Innovation and scientific progress are contingent on data sharing and innovative uses of information. Valuable data silos often lie in the hands of private entities, public institutions, such as universities and research institutes, or even within different departments of an organisation. Research requires high volumes of data combined with high data utility, contingent on the diversity, volume and nature of data. It also requires financial resources, adequate infrastructure and professional expertise.
Companies, public authorities and researchers are the key players in innovative research, and data sharing takes place among these stakeholders. Data may be shared among these players for different research scenarios and to facilitate the use of different technologies and expertise. In research settings, data protection law continues to apply to data uses for research purposes and access to data is conditional and regulated.
In this piece, we outline the basic requirements that apply to the data collaborations between private entities, public authorities and researchers. We draw on the guidance released by the Future of Privacy Forum for consultation and our experience in designing privacy-enhancing and compliance mechanisms for data sharing between companies and research institutions.
Critical considerations in sharing research data
Organisations already hold personal data that may have a research value. Nonetheless, the research uses of personal data are subject to specific rules. Before an entity shares personal data with other entities, it should:
- Consider the applicable legal framework, including the General Data Protection Regulation (GDPR). Data sharing for research purposes may be regulated by specific legal acts. For example, specific requirements may apply for specific types of confidential data, e.g., medical data.
- Identify the role and relationship framework between the data exporter and data recipient under data protection law, i.e., whether they are the processor, controller or joint controllers.
- Ensure that the data sharing, either as part of the original or further processing, relies on a lawful basis.
- Assess whether it is necessary and proportionate to share this data with external entities.
- Conduct due diligence before sharing personal data with researchers. Data suppliers should request sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the data subjects. For example, accredited researchers, adherence to codes of conduct and the involvement of ethics oversight boards may enhance GDPR compliance.
- Allow research with the data they hold for legitimate and ethical uses only. Even if they are not involved in the subsequent processing by researchers, it is important not to enable illegal, unethical or harmful data processing. Data suppliers should have a clear understanding of the nature, duration and impact of the research data uses, as the project develops.
A toolset of guiding principles
Whether the data recipient acts as a processor on behalf of the data supplier, decides the means and purposes of data processing as a data controller, or acts as a joint controller with the data supplier, an agreement should be in place to regulate their relationship. Although each data sharing initiative is different and the specific conditions should be taken into account, the core data protection roles and responsibilities of each party should be detailed.
- The applied retention periods should be specified and monitored for each party.
- The application of security measures, such as encryption, and the responsible parties for these measures should be specified. Data suppliers could also consider engaging a trusted third party to de-identify data before providing data to researchers.
- Responsibilities for informing data subjects and for handling personal data breaches and data subjects’ rights should be allocated.
- Specific uses of personal data should be covered in the agreement, such as contacting the concerned data subjects, open access data or personal data in publications.
- Where there are concerns about the potential research uses, the parties could agree on oversight and monitoring mechanisms, such as ethical and privacy boards.
- Where data subjects have provided freely given, specific, informed and unambiguous consent to this data sharing, their personal data may be shared with researchers. The same applies where the law requires or allows the sharing of personal data for research purposes.
- If the above does not apply, personal data should be de-identified before being shared. This may decrease data utility, but it also minimises the risks to the fundamental rights and freedoms of individuals. In this case, data recipients should be forbidden from attempting to re-identify the shared data.
- Onward data transfers by the researchers should be agreed in writing.
- If the recipient researchers act as a data processor, they should also comply with Article 28 of the GDPR.
- A data management plan could accompany the main agreement to detail the sources of data, the categories of data subjects, the permissible uses, and the data protection reassurances from the data supplier (e.g., appointment of a DPO).
- Contractual terms should cover the intellectual property and liability issues, especially if artificial intelligence is applied and a new product or service is created.
It is important that data sharing practices are GDPR compliant and responsible, whether the data transaction is part of a permanent and ongoing relationship or a one-off case. Trilateral Research has evaluated and designed innovative solutions, responsible practices and compliance safeguards for sharing research data between different stakeholders.
Trilateral offers data sharing agreement and compliance support services to enhance data governance and data protection practices within your organisation. For more information on how Trilateral can support you, please refer to our list of services or get in touch with one of our advisors for support on your compliance journey.