For those with data hosted in, or users from, countries covered by the GDPR or UK GDPR, a privacy notice is a requirement. The minimum requirements for this are:

  • Identity of the data controller
    • Including contact information
  • Purposes of data collection
  • The legal basis used for processing of data
  • The types of personal data being collected
  • Who the data is being shared with
  • How long the data is being kept for
  • How individuals can exercise their rights over their own personal data
  • How consent can be withdrawn
  • Where data is transferred internationally outside of the EEA, how the personal data is safeguarded

...

There are eight data protection rules that each data controller must ensure are followed [EC-DC-Oblig]:

  • Personal data must be processed legally and fairly.
  • It must be collected for explicit and legitimate purposes and used accordingly.
  • It must be adequate, relevant and not excessive in relation to the purposes for which it is collected and/or further processed.
  • It must be accurate, and updated where necessary.
  • Data controllers must ensure that data subjects can rectify, remove or block incorrect data about themselves.
  • Data that identifies individuals (personal data) must not be kept any longer than strictly necessary.
  • Data controllers must protect personal data against accidental or unlawful destruction, loss, alteration and disclosure, particularly when processing involves data transmission over networks. They shall implement the appropriate security measures.
  • These protection measures must ensure a level of protection appropriate to the data.

To use the explanation given by the Information Commissioner’s Office [ICO-DPA-Def], a data controller is “a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed”. A data controller is the responsible party that must ensure that all processing of personal data complies with the GDPR. Failure to do so may result in legal repercussions. Data processors, on the other hand, process personal data solely under the direction of a data controller, who decides what personal information will be kept and to what uses it may be put.

Templates of privacy notices

REFEDS DPCoCo v2 example

The REFEDS DPCoCo provides a tabular template for service providers to present their privacy notice. This 12-point notice ticks all the requirements of the GDPR in a way that is consistent and can (almost) be parsed by machines, although it is not very readable by people. Its advantage is that all service providers that use the REFEDS DPCoCo template can be compared, and it makes it 'easier' to create combined notices (e.g. along the lines of AARC-G083):

WLCG Example

The Worldwide LHC Computing Grid (WLCG) notice is an example of a federated infrastructure where there is no single point of control and no single controller. It relies on the concept of controller-to-controller transfer of data and the fact that all parties (service providers and AAI platform) are bound by a common policy framework, overseen by the WLCG Management Board. However, a formally liable monitoring body cannot be identified - this is a very common case for research collaborations. It follows the 'BCR-like' model described in AARC-G016:

Jisc Example

The UK research and education organisation Jisc uses a privacy notice that emphasises readability and - through folding text sections - helps end-users understand how their data is used. Aimed at external data subjects, it targets the same audience type as many research collaborations, while also fulfilling all the GDPR and UK ICO requirements:

REFEDS DP CoCo Document development Guidance

The guidance on this page works alongside the REFEDS Data Protection Code of Conduct, which should be asserted in the privacy policy provided.

...

Questions to ask yourself when defining this policy:

  • Who or what is your Data Controller?
  • Will your Research Community have a Data Protection Officer?
  • Which information do you need to collect on the user? Is this minimised?
  • Specific data collected by each service may vary. Can your Infrastructure provide a template statement for all services?

Example Document Structure

...

Name of the Service

...

Description of the Service

...

Data controller and a contact person

...

You may wish to include the Data Controller defined for the Infrastructure, rather than per-service

...

Data controller’s data protection officer (if applicable)

...

Jurisdiction and supervisory authority

...

The country in which the Service Provider is established and whose laws are applied. SHOULD be an ISO 3166 code followed by the name of the country and its subdivision if necessary for qualifying the jurisdiction.

How to lodge a complaint to the competent Data protection authority:

Instructions to lodge a complaint are available at...

...

Personal data processed and the legal basis

...

Purpose of the processing of personal data

...

Don’t forget to also describe the purpose of the log files, if they contain personal data.

...

Third parties to whom personal data is disclosed

...

Notice clause of the Code of Conduct for Service Providers.

Are the 3rd parties outside the EU/EEA, or outside the countries or international organisations whose data protection the EC has decided to be adequate? If yes, give references to the appropriate or suitable safeguards.

...

How to access, rectify and delete the personal data and object to its processing

...

Contact the contact person above. To rectify the data released by your Home Organisation, contact your Home Organisation’s IT helpdesk.

...

Withdrawal of consent

...

If personal data is processed on user consent, how can he/she withdraw it?

...

Data portability

...

Can the user request his/her data be ported to another Service? How?

...

Data retention

...

When is the user record going to be deleted or anonymised? Remember, you cannot store user records indefinitely. It is not sufficient to promise to delete user records on request. Instead, consider defining an explicit period.

Personal data is deleted on request of the user or if the user hasn't used the Service for 18 months.

...

Data Protection Code of Conduct

...

Your personal data will be protected according to the Code of Conduct for Service Providers, a common standard for the research and higher education sector to protect your privacy.

Resources

GDPR - https://gdpr-info.eu/