The legally compliant publication of research data

The tension between publishing research data as transparently and completely as possible in the interests of scientific research and protecting the data subject in the interests of data protection raises the question: “How can personal research data be published as completely and transparently as possible while still complying with data protection regulations?”

1. Problem definition

Research plays a central role in our society. This is recognized by the European Union through Article 13 of the Charter of Fundamental Rights (CFR). As a rule, the fundamental right to freedom of research can only fully fulfill its purpose if research results are made available to the general public, and in particular to the scientific community, through publication. In particular, the scientific community must be able to check the accuracy of the published results, reproduce them, interpret them and derive its own findings from them.

It is possible that the research results may contain personal data. If these have to be published in order to make the research results verifiable, reproducible and interpretable, freedom of research comes into conflict with the fundamental right to data protection under Art. 8 CFR. In these cases, the question arises as to how the publication of personal research data can be as complete and transparent as possible while still complying with data protection requirements.

2. Conflict of fundamental rights

The question of legal conformity in the publication of personal research data is of particular importance as it affects two fundamental rights: The fundamental right to freedom of research and the fundamental right to data protection.

Research has a key function in society. It is fundamental to progress and innovation, making it a matter of public interest. Art. 13 CFR guarantees the freedom of art and science, whereby science is the generic term for research and teaching. There is no legally binding definition of research at European level. Art. 13 CFR is considered to be inspired by the German Basic Law, meaning that case law can be consulted in this regard. According to this, research is an intellectual activity with the aim of gaining new knowledge in a methodical, systematic and verifiable manner, as well as reusing the data on which research results are based and the derived research results themselves for future research. In contrast, data protection law is intended to protect data subjects in the handling of their personal data, which is implemented, among other things, by the principles of data minimization and storage limitation.

If there is a conflict of fundamental rights, a balance must be struck between the affected rights. In the case of the publication of personal research data, the data subjects must be protected on the one hand and social progress through research must not be hindered on the other. This is to be achieved in the GDPR through a balancing concept of privileges and guarantees. The privileges in the processing of personal data for research purposes are implemented through exemptions from the provisions of the GDPR.

This includes, among other things, the exception to the principle of certainty for consent, which arises from Recital 33 GDPR, or the exception to the prohibition of processing of special categories of personal data pursuant to Art. 9 para. 2 lit. j GDPR. As compensation, the controller must provide appropriate safeguards for the protection of data subjects in accordance with Art. 89 para. 1 GDPR.

3. Criteria for the publication of research data

For the legally compliant publication of personal research data, a number of criteria must be observed, which are explained below. The GDPR does not contain a definition of research, but merely refers to a broad interpretation. Thus, the scope of protection of Art. 13 CFR already described must be taken into account.

The GDPR also does not define the term “publication”. However, publication can be defined as making the data accessible to an identifiable or indeterminable group of persons. In some cases, publication is understood as making data accessible to a group of people who were not previously involved. A combination of both definitions appears to make sense.

3.1 Legal basis for publication

The key factor for the lawfulness of processing personal data is the existence of a legal basis. On the basis of the prohibition with reservation of permission, the processing of personal data is only permitted under the exhaustive conditions listed in Art. 6 GDPR. If special categories of personal data are processed, the requirements of Art. 9 GDPR must also be met. Section 27 (4) BDSG is the central provision for the publication of personal research data. This is based on the opening clause of Art. 9 para. 2 lit. j GDPR, but applies to all personal data and does not only refer to the publication of special categories of personal data.

Section 27 (4) BDSG stipulates that the publication of research results is generally subject to the reservation of consent. An exception is only permitted in very limited cases, namely if the publication of the data is essential for the presentation of research results of contemporary history. In this case, Section 27 (4) BDSG itself forms the legal basis for publication, meaning that the consent of the data subjects is not required.

However, the exception is within very narrow limits: for example, the personal research data must initially serve to depict events of contemporary history. Events of contemporary history are potentially all current and historical events in which there is a current public interest.

In addition, the personal data would have to be indispensable for the presentation of the research results of contemporary history. This would only be the case if the research results were incomprehensible or useless without the personal data. Many areas of research will fail because of this requirement at the latest. It will therefore be necessary to obtain the consent of the data subjects before publishing personal research data. This must meet the general requirements of the GDPR for consent.

If the BDSG is not applicable to research institutions, but a state data protection law is, the requirements for the publication of research data that may be standardized there must be observed. Section 24 (4) of the Hessian State Data Protection Act, for example, essentially adopts the provisions of Section 27 (4) BDSG.

Obtaining consent for the publication of research data initially appears to be a relatively large effort for research institutions. However, in the case of research with personal data, the data processing prior to the publication of research data is already regularly based on the consent of data subjects, so that at least the effort for future research projects that are to be based on consent should be manageable, since consent to publication could be obtained at the same time as consent to the (other) processing of the data within the framework of the research project. However, even in such cases, the implementation of the data subject’s right of withdrawal could at least lead to additional work in maintaining the already published research dataset, as the relevant entries would have to be deleted.

3.2 Suitable guarantees

The privileged processing of personal data for research purposes is subject to appropriate safeguards in accordance with Art. 89 para. 1 GDPR as part of the balancing concept of the GDPR. Pursuant to Art. 89 para. 1 sentence 1 GDPR, the controller is obliged to provide appropriate safeguards for the rights and freedoms of data subjects as a counterbalance to the privileges. In particular, technical and organizational measures should ensure compliance with the principle of data minimization.

The practical relevance of Art. 89 (1) GDPR is limited, as the content of the provision does not go beyond what is already regulated elsewhere in the GDPR. With the requirement for appropriate safeguards “in accordance with this Regulation”, Art. 89 para. 1 GDPR refers to the other provisions of the GDPR. The principle of data minimization already results from Art. 5 para. 1 lit. c GDPR. Art. 24 GDPR standardizes the fundamental obligation of the controller to take technical and organizational measures. This is specified in Art. 25 and 32 GDPR.

With regard to the publication of personal research data, it must be examined on a case-by-case basis which measures are necessary and feasible. In the context of research, it must always be checked whether the research purpose can be achieved with anonymized data. If the purpose of the processing cannot be achieved in this way, it must be checked whether pseudonymization is possible instead. When publishing personal research data, it must be checked whether the informative value of the publication is weakened by these measures. If this is the case, the original state of the data should be published in order to ensure review and further processing by the scientific community. Section 27 (1) sentence 2 BDSG also obliges the controller to take “appropriate and specific measures” in the context of processing special categories of personal data in order to protect the interests of the data subject. Section 27 para. 1 BDSG thus implements the requirements of the opening clause from Art. 9 para. 2 lit. j GDPR. Section 27 (1) BDSG ultimately refers to Section 22 (2) sentence 2 BDSG. In addition to what is mentioned in Art. 32 para. 1 GDPR, this includes in particular measures for access, transfer and input control, sensitizing employees, appointing a data protection officer and measures to restrict access. Section 27 (3) BDSG itself requires the anonymization of special categories of personal data as soon as this is possible for the purpose of research or statistics, unless this conflicts with the legitimate interests of the data subject.

3.3 Deletion of published research data

In accordance with the principle of storage limitation in Art. 5 para. 1 lit. e GDPR, personal data may only be stored for as long as it is necessary for the underlying purposes. If this is applied to the publication of personal research data, the question arises as to the period for which storage – and therefore publication – of the data is necessary. It must be taken into account that the research data should become part of the exchange in the scientific community in accordance with Art. 13 CFR. Based on this, new knowledge is gained that serves the general public. In order to achieve this purpose, the research data must be stored for a certain period of time. Storing data for as long as possible is fundamentally in the interest of scientific reproducibility. In this way, it can be guaranteed in the long term that the data is verifiable and available for further development. However, data retention must not be allowed to occur. In its guidelines for safeguarding good scientific practice, the German Research Foundation stipulates that research data should remain accessible and verifiable for ten years. A storage period – and publication – of the data for this period (subject to an earlier withdrawal of consent or request for deletion by data subjects) seems appropriate.

4. Management of the publication of research data

When publishing data, it is generally only possible to exert very limited influence on the extent to which the data is stored, passed on and published by the persons accessing it themselves. Furthermore, the deletion of individual data records from the published data set, which may be necessary on the basis of the revocation of data subjects, can be very time-consuming. One solution to both problems could be to implement a “publication light”, so to speak, in the form of a platform on which the data is made accessible not to the general public but only to the scientific community, and on which the persons accessing the data must register in advance and prove that they belong to the scientific community.

As part of the registration process, the accessing persons could be obliged under data protection law, among other things (depending on the usefulness for the review/interpretation/reproduction of the research results), not to store the data outside the platform and not to allow unauthorized persons access to the platform or to make the data inaccessible to unauthorized persons and to delete it after the 10-year period has expired. The platform could also be used to implement the revocation option for data subjects, which could also significantly reduce the effort required to maintain data records after revocations have been made.

Conclusion

The publication of research data is of central importance for research in order to make research results verifiable, reproducible and interpretable. If the data to be published is personal, it must be published in compliance with data protection regulations. In this context, consent (with very limited exceptions created by national law for research results on contemporary events) is the predominantly relevant legal basis.

Before publishing personal research data, it must first be checked whether this can also be done in an anonymous or at least pseudonymised form. If this is at the expense of verifiability, reproducibility and interpretability, publication of personal, non-pseudonymised data may be considered. To protect data subjects, the publication of personal research data (whether the data is pseudonymised or not) generally requires the consent of the data subjects and can only take place for a period of ten years. In order to adequately protect the data subjects and, in particular, to minimise the risk of further publication by other persons, a ‘publication light’ in the form of a platform with a limited group of persons should be sought where appropriate, in which the persons accessing the data must give assurances under data protection law before they are allowed to access the data.

About the author

Louisa Rudolph, LL.M. is an employee at the Fraunhofer Institute for Secure Information Technology SIT and the National Research Center for Applied Cybersecurity Research ATHENE.
