View Source

For those with data hosted in or users from countries covered by GDPR or UK GDPR a privacy notice is a requirement. The minimum requirements for this include:

Identity of the data controller
- Including contact information
Purposes of data collection
The legal basis used for processing of data
The types of personal data being collected
Who the data is being shared with
How long the data is being kept for
How individuals can exercise their rights over their own personal data
How consent can be withdrawn
Where data is transferred internationally, if this is outside of the EEA how the personal data is safeguarded must be covered

This is one of two documents in the PDK that MUST be presented and agreed to by all users.

Personal data is any data set that can be taken from or combined with any source that can be used to determine information about a natural person

There are eight data protection rules that each data controller must ensure are followed [EC-DC-Oblig]:

Personal data must be processed legally and fairly.
It must be collected for explicit and legitimate purposes and used accordingly.
It must be adequate, relevant and not excessive in relation to the purposes for which it is collected and/or further processed.
It must be accurate, and updated where necessary.
Data controllers must ensure that data subjects can rectify, remove or block incorrect data about themselves.
Data that identifies individuals (personal data) must not be kept any longer than strictly necessary.
Data controllers must protect personal data against accidental or unlawful destruction, loss, alteration and disclosure, particularly when processing involves data transmission over networks. They shall implement the appropriate security measures.
These protection measures must ensure a level of protection appropriate to the data

To use the explanation given by the Information Commissioner’s Office [ICO-DPA-Def], a data controller is “a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed”. A data controller is the responsible party that must ensure that all processing of personal data complies with the GDPR. Failure to do so may result in legal repercussions. Data processors, on the other hand, process personal data solely under the direction of a data controller, who decides what personal information will be kept and to what uses it may be put.

REFEDS DP CoCo

The guidance on this page works along side The REFEDS Data Protection Code of Conduct which should be asserted in the privacy policy provided

Document development Guidance

Questions to ask yourself when defining this policy:

Who or what is your Data Controller?
Will your Research Community have a Data Protection Officer?
Which information do you need to collect on the user? Is this minimised?
Specific data collected by each service may vary. Can your Infrastructure provide a template statement for all services?

Example Document Structure

Name of the Service
Description of the Service
Data controller and a contact person	You may wish to include the Data Controller defined for the Infrastructure, rather than per-service
Data controller’s data protection officer (if applicable)
Jurisdiction and supervisory authority	The country in which the Service Provider is established and whose laws are applied. SHOULD be an ISO 3166 code followed by the name of the country and its subdivision if necessary for qualifying the jurisdiction. How to lodge a complaint to the competent Data protection authority: Instructions to lodge a complaint are available at...
Personal data processed and the legal basis
Purpose of the processing of personal data	Don’t forget to describe also the purpose of the log files, if they contain personal data
Third parties to whom personal data is disclosed	Notice clause of the Code of Conduct for Service Providers. Are the 3rd parties outside EU/EEA or the countries or international organisations whose data protection EC has decided to be adequate? If yes, references to the appropriate or suitable safeguards.
How to access, rectify and delete the personal data and object to its processing	Contact the contact personal above. To rectify the data released by your Home Organisation, contact your Home Organisation’s IT helpdesk.
Withdrawal of consent	If personal data is processed on user consent, how can he/she withdraw it?
Data portability	Can the user request his/her data be ported to another Service? How?
Data retention	When the user record is going to be deleted or anonymised? Remember, you cannot store user records infinitely. It is not sufficient that you promise to delete user records on request. Instead, consider defining an explicit period. Personal data is deleted on request of the user or if the user hasn't used the Service for 18 months
Data Protection Code of Conduct	Your personal data will be protected according to the Code of Conduct for Service Providers, a common standard for the research and higher education sector to protect your privacy

Resources

GDPR - https://gdpr-info.eu/

AARC Guidance for exchange of personal information - https://aarc-community.org/guidelines/aarc-g016/

AARC Data protection impact assessment - https://aarc-community.org/guidelines/aarc-g042/