Sharing and re-using personal data is one of the key activities within our HBM4EU project. These personal data are obviously subject to the GDPR (General Data Protection Regulation). Since the GDPR clearly impacts our work and the way in which data can be shared, we are organising a number of short awareness sessions, each of them focusing on a specific topic.
These sessions will last no longer than one hour and will be given by our Data Protection Officer Koert Van Espen, who has extensive experience in privacy and information security in research.
HBM4EU Data Protection Awareness Session 1: Anonymisation versus Pseudonymisation
Truly anonymous data is not personal data and therefore the GDPR is not applicable. However, truly anonymous data is very difficult to achieve – most likely, your data will be pseudonymous at most. In this awareness session, we will explain the differences, and some techniques to make data really anonymous.
- Data minimisation principles
- Anonymisation versus pseudonymisation: consequences
- Anonymisation techniques
HBM4EU Data Protection Awareness Session 2: Data Processing Impact Assessment (DPIA) – What, When, How, and Who?
A DPIA, or Data Processing Impact Assessment, helps to identify and minimise the data protection risks and is an instrument to demonstrate GDPR compliance. However, the GDPR is pretty vague in defining exactly when such a DPIA has to be made. In this awareness session, we will explain the purpose of a DPIA, outline the circumstances in which such an assessment should be made, and show some useful tools to conduct it.
- Purpose of a DPIA
- When should a DPIA be made?
- Necessary elements of a DPIA
- Practicalities – tools, role of DPO
- Next steps
HBM4EU Data Protection Awareness Session 3: Secondary use of data for scientific research
Research on personal (health) data is often done on data initially collected for another purpose (“secondary use”). The distinction between scientific research based on primary or secondary usage of health data is very important with respect to the legal basis for the processing, the information obligations, and the purpose limitation principle. In this awareness session, the consequences of secondary use will be explained (for instance, how to cope with the information obligations in case of “old” data).
- Scientific research: clarification in the context of GDPR
- Secondary use: meaning and examples
- Legal basis for processing: consent, or other?
- Transparency and information to data subjects
- Purpose limitation and presumption of compatibility
- Data subject rights