1.9 What are relevant legislations concerning data archiving?

In European data archives, the archiving process is regulated by both national laws and international regulations

 

Image presenting different actors, a researcher, an archivist, public body, all thinking about different legal and ethical challenges for data archiving

The main legal issues in European data archives relate to intellectual property rights, such as copyright law, and the sharing of personal data.

Basic legal questions you can ask about research data

A data archive needs information about:

  • who the owner of the data is (IPR = Intellectual Property Rights),
  • whether any copyright issues have been resolved,
  • whether the researcher has obtained permission from all rights holders,
  • whether research data includes (sensitive) personal data, and if so…
  • whether formal (valid) consent for sharing research data has been obtained from research participants.

Copyright

Copyright is an internationally recognised form of intellectual property right, which arises automatically as a result of original work such as research. It does not need to be registered to apply to a piece of work.

Research data can contain copyrighted output in spreadsheets and other forms of originally selected and organised data, in publications, reports, and computer programs. Copyright does not cover the underlying facts, ideas or concepts, but only the particular way in which the research outputs have been expressed. The right lies with the author of the work, or with their relevant institution - different organisations will have different policies on intellectual property. More information and useful tips are available in the chapter 'Copyright' of the Data Management Expert Guide (CESSDA Training Team 2017-2022).

The role of a data archivist is to ensure that rights issues are resolved before accepting the data and documentation. Often, the data depositor is the owner of all deposited materials, but some datasets are more complicated.  A combination of research disciplines or different research approaches with various authors or a collaboration with commercial partners can result in a complex structure of research materials with various proprietary differences. All included parties must permit storage and sharing of data and/or other research outputs.

A common misunderstanding is that because the material is openly available on the internet, it can also be archived. Public material can still be under copyright, and the original owner will have to give permission for the archiving of the data.

GDPR and handling personal data

The European General Data Protection Regulation of the European Union (2016/679) (GDPR) includes rules that organisations must follow to protect the personal information they collect. Archives must adhere to data protection requirements when managing or sharing personal data. Personal data are defined within the legislation as ‘any information relating to an identified or identifiable natural person’ whereby the person can be identified directly or indirectly (GDPR.eu 2019). Moreover, GDPR applies only to living persons.

Personal data must be processed in accordance with six principles that you can read more about in 'DMEG - Chapter 5 ‘Protect’ (CESSDA Training Team 2017-2022). 

Archives typically handle two types of personal data: 

  1. Personal data in research data:
    direct or indirect identifiers of research participants within the research data that the archives store, and

  2. Personal data in administrative data:
    personal data of users of the different archival services, such as names of depositors and visitors in search of research data.

Personal data in research data

The GDPR contains the so-called ‘research exemption’  which entails that some of the principles above are differently applied, when you collect and process personal data for research purposes.

Since the GDPR applies only to personal data, the first question to always ask is: “Have personal data been processed in the study?”. If the answer is no, then the GDPR does not apply.

Personal data according to the GDPR:

Personal data means any information relating to an identified or identifiable natural person ('data subject')

'any information':

  • Objective or subjective
  • Any format
  • Accurate or inaccurate

'relating to':

  • Directly relating (including name)
  • Indirectly relating (not primary aim)

'an identified or identifiable':

  • Identified: directly differentiating one from the other
  • Identifiable: indirectly identifying by combining multiple information sources

'natural person':

  • Alive
  • Not including 'legal persons' (i.e., companies)

Depending on the nature and research design of a study, data that reaches the archive can either be 'raw' or already processed (pseudonymised, anonymised, aggregated etc.). Data archivists will follow the rule: “As open as possible, as closed as necessary”, meaning they strive towards open data sharing as far as possible under the data protection laws. The data archive must have protocols and policies in place for receiving and storing data safely.

The GDPR allows for the sharing of personal data without restrictions when the researcher has received explicit consent from the research participants. However, national legislation such as in for instance Germany may still prohibit sharing. The use of information sheets and especially consent forms is important if you seek to comply with the GDPR, as this defines the handling of the collected data. Archives usually demand a template of the study’s consent form in order to determine how data have to be prepared for dissemination. You can read more about this in the 'DMEG - Chapter 5 ‘Protect’ (CESSDA Training Team 2017-2022).

Personal data in administrative data

Users of archival services also share personal data with the archive, when they create an account or log in to deposit or access data. A data archive must have a public data policy in place that provides sufficient details to its users about the personal data collection and processing, which must be done confidentially, transparently and lawfully, such as:

  1. Who is the data controller/data protection officer and who can be contacted in case of questions, 
  2. How and for what purposes personal data is processed, and 
  3. What are the rights of users of the archival services.

 

Find out more about your archive

Here are some questions you can ask yourself to learn more about your archive:

  • Does your archive provide support regarding privacy-sensitive data, complying with GDPR?
  • Are there national laws and codes of conduct in research in addition to GDPR that are important for your work?
  • How does your archive handle ‘raw’ and processed (pseudonymised, anonymised, aggregated etc.) data?

 

Expert tips

Watch this video about the GDPR and research (Summers et al. 2019).

 

« Previous | Next »