General description of the scenario
Christian is a Danish researcher and Miriam is a Portuguese scientist. Both are developing a new project. They are collecting and processing reliable data about people for scientific purposes, and so are subject to European data privacy legislation that protects citizens’ rights, namely the GDPR.
Before research can be performed, Christian and Miriam have to address the Research Ethics Committee (REC), an independent panel of experts, which must approve the purpose and source of their research project.
When addressing the REC, Christian and Miriam must show that they have collected all the signed informed consents from the participants (which provide all the needed information about the project, risks, effects, etc.) and all the information sheets, which contain the legal basis for processing data. If the legal basis is consent, the information sheet will contain the consent for processing.
Then, they must explain the process of data capture and of pseudonymization, specifying how personal data about people are replaced by a combination of characters and kept separately. They also describe activity records, access control, log-in, backup, recovery, and network security.
Once they have obtained authorization from the REC to do so, Christian and Miriam may import personal data into a research database.
They can thus start conducting their research.
Step-by-step instructions
At the end of his analysis and studies, Christian does not need to share personal data about people, and so the project is ended. If he does not need to retain the data any further, he deletes them. If instead he needs to retain them, for example to verify the research results, he has to check whether the legal basis for processing them is still valid. If the legal basis was consent and it has expired but can be collected again, Christian shall recontact the people concerned and, after they reconsent, he may retain the data; otherwise, if reconsent is not possible, Christian shall permanently archive the data.
Miriam, instead, needs to share personal data about people at the end of the study. She must verify whether the purpose is in line with the sharing, whether the research participants were informed about the sharing, and whether the legal basis is appropriate for such sharing. If these conditions are met, Miriam can conclude the contract with the recipient institution: in particular, Miriam shall draft a Data Transfer Agreement defining data transfer and use in a precise and compliant manner, and shall submit this Data Transfer Agreement to the REC for approval.
Once the REC approves, the Data Transfer Agreement can be signed by both parties (Miriam and the recipient). The need to generate new pseudonyms or to anonymise data can be discussed, followed by a risk assessment.
After deciding how to proceed with sharing, the export or on-site sharing with the partner can take place. Miriam shall make a record of the export or on-site sharing that occurred and inform the REC about it.
Outcome
In general, both Christian and Miriam must continuously verify that data management is compliant and that institutional rules are respected. If needed, they must update contact information for data subjects. Before the REC, Christian and Miriam shall also offer a proper evaluation of the privacy technologies used, taking into account technological developments and whether potentially comparable data are publicly available. Any change in the project dataset due to technological advancements, any editability of data, and any database modification (for instance to the clinical data management system, CDMS, that stores the data of a clinical trial) shall be communicated to the REC and properly examined.