Research data from human subjects that is not anonymized is considered personal data and as such is subject to the EU GDPR. For research projects, the GDPR entails, among other things, increased record-keeping requirements throughout the data lifecycle, from the collection of the data through to its deposition in repositories for secondary use – typically under controlled-access regimes. These records are expected to contain a GDPR-oriented characterisation of data subjects and data sets, the legal grounds and the nature of data processing, the parties involved, allowed data uses and retention periods, as well as logs of report-worthy activities in the data lifecycle, such as data transfers.
ELIXIR Luxembourg and ELIXIR Switzerland are two ELIXIR nodes that have developed open source tools to assist biomedical research teams with GDPR record keeping. For a couple of years now, these tools, namely DAISY and ERPA, have been in active use in their respective ELIXIR nodes and some others. Despite serving a similar GDPR requirement, the two tools have different target end users and consequently differ in the information they ultimately capture. The development teams of the two tools have been in contact since the early days and have been monitoring the direction each tool is taking.
In this project we propose the following:
(1) perform a critical and comparative review of the underlying information models of DAISY and ERPA. During this review we will take into account past experience in using our tools as well as the guidelines that shaped our tools in the first place, i.e. guidance on GDPR record keeping published by relevant sector-specific, national and EU authorities.
(2) create a checklist for the reporting of biomedical research activities and the human datasets that they have produced. We will develop this guideline in the style of Minimum Information Checklists that researchers are already familiar with.
We foresee that the produced checklist can be used on its own for the manual reporting of projects and resulting human datasets, particularly in scenarios where the data is to be shared for secondary use. In addition, the guideline can be picked up by the developer teams of DAISY and ERPA to eventually upgrade them and introduce new interoperability features into these tools.
Whether it be in Luxembourg, Switzerland, Germany or elsewhere in Europe, the GDPR-compliant handling of research data in an accountable manner is a daily challenge faced by data stewards/managers. The resulting guideline will be made publicly available so that everyone, including de.NBI partners, can validate their current processes for recording GDPR-specific information and refine them to adhere to a data model based on years of experience.