A Risk Assessment and Legal Compliance Framework for Supporting Personal Data Sharing with Privacy Preservation for Scientific Research
Author: Christos Baloukas, PhD, Senior Research Associate, ICCS
In today's data-driven world, the success of cutting-edge research often hinges on the availability of high-quality data. However, data providers, such as law enforcement agencies, hospitals, and other institutions, are often reluctant to share their data due to concerns about potential leaks, personal data exposure, ethical violations, and the resulting social unrest.
Moreover, the European Union (EU) has established a number of legal frameworks that aim to safeguard individuals’ fundamental rights in the context of various data processing activities while also facilitating the sharing and processing of data to enable innovation. Navigating this complex landscape can be challenging, particularly for developers with limited time and resources. Compliance involves multifaceted requirements, including consent management, data protection principles, risk assessments, and accountability measures.
To ensure safe data sharing, organisations need to implement the following three key elements: (i) privacy-preservation measures that reduce or eliminate the personal data present in the dataset; anonymised data, for example, can still be highly useful for research. (ii) A thorough risk assessment covering potential impacts on individuals, institutions, and society, particularly for data that could have significant ethical and societal implications if misused. (iii) A comprehensive legal agreement that ensures compliance with all applicable regulatory frameworks and reduces risk by enforcing the intended data use and legally binding the requester to refrain from any other uses and activities not foreseen by the initial agreement.
Implementing those vital elements to participate in data-sharing activities requires time and expertise many organisations do not have. Therefore, they prefer to share data with a restricted set of partners, only under certain conditions, or even abstain from data sharing altogether.
In this work, we present a risk assessment and legal compliance framework that provides a comprehensive yet easy-to-use way for organisations to: (i) assess and mitigate relevant risks prior to sharing datasets that include personal data, taking into account several categories of risk (technological, people-related, institutional, legal, etc.) and their potential impact not only on individuals but also on institutions and society. (ii) Generate a licence agreement that ensures legal compliance with the relevant frameworks based on the dataset itself and its intended usage, while also taking into account the proposed mitigation actions so as to include the necessary clauses that reduce risks related to the licence agreement (unintended use, distribution to third parties, etc.).
The proposed framework has been designed to facilitate compliance with the relevant regulatory frameworks. Under European data protection law, the GDPR and LED mandate the performance of a so-called Data Protection Impact Assessment (DPIA) when the envisioned data processing activities are likely to result in a high risk to the rights and freedoms of natural persons.
As these heightened risks are particularly prominent when processing sensitive data relating to criminal offences or using new technologies such as AI applications, it is almost inevitable that the collection, processing, and sharing of FCT (Fight against Crime and Terrorism) data to support innovative research and the development of novel tools would require the execution of a DPIA. In practice, this requires the data controller to provide an extensive description of the planned processing activities, assess the risks they pose to the rights and freedoms of individuals, and take appropriate measures to mitigate these risks.
Accordingly, the scope of the proposed framework is not limited to addressing only security-adjacent threats but instead encompasses a broader field of risks in order to better support data controllers in demonstrating legal compliance. It is for this purpose that the risk assessment also includes concerns relating to the potentially adverse effects of biased datasets being used to train decision-making and support systems, as well as the impact that the processing of sensitive data might have on societal interests like equality and human rights such as privacy and non-discrimination.
Therefore, the proposed approach presents a simple and comprehensive first step for organisations without prior risk assessment experience to assess the risks of sharing their data with other partners for research and to ensure legal compliance when doing so. Being aware of the various threats and the risks that these threats lead to can raise awareness and make organisations and institutions more willing to participate in data-sharing activities. Figure 1 shows the proposed framework and its various steps.
Figure 1: The Proposed Risk Assessment and Legal Compliance Framework.
This framework not only anonymises personal data but also generates a detailed risk evaluation report and a tailored licence agreement for each data-sharing operation, helping organisations to participate in data-sharing activities with greater confidence and legal assurance.