Managing Sensitive Data in the Era of Open Data

A big issue of Open Data is that even though everyone is in favor of it, not as many scientists actually share their data. According to Pablo Diaz, Postdoc at FORS, and Marieke Heers, Senior Researcher at FORS, there are some general challenges to data sharing on a subjective level (e.g. habits, personal views, career), practical level (e.g. lack of know-how, discipline specific guidelines), and normative level (e.g. charters, rights, legal obligations).

In their talk, the speakers focused on one particular challenge, namely on how sensitive data can be managed and shared in the era of Open Data. Sensitive data is, in the eyes of the law, a special category of data. Its processing is subject to strict rules and principles. The most important aspect to realize about data protection is that it is first and foremost about the protection of people, not data. Diaz and Heers outlined the legal framework governing the processing of sensitive data in Switzerland (FADP) and Europe (GDPR). In Switzerland, there are different laws on cantonal and federal level. Which laws apply when depends on the place of the data controller’s establishment, his or her legal status, the geographical location of the data collection, and the sector of activity. Sometimes it is also possible that several laws apply, e.g. Swiss and EU laws.

Because people are at stake, informed consent about any processing of personal data, anonymization, and data protection impact assessment is crucial. While risk assessment and anonymization is not in all cases necessary, informed consent is always mandatory. Furthermore, the two speakers demonstrated how broad the notion of personal data is: anything can be sensitive depending on the context. Therefore, when dealing with sensitive data, it has to be managed with extra care in any case. There is no one-size fits all strategy and risk assessment can help to evaluate the potential impact on the subject, and the magnitude and likelihood of a risk. According to this assessment, an appropriate data protection and openness strategy must be put in place, including e.g. an anonymization strategy and access control. Researchers have to develop a practical sense of these strategies and decisions always have to be in good faith.

• Slides: Sensitive research data →