A Total of 19 participants attended the webinar.
2 Poll results
1. Are you working or planning to work with research data that contains personal information?
Yes: 5 responses (33 %)
No: 6 responses (40 %)
2. What do you think are examples of direct identifiers?
A: Name: 9 responses (52 %)
B: Address: 6 responses (35 %)
C: Ethnic Origin: 0
D: Medical condition: 0
Extra answer over the public chat: I think more or less all…
3 Questions raised by the audience
Q.1: Can you suggest “better” tools than Dropbox or google docs?
Q.2: What penalties do you face in Germany for data leakage? and could you please give us a link where we can read the German law for data protection?
Q.3: Is the DSGVO, the German version of what you have presented?
Q.4: Can it happen that the data leaks without me realising it?
4 Speaker’s comments and references for further reading
The data protection regulation
The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU). The German term for this regulation is: “Die Datenschutz-Grundverordnung” usually abbreviated as DSGVO. Here are the links to the German and English versions of the GDPR which was put into place on 25 May 2018 and supersedes all other national regulation in EU countries.
Personal data and identifiers
A central aim of the webinar was to raise awareness about the types of data that could constitute personal data and thus lead to the identification of persons. The difference between direct and indirect identifiers was also mentioned. The main message here was data which contain personal data must be adequately handled and researchers should take all technical and logistical steps to ensure personal data remain secure. For further reading on the topic we recommend you have a look at this introduction and take this tutorial.
We recommended not to store or manage research data sets which contain personal data via tools and services like dropbox and or google docs and other similar external services. By uploading or transferring data via these services you are sending sensitive materials to servers and locations outside Germany. This may be problematic because, on the one hand, if you have taken the decision to store personal data over these services and if these are then accessed (hacked) by unauthorized persons, you are then liable for this. On the other hand, and depending on the sensitivity degree of your data, the storing of personal data outside Germany might be strictly forbidden.
Our suggestion here is that you use the infrastructural tools provided by the University for storing your research data. In this case, both your userdata network drives as well as the Univesity’s cloud tool are securely encrypted making these tools suitable for the storing of sensitive information. Should these systems be compromised, you will at least not be directly liable because you are using the university’s infrastructure for the handling and storing of your data. Sciflow is a free to use GDPR-compliant collaborative tool for which the MLU has a license agreement. Since this company is based in Magdeburg, there are no issues with data sending outside Germany. In general, if you need to handle or transmit personal data, make sure your data sets have been adequately anonymized/pseudonymized and properly protected with encryption and passwords to minimize the risk of identification of your participants’ data by unauthorized persons. MLU-approved consent form templates (in German) for working with personal data can be found here.
If you are not sure about how to proceed with a particular issue, do get in touch with us at the Open Science Team. If we cannot immediately give you advise on the matter we will at least point you to someone else who can help. Our request here is that you ideally approach us with your questions BEFORE you start a project rather than towards the end of it.
In terms of legal procedures you must act immediately in case of a data confidentiality breach. In the event of an actual data breach, you (and the MLU) are expected to take a remedial action within 14 days of the date of the initial data breach. In the event of such a data breach, you should immediately contact the data protection officer of the MLU.
Failing to handle and protect personal data as established by the law can lead to hefty fines against infringing institutions or persons. Since a question was asked about what are the amounts for these fines, you can have a look at the sums that infringing companies/ institutions in EU countries are actually paying via tools like the GDPR Enforcement Tracker.
Daniel Brenn – Dr. Roberto Cozatl| Open Science Team | firstname.lastname@example.org | 09.10.2020
University and State Library of Saxony-Anhalt