OpenAIRE, the European Open Science infrastructure, recently organised two public webinars within the Legal Policy Webinar series. They were live streamed on April 29th and May 4th and the recordings, including slides, are available here. The aim was to provide a legal perspective on research data regulation (e.g. ownership, access, processing, storing, reuse, licensing, etc) both from a copyright and data protection (GDPR) point of view.
Presenters in both events were OpenAIRE’s experts Thomas Margoni (Senior Lecturer in IP and co-director of CREATe at the School of Law, University of Glasgow), Prodromos Tsiavos (Senior Legal Advisor – ARC/ Head of Digital and Innovation – Onassis Group), and Jacques Flores Dourojeanni (Research Data Management Consultant Utrecht University Library). They offered a legal and practical overview of research data regulation and of the contributions (e.g. FAQs, Guides, Fact-sheets, etc) that OpenAIRE has developed in this area. In light of the current health crisis some of the practical examples discussed were focused on biomedical sciences and medical data.
The first presenter, CREATe’s Thomas Margoni, discussed how copyright and related rights to copyright classify and regulate data. His presentation concentrated on the aspect of data ownership, i.e., whether non-personal data can be owned and, if yes, by whom. Dr Margoni effectively subdivided the issue into three sub-categories: data as such (structured and unstructured data), databases (a collection of systematically or methodically arranged and individually accessible data), and data contained in works of authorship (e.g. information contained in a scientific article).
Data as such is commonly excluded from copyright protection. International and national copyright laws are clear that ideas, procedures, methods of operation, mathematical concepts and the like are not protected by copyright law. Only original expressions which constitute intellectual creations attract protection (see e.g. Arts. 2 WCT, 9(2) TRIPs, Art. 2 Berne and most legal traditions requiring originality). Factual information and data as such commonly fall short of these requirements. Regarding databases, the EU SGDR (Sui Generis Database Right) protects original and non-original databases whose making required a substantial investment in obtaining, verifying or presenting (but not in creating) the data. In this case, protection is against acts of extraction and reuse of substantial amounts of data. The third sub-category, information contained in a work, is usually not protected as such. Nevertheless, often an authorisation (e.g. exception, licence, etc) is necessary due to the fact that in the digital environment most uses require the making of a copy (even if temporary, indirect or in part) which is often an infringement of the copyright in the underlying work. This explains the importance of exceptions and limitations such as the Text and Data Mining (TDM) exceptions contained in some national and, more recently, in Union law. However it also highlights a paradox: information that is not afforded protection due to its crucial importance for fundamental rights such as freedom of expression and scientific enquiry becomes de facto protected in the digital environment when it is contained in qualifying works.
Finally, Dr Margoni offered a brief overview of the guides and other supporting material developed by OpenAire to assist researchers, research performing and research funding institutions in developing their own research and research policies in order to achieve the fundamental goals of Open Science.
In the following presentation, Dr Prodromos Tsiavos provided an overview of the relationship between research data and the General Data Protection Regulation (GDPR). After a brief review of GDPR objectives, namely the need to balance lawful personal data processing with the free flow of data within the Digital Single Market, Dr Tsiavos discussed the legal elements of personal data relevant for research. He focused primarily on the fundamental aspect of the correct identification of the proper legal basis to process data for research purposes.
In addition, Dr Tsiavos highlighted how the ethical framework also plays an essential role, because it sets forth additional rules for researchers that often complement and supersede legal requirements. Article 89 GDPR provides a definition of scientific research and under which circumstances it may form the basis for lawful processing of personal data. Dr Tsiavos also discussed the extent to which research could fall under the scope of public interest, where he emphasised the form of further processing and the need to ensure appropriate safeguards (e.g. data pseudonymization) are in place. Moreover, Dr Tsiavos examined how to process special categories of data – previously known as “sensitive data” – a category of particular importance in the post COVID19 era. Specifically, in relation to the legal basis, Dr Tsiavos provided an example to explain how public interest, contract and consent can be applied in scientific data processing. In this case, tracing the life cycle of personal data is vital, particularly in the form of a detailed data management plan, including data collection, data management and also data sharing.
Regarding data subject rights, Dr Tsiavos firstly stressed that the data subject must be informed particularly where data aren’t obtained from the data subject. Secondly, he analysed the definition of data erasure and provided the way in which such right may be exempt in the case of processing for purposes of scientific research. Thirdly, it was highlighted that even when the data subject objects to such processing, researchers may reject these objections if the processing is necessary for reasons of public interest, and at the same time the exercise of such right renders research impossible. Additionally, national laws may provide further derogations from the GDPR for data processing necessary for scientific research. Finally, Dr Tsiavos analysed some representative questions and cases posed by the participants to the webinar.
Jacques Flores Dourojeanni (Research Data Management Consultant Utrecht University Library) was the third and last speaker. Following up on the previous presentation, Flores Dourojeanni explained how personal data may be lawfully collected in a research setting. He highlighted that, within universities, informed consent is commonly used as the legal basis for processing personal data since it fulfils both the legal and ethical obligations that researchers hold towards their participants.
Flores Dourojeanni elaborated further on the significance of the purpose limitation principle. He explained that the GDPR distinguishes between two types of data use: primary and secondary use. Primary use relates to data collected directly for a specific research purpose whereas secondary use relates to the further processing of data that is already collected. This secondary use of data is important since it provides a means to compliantly re-use personal data for research purposes. Nevertheless, the GDPR allows the secondary use of data for research purposes only if appropriate technical and organisational measures are applied to ensure that the privacy of the data subjects is adequately protected. These include but are not limited to pseudonymization, minimization, encryption and access control.
In the last part of the presentation, Flores Dourojeanni gave some practical advice on how to formulate informed consent forms to facilitate data sharing. He stressed the need to be granular about the personal data collected and transparent about the methods used to process the data. Moreover, he warned researchers to avoid making promises which would be very difficult or impossible to maintain, such as fully anonymizing the data or promising to destroy the data. True anonymization, per the GDPR, is quite difficult to achieve and often devalues the power of the data, whereas promising to destroy the data works against the original aim to share this data with other researchers.
The two webinars, which were similar in content, were tailored respectively to PhD students and researchers (the first), and to research support staff (the second). Accordingly, small variations, especially in the examples provided towards the end may be found. These events were organised on behalf of the OpenAIRE Policy and Legal Task Force. The Task Force aims to enhance competencies and raise awareness on different relevant open science topics. To foster this cultural change towards Open Science, the Task Force has produced – in addition to the webinars – a number of resources to support stakeholders such as policy templates for RPOs and RFOs, checklist for policies, guides on GDPR, copyright, licensing and reuse of research data as well as blogs focusing on its activities. The National Open Access Desks (NOADs) are active members of the Task Force and have a key role in reaching out to a broad and diverse user base.
More than 600 researchers and research staff actively participated over the two days, submitting questions and following up on specific aspects of the presentations. This shows how important and timely these topics are, and how fundamental the contribution of OpenAIRE in this field is.