Post on 05-Aug-2020

UKZN INSPIRING GREATNESS

Data Privacy in Online Education and Research

Dusty-Lee Donnelly: lecturer and PhD candidate UKZN

Cambridge Analytica

• The personal data from 87 million Facebook users

Cambridge Analytica

• Germinated in University research exploring how people use emojis to convey emotion (Frenkel 2018)

Cambridge Analytica

• Collected more personal information than was necessary
– Facebook’s OpenGraph platform allowed third party apps to collect vast amounts of personal data, and the personal data of friends

So what?

• Right to Privacy: Constitution s14
• Closely linked to dignity & autonomy
• Subject to justifiable limitations
– other rights and
– important interests, including the free flow of information POPIA s2
• Heightened privacy risk handling sensitive information, profiling, automated decision making, big-data analytics & AI

Presentation Notes
Sensitive information: “special” PI in the Act, and children. Processing types: complex, potentially invasive, & vulnerable to misuse (deliberate or through undetected algorithmic bias).

Reasonable Expectation

[Chart: Person A and Person B compared across items 1 to 5, scale 0 to 35]

Bernstein v Bester – privacy cannot be defined in the abstract

Research Ethics

• The choice of a research topic and the conduct of research in accordance with University policy is the responsibility of the individual researcher.

• Ethics Policy & Research Code of Conduct
– Intellectual Property Policy
– Contracts and Grants Policy
– Other professional codes may apply

UKZN Research Ethics Policy s5.4.1

Research Ethics

• Underpinned by informed consent
• In no way do the requirements for data availability override the right to confidentiality and privacy of individuals or organisations who are the subjects of research. Ethics Policy appendix B item 3.3.6.3

Presentation Notes
Underpinned by informed consent

Legal Framework

• Protection of Personal Information Act 4 of 2013 (POPIA)

• Operative 1 July 2020
• 1 year grace period

Legal Framework

• COE Convention
• OECD Guidelines
• AU CCCDP
• US: COPPA & CCPA
• EU: GDPR
• South Africa: POPIA

Broadly similar set of data protection principles

Presentation Notes
May overlap, but differ in detail and enforcement. Complexity of complying with multiple legal and regulatory instruments. GDPR: but national data protection laws in each EU member country can derogate in some respects. Check both & ethics policy & code of conduct of institution & funder. GDPR will apply to any project (in South Africa) that is collecting PI of an EU resident. EU funder may require GDPR compliance. US: even more complex. No omnibus federal privacy statute regulating private collection of PI. The Children's Online Privacy Protection Act of 1998, 15 U.S.C. §§ 6501–6506, is a federal law, but defines a child as under 13 (in SA a child is under 18; under GDPR under 16, but member states can stipulate a lower age not below 13). In the US there are a number of sectoral laws, such as HIPAA (health) and FERPA (educational records). State laws also apply. California has CalOPPA and recently enacted the California Consumer Privacy Act (CCPA).

Personal Information

• information relating to an identifiable, living, natural person or
• where applicable, existing juristic person
• [‘data subject’]

Examples of PI

• Race, gender, sex, pregnancy, marital status, national/ethnic/social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language, birth
• Biometrics
• Location data (GPS, Wifi, photo geotag)
• Address, email, tel, online identifier
• Identifying numbers or name

Presentation Notes
Biometrics: blood, fingerprint, DNA, retinal scanning, voice. Online identifier: not defined. “Other particular assigned to person”. Also not a closed list. Thus likely includes (and GDPR, COPPA & CCPA apply to) e.g. IP address, persistent device identifiers and smart meters or other IoT.

Key Actors

• ‘responsible party’ is the person ‘alone, or jointly with others determines the purpose or means of processing’

• ‘operator’ is any person processing data on behalf of the responsible party in terms of a contract

• ‘data subject’ is the person to whom the information relates – may be different to the research participant!

Scope of Legislation

• ‘data processing’ includes any collection, use or sharing of personal information
• Not only automatic processing
• Adequacy guarantees for transborder data flows ch9

Conditions for Lawful Processing

• Accountability
• Processing Limitation (minimality & consent)
• Purpose specification
• Further processing limitation
• Information Quality
• Openness
• Security safeguards
• Data subject participation
POPIA part A

Data Subject Rights

• The right to have data lawfully processed in accordance with the 8 conditions s5

• Notice of collection s18

• Request access to records s23

• Request correction or deletion s24

• Notice of security compromise s22

Presentation Notes
POPIA s22(1) reasonable grounds to believe PI has been acquired by any unauthorised person – RP must notify Regulator and data subjects as soon as reasonably possible after the discovery (unless the data subjects cannot be identified)

Basis for Lawful Processing

• Consent
• Contract
• Legal Obligation
• Interest of Data Subject
• Public Duty
• Legitimate Interest

Source: POPIA s11. Adapted from Leicester University Guidance Note

Failure to Comply

– Information Regulator has wide powers s40

– Imprisonment up to 10 years s107

– Fine up to R10 million s109

KEY MESSAGE

• There is no blanket exclusion for research
• There are relaxations around data retention, notice, and further processing
• Exceptions will be narrowly interpreted

Retention of records

• Personal Information – not to be retained longer than necessary for the purpose

• Can be retained longer for historical, statistical or research purposes

• With appropriate safeguards against use for any other purpose s14(2)

Further Processing

• Permitted if compatible with original specified purpose, incl.
• deliberately made public OR
• used solely for historical, statistical or research purposes and
• not published in identifiable form
s15(3)(b)&(e)

• Best practice to notify participants

Example

• A university research department conducts an experiment analysing changes of mood on 50 subjects, who consent for this particular project, & this specific use of the data by the university.

• Later discover this data is useful for another project focused on mental health, under the coordination of another team.

Presentation Notes
Purposes are compatible – additional consent is not required. GDPR rec 50: is there a link between the purposes, what are the consequences for the data subject, would they reasonably expect this use? Are there appropriate safeguards? European Commission Ethics & Data Protection at 11: “The university informed the subjects and asked for new consent, following its research ethics code and the principle of fair processing”

Notice of data collection

• Unnecessary if the information is for research & will not be published in identifiable form s18(4)(f)

• This does not override institutional ethics review, and the principle of obtaining informed consent!

Special Precautions

– Religion or philosophical beliefs
– Race or ethnic origins
– Trade Union affiliation or political persuasion
– Health or sex life or biometric information
– Criminal behaviour (alleged offence or related proceedings)
– Children
POPIA Part B & C

Presentation Notes
Special Personal Information – part B of POPIA. Children – part C of POPIA.

Special Precautions cont.

• Consent of data subject/parent
• Limited exception for research
– in the public interest or
– impossible/requires disproportionate effort to obtain consent AND
– Sufficient privacy guarantees
• Also permitted if data deliberately made public by data subject POPIA ss27-33 and 35(1)(d)&(e)

Presentation Notes
European Commission at 13: “The fact that some data are publicly available does not mean that there are no limits to their use. [If you crawl websites or scrape social media platforms] to create new records or files/profiles, you are processing personal data. … [If you do not] seek the data subjects’ explicit consent to the use of their data, … you must assess whether those persons actually intended to make their information public (e.g. in the light of the privacy settings or limited audience to which the data were made available). … [i.e.] they no longer have any reasonable expectation of privacy. You must also ensure that your intended use of the data complies with any terms and conditions published by the data controller.”

High Level Guidance

• Informed consent is the gold standard of ethical research

• Impossibility / disproportionate effort typically arises only if not collected directly from data subject. GDPR art 13 –vs- art 14

• Documented balancing exercise of effort to provide notice –vs- impact and effects on data subject if not given WP260 Guidelines on transparency under Regulation 2016/679

Presentation Notes
EU Commission at 10: “Informed consent is the cornerstone of research ethics. It requires you to explain to research participants what your research is about, what their participation in your project will entail and any risks that may be involved. Only after you have conveyed this information to the participants – and they have fully understood it – can you seek and obtain their express permission to include them in your project.” The informed consent process must identify if you will use privacy invasive techniques such as behavioural profiling, audio/video recording or geo-location tracking. You must keep records documenting the informed consent procedure, including the information sheets and consent forms provided to research participants, and the acquisition of their consent to data processing. Previously it was only in “relatively rare cases where research methods, conditions or objectives dictate that they are not made fully aware of the nature of the study until its completion.” However now we see that “social media platforms and other ICTs have dramatically expanded opportunities for researching human behaviour without the express consent of the subjects.”

Examples

• Large volumes of data
• Age of data
– Historical research tracing lineage from large data set (20 000 names) collected 50 years ago, and with no contact details
• Safeguards
– Make information about the research publicly available
– Adequate technical & organisational security measures
– Working with pseudonymised data
– Minimising collection and retention of personal data
– Data protection impact assessment
(Art 29 WP WP 260 & EU Commission Ethics and Data Protection)

Can you have ‘broad consent’?

• Broad consent to vaguely specified future purposes is not enough

• Voluntary
• Specific
• Informed
• Consent is not the only lawful basis for processing. (Staunton 2019) (Townsend & Thaldar 2019)

The Anonymous Participant?

• Pseudonymised data and aggregated data is still personal information

• POPIA applies unless the data has been de-identified (completely anonymous)

• The data is deleted unless it cannot be used or linked with other data by a reasonably foreseeable method to reidentify the data subject

Presentation Notes
Pseudonymisation: substitute PI (e.g. name) with a unique identifier that is not connected to their real-world identity, e.g. coding or hashing data. Statistical data is aggregated to different levels of granularity. Not anonymous if individuals could be identified by linking to another data set. European Commission at 5: “Even if your project is using only anonymised data, the origin or acquisition of the data may still raise significant ethics issues.”

Anonymity Difficult to Achieve

• 99.98% of Americans would be correctly re-identified in any dataset using 15 demographic attributes even in a heavily sampled anonymised data set

(Rocher et al, 2019)
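
Added example (not part of the original presentation): the two slides above say that pseudonymised data is still personal information and that linking to another data set can re-identify people. The Python below hashes names with a keyed HMAC, then measures how many records are still unique on their quasi-identifiers and can be matched against a second data set; it goes one step beyond the slides by also coarsening the quasi-identifiers. All records, field names and the key are constructed for illustration.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample data: every name and value here is made up.
STUDY = [
    {"name": "Thandi Mokoena", "birth_year": 1984, "postcode": "4001", "gender": "F", "score": 17},
    {"name": "Sipho Dlamini", "birth_year": 1984, "postcode": "4001", "gender": "M", "score": 9},
    {"name": "Ayesha Naidoo", "birth_year": 1987, "postcode": "4013", "gender": "F", "score": 22},
    {"name": "Pieter Botha", "birth_year": 1981, "postcode": "4019", "gender": "M", "score": 12},
    {"name": "Lindiwe Zulu", "birth_year": 1989, "postcode": "4091", "gender": "F", "score": 30},
    {"name": "Johan Smit", "birth_year": 1986, "postcode": "4092", "gender": "M", "score": 5},
]
QUASI_IDS = ("birth_year", "postcode", "gender")
# Constructed "other data set" (e.g. a public register) sharing the quasi-identifiers.
REGISTER = [{k: r[k] for k in ("name",) + QUASI_IDS} for r in STUDY] + [
    {"name": "Bongani Khumalo", "birth_year": 1984, "postcode": "4001", "gender": "M"},
]


def pseudonymise(records, key):
    """Replace the direct identifier with a keyed hash (HMAC-SHA256).
    The key is the means of re-identification and must be stored apart from the data."""
    out = []
    for r in records:
        row = {k: v for k, v in r.items() if k != "name"}
        row["pid"] = hmac.new(key, r["name"].encode(), hashlib.sha256).hexdigest()[:16]
        out.append(row)
    return out


def qi(row):
    """Quasi-identifier tuple of a row."""
    return tuple(row[k] for k in QUASI_IDS)


def k_anonymity(rows):
    """Size of the smallest group of rows sharing the same quasi-identifiers."""
    return min(Counter(qi(r) for r in rows).values())


def linkable(rows, register):
    """Map pseudonym -> name for rows matching exactly one register entry."""
    matches = Counter(qi(p) for p in register)
    return {r["pid"]: next(p["name"] for p in register if qi(p) == qi(r))
            for r in rows if matches[qi(r)] == 1}


def generalise(row):
    """Coarsen quasi-identifiers: decade of birth, two-digit postcode prefix."""
    g = dict(row)
    g["birth_year"] = row["birth_year"] // 10 * 10
    g["postcode"] = row["postcode"][:2]
    return g


def demo():
    key = b"constructed-demo-key"  # placeholder; a real key is random and secret
    pseudo = pseudonymise(STUDY, key)
    coarse = [generalise(r) for r in pseudo]
    coarse_register = [generalise(p) for p in REGISTER]
    return {
        "k_pseudonymised": k_anonymity(pseudo),
        "relinked": len(linkable(pseudo, REGISTER)),
        "k_generalised": k_anonymity(coarse),
        "relinked_generalised": len(linkable(coarse, coarse_register)),
    }


if __name__ == "__main__":
    print(demo())
```

A higher k on a small constructed sample does not show that data is de-identified; the measure only flags records that are trivially linkable, which is the point Rocher et al make about data sets with many attributes.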

Different obligations can apply:

• TIMING If you collect PI and then anonymise, data protection laws apply to the collection.

• PARTIES When a host institution shares an anonymised data set
– recipients may be exempt from DP law (if no risk of re-identification) but
– host institution retains raw data, and must comply fully with data protection law

Presentation Notes
European Commission “In some instances, your host institution, funding body or publisher may require you to keep the raw data for auditing, accountability or research integrity purposes. There may be other scenarios in which a host institution has a raw dataset which it makes available to its researchers and partners in anonymised form. In these instances, while the recipients of the anonymised data may – subject to the mitigation of the risk of re-identification – be exempt from data protection requirements, the host institution is still processing personal data and must therefore ensure appropriate protection for the raw (personal) data. This includes technical and organisational measures to protect the data and the means to identify the data subjects (e.g. the keys, codes or applications used to anonymise the data) against unauthorised access or use. If you are in any doubt as to the adequacy of the technique(s) that you intend to use, you should seek advice from your DPO or a suitably qualified expert. As noted below (see Box 5), for sensitive or complex processing scenarios involving pseudonymisation or anonymisation, it may even be necessary to conduct a DPIA in order to ensure an appropriate level of data protection and minimise risk to the data subjects’ rights.”

Checklist of Principal Investigator

• Will the research collect any PI? Special PI? Children?
• What is the source? From DS? Public record? Other?
• What is the lawful basis for processing? Consent!
• What is the purpose of processing?
• Is the PI necessary for this purpose?
• Will the PI be used for any other purpose?
• Where & for how long will data be stored?
• How will PI be secured? Who will have access to it?
• Do data sharing agreements & research contracts specify how data is used, stored, shared, archived etc
• Are data breach procedures in place?

Security Do’s

• are the tools/software you will use to collect, analyse and store data privacy-friendly?

• are secure communication protocols in place for emails and file sharing?

• do service provider T&Cs cover security?
• is data encrypted and keys/passwords protected?
EU Commission at 18

Presentation Notes
Also see security don’ts in EU Commission at 18

AI: the next frontier

• The big challenges are data minimisation & transparency
– Train algorithms using synthetic data
– Delete redundant or marginal data
– From the outset of design potential hidden data biases and the risk of discrimination or negative human rights impact must receive due consideration (COE guidance & OECD AI principles)

Conclusion & recommendations

• Regulator: approve Codes of Conduct, provide guidance, & issue exemptions

• Institutional data protection policy
• Awareness & training within faculties of ethical and legal guidelines

References

• African Union Convention on CyberSecurity & Personal Data Protection
• Art 29 WP WP260 Guidelines on transparency under Regulation 2016/679
• Art 29 WP Opinion 05/2014 on anonymisation techniques
• Bernstein and Others v Bester NO and Others 1996 (2) SA 751 (CC)
• Council of Europe Convention for the protection of individuals with regard to the automatic processing of personal data (CETS 108 & protocol ETS 181)
• Council of Europe: Guidelines on AI and data protection & human rights impacts of algorithmic systems <https://www.coe.int/en/web/data-protection/reports-studies-and-opinions#{%2220422099%22:[0]}>
• Court of Justice of the European Union, Judgment in Case C-311/18 Schrems II EU:C:2020:559
• European Commission (2018) Ethics and Data Protection <https://ec.europa.eu/info/sites/info/files/5._h2020_ethics_and_data_protection.pdf>
• European Union Agency for Fundamental Rights (2018) Data Protection Handbook <https://fra.europa.eu/en/publication/2018/handbook-european-data-protection-law-2018-edition>
• General Data Protection Regulation (EU) 2016/679
• OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
• OECD AI Principles
• Protection of Personal Information Act 4 of 2013 (South Africa)
• UKZN Research Ethics Policy CO/06/2906/07
• University of Leicester Data Protection Guidance Note 12 <https://www2.le.ac.uk/offices/ias/resources/policies/gdpr/Guidance%20Note%2012%20GDPR%20and%20Research%20Data%20Quick%20Guide.pdf>

References

• Bambauer, J (2019) “Cambridge Analytica and the Meaning of Privacy Harm” (White paper, Antonin Scalia School of Law) https://pep.gmu.edu/2019/01/14/cambridge-analytica-and-the-meaning-of-privacy-harm/

• Cadwalladr, C “The great British Brexit robbery: how our democracy was hijacked” (7 May 2017) The Guardian

• Cadwalladr, C “‘I made Steve Bannon’s psychological warfare tool’: meet the data war whistleblower” (18 March 2018) The Guardian

• Frenkel, S et al. “Facebook Data Collected by Quiz App Included Private Messages” (10 April 2018) The NY Times

• Kosinski, Michal, et al. "Facebook as a research tool for the social sciences: Opportunities, challenges, ethical considerations, and practical guidelines." American Psychologist 70.6 (2015): 543.

• Mourby, M et al. “Governance of academic research data under the GDPR—lessons from the UK”, International Data Privacy Law, Volume 9, Issue 3, August 2019, Pages 192–206, https://doi.org/10.1093/idpl/ipz010

• Rocher, L., Hendrickx, J.M. & de Montjoye, Y. Estimating the success of re-identifications in incomplete datasets using generative models. Nat Commun 10, 3069 (2019). https://doi.org/10.1038/s41467-019-10933-3

• Staunton, C., Slokenberga, S. & Mascalzoni, D. The GDPR and the research exemption: considerations on the necessary safeguards for research biobanks. Eur J Hum Genet 27, 1159–1167 (2019). https://doi.org/10.1038/s41431-019-0386-5

• Townsend, B & Thaldar D (2019) Navigating uncharted waters: biobanks and informational privacy in South Africa, South African Journal on Human Rights, 35:4, 329-350, DOI: 10.1080/02587203.2020.1717366

Interesting Reading/Audio Books

• Chertoff, M (2018) Exploding Data: Reclaiming Our Cyber Security in the Digital Age (Atlantic)

• Kaiser, B (2019) Targeted: The Cambridge Analytica Whistleblower’s Inside Story of How Big Data, Trump, and Facebook Broke Democracy and How it Can Happen Again (Harper)

• Zuboff, Shoshana (2019). The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power (Profile Books)