D7.8 Continuous Monitoring of Legal Ethical Definitions, and Compliance and Measures against Improper Use of Data, Version 3

Authors

Andrew Muddiman, Deborah Markham, Kerstin Junge, Christian Reuter, Thomas Ludwig, Rajendra Akerkar, Massimo Cristaldi, Federico Sangiorgio

Abstract

EmerGent aims to understand the impact of social media in emergencies and will therefore potentially handle large quantities of social media data. To ensure that the project respects the privacy of social media users, the EmerGent consortium must be aware of, and compliant with, European laws on data protection and privacy. We are therefore continually monitoring the relevant laws, and this document provides a summary of our findings to date. It also describes the measures that will be in place to prevent improper use or disclosure of the data, and to ensure the forensic readiness of our system. To allow us to continually consider and evaluate data protection risks, an updated Privacy Impact Assessment is provided, which will be used for the remainder of the project for identifying, assessing and recording risks. This document builds on and updates deliverables D7.6 Continuous Monitoring of Legal Ethical Definitions, and Compliance and Measures against Improper Use of Data Version 1 and D7.7 Continuous Monitoring of Legal Ethical Definitions, and Compliance and Measures against Improper Use of Data Version 2.

Purpose of the Document

This deliverable provides a description of the European data protection and privacy laws relevant to the EmerGent project. In section 2, we discuss the introduction of the General Data Protection Regulation (GDPR), which was published in the Official Journal of the European Union (accessible at http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L:2016:119:TOC) on 04/05/2016 and entered into force on 25/05/2016. It applies from 25/05/2018, two years after its entry into force; as a regulation it is directly applicable in every EU member state and does not need to be transposed into national law, although member states may adopt national legislation where the GDPR leaves them room to do so.

The GDPR thus sets the data protection framework for each EU country; in section 3 we look at how it affects the law in the UK, where the technical infrastructure is initially hosted. In section 4, we look at the roles of controllers and processors and the suggested assignment of these roles within the EmerGent project. In section 5, we explain the measures we are taking to ensure compliance with these legal requirements throughout the project. In particular, we include a detailed discussion of the security measures we will implement in our system to prevent improper use, improper data disclosure and mission creep (data used for unintended purposes by project partners or a third party), and to provide forensic readiness.

Additionally, in section 6, we confirm the guidelines for the project's Privacy Impact Assessment, which allows a more thorough evaluation and mitigation of risks than was previously in place. Having this procedure in place ensures that we have a process for identifying, assessing and recording risks, and that all partners have a clear understanding of the steps to be taken. This is the final version of this deliverable; it accounts for the evolution of the law and for the further requirements at M40.

In section 7, we introduce the controls we have created to handle data breaches and subject access and data requests, as well as how we will comply with the "right to erasure".

Lastly, in section 8 we look at the state of the art and best practice in ethical research and innovation and discuss its potential effects on the EmerGent project.