Ethical review of research and DPIA
When and how to prepare DPIA in research context
Below is advice on how to prepare a DPIA for research. More information on what a DPIA is
The EU General Data Protection Regulation (the “GDPR”) requires that an assessment of the impact of the planned processing of personal data be carried out where the processing is likely to result in a high risk to the rights and freedoms of individuals (GDPR Article 35(1)).
The GDPR refers to such an assessment as a “data protection impact assessment”. The term is abbreviated as the “DPIA”.
- GDPR Article 35(3) lists examples of situations where a DPIA is mandatory. However, the list is non-exhaustive, and a DPIA may also be required in other processing situations.
- For research, Article 35(3)(b) is of particular interest. It provides that a DPIA is required in respect of plans to process, on a large scale,
  - special categories of data, or
  - personal data relating to criminal convictions and offences.
Special categories of data include:
- personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership;
- the processing of genetic data or biometric data for the purpose of uniquely identifying a natural person, or
- data concerning health, or
- data concerning a natural person's sex life or sexual orientation.
Factors to be taken into account when considering if the processing would be on a large scale (according to the EU’s Article 29 Data Protection Working Party):
- the number of data subjects concerned, either as a specific number or as a proportion of the relevant population;
- the volume of data and/or the range of different data items being processed;
- the duration, or permanence, of the data processing activity;
- the geographical extent of the processing activity.
For a more detailed explanation of which factors contribute to the need to carry out a DPIA, see the guidelines published by the EU’s Article 29 Data Protection Working Party (now the European Data Protection Board):
Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679
https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=611236
The above Guidelines also list other scenarios in which a high risk to data subjects may arise, and hence in which a DPIA may also be required. Examples of the scenarios listed in the Guidelines include:
- processing data of vulnerable data subjects (which include, for example, children, employees, mentally ill persons, asylum seekers, the elderly and patients);
- matching or combining datasets, for example datasets originating from two or more data processing operations performed for different purposes and/or by different data controllers, in a way that would exceed the reasonable expectations of the data subject; and
- innovative use or application of new technological or organizational solutions, such as combining fingerprint and face recognition for improved physical access control.
Further, section 31 of the Finnish Data Protection Act requires a DPIA to be carried out if any special categories of data are to be processed AND any of the rights of the data subjects under the GDPR (Articles 15, 16, 18 and 21) would be deviated from. Note that when the DPIA is made because of a deviation from data subjects' rights, it must be submitted to the office of the Finnish Data Protection Ombudsman before the start of the planned processing activities.
The GDPR requires an evaluation of the impacts of the processing and a description of the measures envisaged to address them (GDPR Article 35(7)).
A DPIA is also required under section 31 of the Finnish Data Protection Act if the research processes special categories of personal data and deviates from the data subjects' rights set out in the GDPR.
- Template for DPIA
- Template: DPIA for research purposes
When preparing a DPIA you need to consult the data protection officer at Aalto (GDPR Article 35(2)).
- The DPIA needs to be made known to the Office of the Data Protection Ombudsman via the Aalto data protection officer if there is a deviation from data subjects' rights.
The DPIA shall be carried out before the start of the planned processing activities. It is to be added as an appendix to the research ethics statement request.
Article 35
Data protection impact assessment
1. Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.
2. The controller shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment.
3. A data protection impact assessment referred to in paragraph 1 shall in particular be required in the case of:
(a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
(b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or
(c) a systematic monitoring of a publicly accessible area on a large scale.
…
7. The assessment shall contain at least:
(a) a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
(c) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.
- - -
9. Where appropriate, the controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of processing operations.
- - -
11. Where necessary, the controller shall carry out a review to assess if processing is performed in accordance with the data protection impact assessment at least when there is a change of the risk represented by processing operations.
Article 36
Prior consultation
1. The controller shall consult the supervisory authority prior to processing where a data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.
2. Where the supervisory authority is of the opinion that the intended processing referred to in paragraph 1 would infringe this Regulation, in particular where the controller has insufficiently identified or mitigated the risk, the supervisory authority shall, within period of up to eight weeks of receipt of the request for consultation, provide written advice to the controller and, where applicable to the processor, and may use any of its powers referred to in Article 58. That period may be extended by six weeks, taking into account the complexity of the intended processing. The supervisory authority shall inform the controller and, where applicable, the processor, of any such extension within one month of receipt of the request for consultation together with the reasons for the delay. Those periods may be suspended until the supervisory authority has obtained information it has requested for the purposes of the consultation.
…
Contact the Aalto data protection officer ([email protected]) and send your DPIA form. Note that it will take time to handle the DPIA.
More information
Anni Tuomela
More information on what a DPIA is (only in Finnish)