Mller, Qualisys);

Language of the communication: English and Spanish.

3.5. PlayHist


The PlayHist experiment takes place in FHW, Athens, Greece.

The aim of the PlayHist experiment is to analyse the use of gamification technology with 3Davatars for history learning. This will be done by developing a 3D interactive and collaborativegame that will take advantage of the documentation, exhibitions and 3D content alreadydeveloped at the FHW and the technological features provided by the EXPERIMEDIA facilityas the 3DCC module for avatar creation.

The purpose is to compare the effects of using gamification provided by the PLAYHISTexperiment with respect to the facilities currently available at the museum. In order to achievethis during the experiment participants will be assigned to two different groups:

One group of visitors will attend the venue in the traditional way, i.e. playing with the interactivefilm already available at the venue. Another group of visitors will play a 3D game, which plot willbe aligned to one of the interactive movies already exhibited at the venue. The users in thesecond group will be given tablets that are required to play the game. They will be able to createtheir own avatars by taking their own picture with the tablet.

At the end participants from the both groups fill in a questionnaire. The questionnaire isanonymous.

No connection to Social Networks is foreseen.

Users are participating on the basis of their consent. Personal data (names, pictures) is collectedfrom the second group by the experimenter. Pictures used for creating avatars will be deletedafter the game is finished. Names are collected solely for organizational purposes (return of thedevices).



17/24



Provide notification to all the participants in the experiment (both groups) about itspurpose, responsible entity, contact point, etc.

Users from the second group of the experiment (using tablets) provide their writtenconsent. Consent form will provide relevant info on the purpose, responsible entity,contact point, how long the images are kept, etc.


Participation of minors: Minors are not participating in the experiment.

Data collection: Personal data, such as names is collected solely for organizational purposes. Themain goal is to make sure that the tablets given to the users for the experiment are returned. Thisdata will not be required for other purposes. The consent form, signed by the participants, canbe returned to them after they have returned the tablet.

Pictures are collected solely to personalize the avatars of the second group of the participants,they are not kept after the participants finish playing the game. The images will be erasedimmediately. This can be done automatically, when the game is finished, or the participants couldbe asked to delete the images themselves.

Data storage: The collected personal data will be deleted after the game has finished. Furtherresearch will be conducted on the basis of anonymous data.

Other purposes than scientific research : personal data of the participants is destroyed immediately afterthey finish the game. This means that any further research, either by Tecnalia or otherconsortium partners, will not involve personal data. There are, hence, no restrictions.


Data controller: Tecnalia, possibly together with FHW; Notifications to the national DPAs of the controllers; Notification to all the participants (both groups) should include all the relevant

information (see above); Consent form for the participants from the second group of the experiment (testing

tablets) with all the relevant information; Clear policy on participation of minors: minors not allowed; Point of contact on the site should be communicated to the participants in case of


(Tecnalia but possibly also FHW); Language of the communication: English and Greek.


18/24



4. Conclusion

It can be concluded that, in the 2nd Open Call, the EXPERIMEDIA project is on the right trackto ensure the ethical and legal compliance of the five new experiments. This is achieved through

cooperation between all the technical partners of the project with the legal partner from KULeuven. The management of this process is additionally enhanced by the guidance offered to theproject partners by the Ethical Advisory Board and the Data Protection Coordinator, whichkeeps a close eye on the progress within the project.

During the first year of the project the EAB and DPC expressed several concerns about possibleethical and data protection issues related to the experiments. They included, for example, socialinclusion, participation of children, as well as unaware individuals, indispensability of personaldata processing to conduct experiments, specification of the purpose of the processing ofpersonal data (if involved), informing the users about the relevant aspects of the experiment, andobtaining their consent in an informed and unambiguous way. These concerns were taken intoaccount in the further stage of the project, particularly in the preparation of the 2nd Open Call.For example, the ethical checklist (Appendix C) which was prepared during the previous EAB/DPC meeting was filled in by the candidates for the 2nd Open Call before their final selection.Moreover, attention to legal and ethical issues was strongly emphasized since the beginning ofthe 2nd Open Call, for example through a legal tutorial during a training workshop. This led tohigher awareness of the new partners and allowed them to better prepare the experiments byimplementing certain principles from the start.

According to the members of the EAB, the descriptions of the experiments that were deliveredto them together with the ethical checklists showed that the experimenters are well aware of therelevant ethical and legal issues. It was also noticed that they present a responsible approach andare willing to accommodate the rights of the participating individuals. It was considered veryhelpful that there are meetings organized during which the project partners and the EAB/ DPCcan discuss any aspects of the experiments that might still be unclear. The assistance offered tothem resulted in a great level of compliance with the ethical principles and applicable laws.


19/24



Appendix A. Ethical Guidelines for undertaking ICTresearch in FP7

The present guidelines are derived from the Ethical Guidelines for undertaking ICTresearch in FP7. 1

1) Are the researchers taking a responsible approach? As the Ethical Guidelines point outin Paragraph 2.1, researchers need to be aware of the principles of the Charter ofFundamental Rights of the European Union 2 and especially the principles of dignity,freedom, equality, solidarity, citizens rights and justice.

2) Are issues of individuals privacy and autonomy taken care of? The Ethical Guidelinesare clear that ICT research must comply with Article 8 of the European Human RightsConvention3. To be able to done so researchers need to:

a) Identify sensitive implications of their proposals for privacy and autonomy;b) Carry out a prior assessment of risks to privacy and autonomy the research may

expose individuals to;c) Identify potential actions proportionate to the risk/harm;d) Recognise that volunteers have a right to remain anonymous;e) Comply where applicable with national Data Protection legislation;f) Ask for informed consent from volunteers after informing the volunteers of the

purpose, procedures and outcomes of the research and advising them of thepossibility to withdraw/or modify participation;

g) Identify whether the volunteers are in situations where they are more vulnerable thanin normal situations;

h) Ensure that research outcomes are reported in a way that does not contravene theright to privacy and data protection;

i) Evaluate the implications (for personal privacy) of the intended use of the researchoutcomes.

3) Are there particularly sensitive areas that need further consideration? Paragraph 3.1 ofthe Ethical Guidelines identifies particular ICT applications that require specificguidance. These include: ICT implants and wearable computing; eHealth and genetics;and ICT and Bio/Nano-electronics.

1 Ethical Guidelines for undertaking ICT research in FP7, ftp://ftp.cordis.europa.eu/pub/fp7/docs/guidelines-annex5ict.pdf . 2 European Union (2000). Charter of Fundamental Rights of the European Union. OJ (2000) C 364/1.3 Council of Europe (1950). Convention for the Protection of Human Rights and Fundamental Freedoms, CETSNo. 005, 04 November 1950.
ftp://ftp.cordis.europa.eu/pub/fp7/docs/guidelines-annex5ict.pdfftp://ftp.cordis.europa.eu/pub/fp7/docs/guidelines-annex5ict.pdfftp://ftp.cordis.europa.eu/pub/fp7/docs/guidelines-annex5ict.pdfftp://ftp.cordis.europa.eu/pub/fp7/docs/guidelines-annex5ict.pdfftp://ftp.cordis.europa.eu/pub/fp7/docs/guidelines-annex5ict.pdfftp://ftp.cordis.europa.eu/pub/fp7/docs/guidelines-annex5ict.pdf


20/24



Appendix B. Legal requirements for privacy and dataprotection

Basic data protection requirements: Actors identified as data controllers must be aware of the precise definitions of national

data protection legislation applicable to the processing under their control. Collaboration with the competent national Data Protection Authority will ensure a correctunderstanding of the specific national implementation of the definitions of the applicablenotions.

The data subjects free, informed, specific and unambiguous consent must be obtainedfor legitimate processing of personal data. While such consent is only one of the possiblejustification grounds for legitimate personal data processing, it will in most cases be the

only viable justification ground for personal data processing with relation to theEXPERIMEDIA experiments. (Further on consent, see infra).

Fair and lawful processing of personal data must demonstrate legality or transparency. The purposes of the processing of personal data must be clearly indicated in advance. The processing of personal data may only include relevant and non-excessive data, in

relation to the specified purposes. Data must be collected for a specified, explicit andlegitimate purpose and may not be further processed in a way incompatible with thosepurposes. Duration of data storage must be limited and stored data must be destructedonce the purpose for which that data was collected has been attained.

Data minimization can also be achieved by employing methods for anonymisation orpseudonymisation of personal data. Here, data unlinkability should be kept in mind aslinkability could lead to the identification of a particular data subject.

The data controller must ensure sufficient information to the data subject. The data controller must ensure that the data subject can fully enforce his right of access,

his right to correction and his right to object. The data controller must ensure confidentiality and security of the processing of personal

data under his control. Due notification must be made to the competent national Data Protection Authority (or

Authorities), in compliance with national legislation. Data transfers to third States must comply with applicable legislation.

Consent requirements:

Carefully drafted privacy policies and consent forms must ensure compliance to therequirement of consent and the right to information. Note that such privacy policies andconsent forms must be compliant with national data protection legislation. For instance,certain jurisdictions require written consent, while others allow for implicit consent inmany cases.

User-friendliness should be the focal point in obtaining the data subjects consent. Whileunintelligible texts may lead to the data subject not reading a privacy policy or consent


21/24



form, elaborate procedures to grant consent may result in the data subject refrainingfrom using such service, thus damaging the business of the data controller. A balancebetween the interests of both parties should therefore be struck.

When dealing with minors, elderly and/or persons with a mental illness, the data

controller is advised to seek consent from both the data subject and its statutory or legalguardians. The general legal capacity of the data subject determines its capacity toconsent.

Informed consent must be given freely. In order to determine whether the data subj ectsconsent was given freely, one must analyse the external pressure exercised on hisdecision. Positive persuasion cannot invalidate his freely given consent, while negativecoercion will invalidate his consent as it could not have been given freely.

Consent should be limited in time and should be renewed for continuously on-goingprocessing of personal data. Consent should also be revocable.

Confidentiality and security:

In the processing of personal data, the data controller must restrict access to thispersonal data to the persons that need such access for the processing they perform underhis authority. Such access need to comply with the proportionality principle, meaningthat no user may be awarded access to more data than strictly required for his processingtasks.

In order to achieve proportional access control, the data controller must provide fordifferentiated access levels for different user groups in order to ensure proportionality.

This must be combined with an access procedure that includes registration,identification, authentication and authorization.

In the processing of personal data, the data controller must adopt appropriate and stateof the art technical and organizational measures to ensure data security. Also theprocessor must be bound to such security policy.

Such security policy should include, inter alia, actions to be taken in case of data breach,the use of cryptography to protect data and audit trails to log and trace data access anduse. These security policies should also take into account user-friendliness and shouldrequire minimal user effort. When using audit trails, the data controller must define thepurposes and scope of this logging and make transparent who can access these logs as

audit trails constitute personal data processing. While previous requirements only apply in the context of the processing of personal data,

adherence thereto in other cases of security and access management is stronglyrecommended as they provide valuable minimal requirements.

Regardless of the technology used, the data subject should be made fully aware of thepresence of the technology and of its activities and of the possibility for deactivation.

As geolocation data must be viewed as personal data, the processing thereof mustcomply with the principles of the Data Protection Directive and its nationalimplementations.


22/24



Prior informed consent must be obtained for the processing of geolocation data, as this will mostly be the only viable justification ground for the processing of this data. Thisconsent must be revocable and must be regularly renewed.

Geolocation services should be switched off by default. The user should be made aware

of active geolocation services. The user should also be given the option to choose thegranularity of his consent. The user should also be given the option to opt-out fromdatabases containing Wi-Fi access points.


23/24



Appendix C. Checklist for the Experimenters

Checklist for general ethical issues:

It must be specified what the key values are behind the service/application; It must be specified what the conditions are for participating;

It must be specified where the data will be located; It must be specified what the content is of the processing of data; It must be specified what the purpose is of the processing of the data; It must be specified what the data lifetime is; It must also be specified how the informed consent is obtained; It must be specified whether the consent must be written or not, whether a pop-up

screen type is considered to be good enough;

It must be specified who the participants of the experiments are.

Checklist for location data issues:

It must be specified whether or not it is necessary to store the personal data; It must be specified when the data should be stored; It must be specified whether the user have any choice; It must be specified if the consent can be withdrawn; It must be specified whether or not the data will be erased; It must be specified whether it is possible for the user to opt-out for one day, or it must

be stated that such an opt -out is a permanent yes or no choice. In the former case, itmust be reviewed how long you can keep the information when the server is switchedoff;

It must be specified whether a user can use a pseudonym which changes every day; It must be specified who has access to the data, whether if it is only the administrators or

also other persons, e.g. the stalkers-case; It must be specified if there is an admin log for every data file. It must also be specified

who can change these log files, who can access them and who can delete them; It must be specified for how long the log data are stored; It must be specified if the administrator can manipulate them.

Checklist for profiling issues:

It must be specified whether if it is possible to connect the data from different locations; It must be specified what about the use of the data for profiling: is location data used to

reach other inferences: e.g. is the person rich? Does he live nearby? It must be specified if the processing of the data is only for improvement of content or

also for tracking characteristics/traits of persons;

It must be specified if the service needs to know the real identity of the users or can theyuse nicknames;


24/24


It must be specified to which other data sets the feedback of the users will be linked to. This consideration was made since the linking of the users feedback on differentinformation feeds can be useful to learn whether it is always the same user.

It is necessary to log who accessed the ECC. It must be clear who can access what data,

alter that data or delete it.Checklist for tracking issues:

It must be specified whether the user will be followed between two usages of the serviceor not. This question is asked since in case of tracking stricter requirements will apply. Itmust therefore be carefully reconsidered whether such tracking is really necessary;

Location should only be stored when the user asks for information about a location not otherwise, e.g. not while being on the move in between the locations about whichinformation is asked.

Checklist for consent issues:

If consent is given for participating in the experiment with a mobile application, it mustbe specified what happens when the mobile phone is given to someone else;

It must be specified whether the user must be reminded of his given consent every day. WP29 recommends to remind the user about it once every month (but this has to bechecked with the Austrian, Spanish and Greek law);

The practical implementation of giving consent: it is not necessary to have the real nameof the user since the email address can be used to offer a user channel to exercise the

users rights; Potentially there can be two user groups: a group with and one group without anaccount. Inform user during app installation about the informed consent. It is importantto list the assumptions/limitations of risks of the project.

Checklist for anonymisation issues:

Some data cannot (automatically) be anonymised (e.g. textual feedback which refers tonames, photos and videos where applicable);

It must be specified where the data will be kept, whether it is in one territorial location or

more. In this matter it must also be reviewed if there is a cross-border exchange.

d5.1.6 second open call ethics review report v1.0

Documents