Personal data can be shared by providing a copy of the data or by granting access to the data. In either case, it is necessary to assess whether the controller has the right to share the personal data. The most typical cases of data sharing are set out below.

4.3.1. Data processing in a research group

Where the representatives of the university, i.e. the data controller, process personal data based on an employment relationship, there are no additional restrictions on such processing under the GDPR. However, general principles such as purpose limitation, minimisation and security (see 1.5) must be kept in mind, which do not allow personal data to be shared with every university employee. Thus, the need for each individual researcher to process personal data must be agreed upon within the research team or the university. For example, the data management plan can list the researchers who have access to personalised data, those who pseudonymise, those who keep the pseudonymisation secret and those who only process pseudonymised data. The data may then only be shared with the researchers identified in the data management plan.

Not all members of the research team may have an employment contract with the university. In this case, they must be authorised to process personal data.

4.3.2. Data processing in collaboration with several research institutions

For larger projects, the responsibility for personal data may be shared between research institutions, in which case attention needs to be paid to their roles and duties. As a general rule, agreements between research institutions should clearly specify the division of responsibilities for data protection and how personal data will be shared. Data protection principles must be respected, according to which personalised data are not accessible to all partners in the project but only to those whose task is to process them. Where possible, data should only be shared between partners in pseudonymised form and using secure solutions.

4.3.3. Data processing in cooperation between the supervisor and the supervisee

In the case of supervision within the university, there are no direct restrictions on sharing personal data, as both the supervisor and the supervisee are representatives of the controller, i.e. the university. Their cooperation and data sharing must be transparent: if the supervisor also sees personalised data, data subjects cannot be promised that no one but the supervisee will process personal data.

4.3.4. Sharing data with other researchers, publishers, repositories or the public

The preferred solution for sharing personal data with a wider audience is to anonymise them beforehand. If this is not possible for some reason, transferring personal data to third parties requires a legal basis – without this, personal data cannot be shared. In addition, it may be a good idea to ask the subjects for broad consent, i.e. for storing and sharing pseudonymised data for possible future research. If personal data are to be shared under section 6 of the Personal Data Protection Act without consent, this should be done in a pseudonymised form.

In addition, the recipient of the personal data must ensure adequate protection. To this end, a separate contract may be concluded with the recipient, setting out the conditions for using personal data, including the division of responsibility between the parties who will have access to the data. For example, it may be possible to place personal data in an open data repository for storage but restrict access to them, ensuring their confidentiality. Before using the repository, it should be ensured that it has data protection terms and conditions in place, which can be found in the terms of use of the service or in a separate document. Many scientific journals also ask authors to provide a data access statement (see 4.3.5).

While the responsibility for the unauthorised sharing of personal data lies with the researcher who has done so, this responsibility inevitably extends to the university as the data controller, which must record and report the data breach (see 3.5).

4.3.5. Conditions for sharing data with publishers

One prerequisite of open science is that the data used in a research project are accessible to all other researchers, either to validate previous research or for completely new studies. To this end, many publishers have established data sharing policies which, if accepted, require authors of articles to share data with other researchers.

It has become a new practice for publishers to require researchers to fill in a data access statement when publishing research articles, describing whether, where and how research data are available to other researchers. Three options for the use of personal data can be included:

  • If the data are already public, the statement should indicate where they are located (in a repository of scientific data or another open data environment);
  • If the data are to be requested from the authors, the statement should indicate that they will only be shared upon request. It is also possible to set additional conditions, for example, that the request can only be made by a researcher with a PhD or by the principal investigator of a study. Such conditions presuppose that there is a good reason why the data cannot simply be disclosed. The researcher requesting the data will be subject to a confidentiality agreement before the transfer of the data;
  • If the data cannot be shared, the reasons why this is not possible or allowed must be explained in the statement. One reason may be the need to protect people’s privacy.