Rena Gertz, the University’s Data Protection Officer, provides advice to researchers who receive data from European institutions.
NOTE: THE INFORMATION AND LINKS INCLUDED IN THIS POST ARE CORRECT AS OF 5 FEBRUARY 2020.
Key message
With the UK having left the EU and the transitional period expiring on 31 December 2020, we need to ensure that research involving collaborations with EU institutions can continue unhindered. Only collaborations where personal data are exchanged are affected by this, and only if the data flows from the EU institution into the UK. The UK will apply to obtain so-called adequacy status, which means that the EU will decide whether our legal regime is adequate in protecting people’s rights and freedoms. If the decision goes against the UK, then the UK will become a so-called unsafe third country and European institutions will have to put special safeguards in place before they are allowed to send personal data into the UK.
What do I need to do?
If you are going to receive research data from a European institution from which individuals can be identified (for a definition and examples see: Personal Data Definition), i.e. raw data or data that has been pseudonymised, please notify the me at dpo@ed.ac.uk as the data sharing agreement you have in place may need to be modified to bind it to European data protection law. I will then work with you and the solicitors from Edinburgh Research Office to ensure that your research can continue or go ahead without any obstacles.
Can I still send research data to Europe?
Yes, you can still send research data that allow individual participants to be identified to a European institution, as the data will enter a ‘safe’ environment, where data protection laws apply fully. No additional measures will have to be taken.
Also, if colleagues from within a European institution remotely access data held here in Edinburgh, no additional measures need to be taken.
What if the data are anonymised?
This will depend which country you receive the data from as there are different understandings of what ‘anonymised’ means. Here in the UK we consider a data set anonymised if we don’t have access to the identifying information. If we receive data from a university in Ireland with the identifying information removed and not sent along with the data, we receive anonymous data. Belgium, for example, has a different approach: if the identifiers exist somewhere, even in a different country, then the data will never be considered anonymised.
More information
Please get in touch via dpo@ed.ac.uk if you would like more information or if I can be of any further help.