Abstract
The Open Science projects are also aimed at strongly encouraging the use of Cloud technologies and High Performance Computing (HPC), for the benefit of European researchers and universities. The emerging paradigm of Open Science enables an easier access to expert knowledge and material; however, it also raises some challenges regarding the protection of personal data, considering that part of the research data are personal data thus subjected to the EU’s General Data Protection Regulation (GDPR). This paper investigates the concept of scientific research in the field of data protection, with regard both to the European (GDPR) and national (Luxembourg Data Protection Law) legal framework for the compliance of the HPC technology. Therefore, it focuses on a case study, the HPC platform of the University of Luxembourg (ULHPC), to pinpoint the major data protection issues arising from the processing activities through HPC from the perspective of the HPC platform operators. Our study illustrates where the most problematic aspects of compliance lie. In this regard, possible solutions are also suggested, which mainly revolve around (1) standardisation of procedures; (2) cooperation at institutional level; (3) identification of guidelines for common challenges. This research is aimed to support legal researchers in the field of data protection, in order to help deepen the understanding of HPC technology’s challenges and universities and research centres holding an HPC platform for research purposes, which have to address the same issues.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
While before 2020 it might have seemed a utopian vision of science, the current global effort to find a vaccine for the Covid-19 virus seems to have made this vision more concrete.
- 2.
Consider that only in recitals 33, 157, 159, 161, the concept of scientific research is considered separately.
- 3.
Remembering, however, that the result of data processing for statistical purposes is data that can no longer be configured as personal or otherwise aggregated.
- 4.
As mentioned in the previous paragraph, Art. 89 identifies safeguards and exceptions not only for scientific research, but for “processing for archiving purposes in the public interest, scientific or historical research or statistical purposes”; for clearness of exposition, the reference in this paragraph will be limited to scientific research, given the subject under investigation in this paper.
- 5.
Art. 89(1) of the GDPR.
- 6.
“Accordingly, under this exception, medical data collected as part of hospitalisation could not be then used for research purposes without consent”.
- 7.
The ratio of the exception, which also emerges in the wording of recital 53, is that of making a public and general interest of the community prevail over the right of the individual to protection of his or her personal data belonging to personal categories.
- 8.
The European Union has competence to establish provisions relating to the protection of individuals with regard to the processing of personal data in the exercise of activities falling within the scope of EU law, pursuant to art. 16(2) TFEU, reiterated in art. 2(2) GDPR, dedicated to defining the material scope of the Regulation. The conjunction of art. 6 TFEU and Title XIX TFEU, entitled “Research and Technological Development and Space”, highlights the role of support, coordination and completion of the EU, in relation to the action of MSs in this field.
- 9.
Also in the Luxembourg national law the reference is always to “recherche scientifique ou historique ou à des fins statistiques”, and once again for clarity of presentation we simplify the expression, using “scientific research”.
- 10.
They range from the designation of a DPO to the initial determination to the design of a data management plan.
- 11.
The text of the law states: “Le responsable de traitement doit documenter et justifier pour chaque projet à des fins de recherche scientifique ou historique ou à des fins statistiques l’exclusion, le cas échéant, d’une ou plusieurs des mesures énumérées à cet article”.
- 12.
Art. 35(1) GDPR: “A single assessment may address a set of similar processing operations that present similar high risks”.
- 13.
Typically covered at least partially in the Acceptable Use Policy of the ULHPC platform, see: https://hpc.uni.lu/users/AUP.html.
- 14.
Consider the identification of the controllers and processors: if, generally, for each research project, the individual Principal Investigator (PI) should be considered the controller, and the HPC service provider, i.e., the HPC Team, the processor, it must be emphasised that the situation becomes more complicated when the PI is a researcher at the University which itself provides the HPC service. Although the roles of controller and processor are held by two different subjects, they belong to the same organisation that is responsible for both.
- 15.
Art. 5(1)c GDPR.
- 16.
More precisely, changelogs-based auditing capabilities relevant for the GDPR compliance are featured starting recent released versions of Lustre (2.11) and GPFS/Spectrumscale (5.0), the reference filesystems deployed in HPC facilities including the ULHPC.
- 17.
Art. 65(1)8° Luxembourg law on the protection of personal data.
- 18.
ELIXIR, a distributed infrastructure for life-science information, https://elixir-europe.org/.
- 19.
See CSC, a non-profit state enterprise located in Finland: https://research.csc.fi/data-management-planning.
- 20.
An interesting reflection on these issues has been conducted with the Research Center “Area Science Park”, in Trieste (Italy), which holds an integrated environment of cloud computing and HPC capabilities, called “Ecosystem Orfeo”: https://www.areasciencepark.it.
References
Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. In: OJ L119/1 (2016). https://data.europa.eu/eli/reg/2016/679/oj
Council Regulation (EU) 2018/1488, establishing the European High Performance Computing Joint Undertaking. In: OJ L 252 (2018). https://data.europa.eu/eli/reg/2018/1488/oj
Beretta, F.: Cycle of (digital) knowledge production in historical sciences. In: Cappelluti, F., et al. (eds.) Open Science: Rethinking Rewards and Evaluation the Key to Change? Zenodo (2020). https://doi.org/10.5281/zenodo.4141447
Commission Recommendation (EU) 2018/790 on access to and preservation of scientific information. In: OJ L 134, 31 May 2018 (2018). https://data.europa.eu/eli/reco/2018/790/oj
UNESCO, First draft of the UNESCO Recommendation on Open Science (2020). https://en.unesco.org/science-sustainable-future/open-science/recommendation. Accessed 03 Feb 2021
Ayris, P., et al.: Realising the European open science cloud. European Union (2016). https://doi.org/10.2777/940154
European Commission, European Cloud Initiative - Building a competitive data and knowledge economy in Europe, COM/2016/178 final (2016). https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:52016DC0178
Saunders, G., et al.: Leveraging European infrastructures to access 1 million human genomes by 2022. Nat. Rev. Genet. 20(11), 698 (2019). https://doi.org/10.1038/s41576-019-0156-9
Budroni, P., Burgelman, J.-C., Schouppe, M.: Architectures of knowledge: the European open science cloud. ABI Tech. 39(2), 131 (2019). https://doi.org/10.1515/abitech-2019-2006
Wilkinson, M.D., et al.: The FAIR guiding principles for scientific data management and stewardship. Sci. Data 3(1), 4 (2016). https://doi.org/10.1038/sdata.2016.18
Hodson, S., et al.: Turning FAIR into reality: final report and action plan from the European Commission expert group on FAIR data. European Union (2018). https://doi.org/10.2777/1524
European Data Protection Supervisor (EDPS), A Preliminary Opinion on data protection and scientific research (2020). https://edps.europa.eu/sites/edp/files/publication/20-01-06_opinion_research_en.pdf. Accessed 03 Feb 2021
Boniolo, G.: Il pulpito e la piazza. Democrazia, deliberazione e scienze della vita. Cortina Editore, Torino (2010)
Sjöberg, C.M.: Scientific research and academic e-learning in light of the EU’s legal framework for data protection. In: Corrales, M., Fenwick, M., Forgó, N. (eds.) New Technology, Big Data and the Law, pp. 43–63. Springer, Singapore (2017). https://doi.org/10.1007/978-981-10-5038-1_3
Ducato, R.: Data protection, scientific research, and the role of information. Comput. Law Secur. Rev. 37 (2020). https://doi.org/10.1016/j.clsr.2020.105412
Ienca, M., et al.: How the general data protection regulation changes the rules for scientific research. European Parliamentary Research Service (EPRS), Scientific Foresight Unit (STOA) (2019). https://doi.org/10.2861/17421
Manis, M.L.: The processing of personal data in the context of scientific research. The new regime under the EU-GDPR. Biolaw J. 3 (2017). https://doi.org/10.15168/2284-4503-259
Barfield, W., Pagallo, U.: Advanced Introduction to Law and Artificial Intelligence. Edward Elgar Publishing, Cheltenham (2020)
Aurucci, P.: Legal issues in regulating observational studies: the impact of the GDPR on Italian biomedical research. Eur. Data Protect. Law Rev. 5(2), 197–208 (2019). https://doi.org/10.21552/edpl/2019/2/9
Loi du 1er août 2018 portant organisation de la Commission nationale pour la protection des données et du régime général sur la protection des données (Luxembourg Data Protection Law) (2018). https://data.legilux.public.lu/eli/etat/leg/loi/2018/08/01/a686/jo
Trefois, C., Alper, P., Jones, S., Becker, R., et al.: Data protection impact assessment: general LCSB approach for processing research data. Internal report (2018)
Ganzinger, M., Glaab, E., et al.: Biomedical and clinical research data management. In: Systems Medicine: Integrative, Qualitative and Computational Approaches, vol 3. Academic Press (2021)
European Data Protection Board (EDPB), Guidelines on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak, 03 (2020). https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-032020-processing-data-concerning-health-purpose_en. Accessed 03 Feb 2021
Durante, M.: Computational Power: The Impact of ICT on Law. Society and Knowledge. Routledge, London (2021)
Pagallo, U., Casanovas, P., Madelin, R.: The middle-out approach: assessing models of legal governance in data protection, artificial intelligence, and the web of data. Theory Pract. Legislation 7(1) (2019). https://doi.org/10.1080/20508840.2019.1664543
Pagallo, U.: The legal challenges of big data: putting secondary rules first in the field of EU data protection. Eur. Data Prot. L. Rev. 3 (2017). https://doi.org/10.21552/edpl/2017/1/7
University of Leicester. https://le.ac.uk/ias/policies-and-resources. Accessed 03 Feb 2021
ULC. https://www.ucl.ac.uk/data-protection/data-protection-overview/online-training/data-protection-online-training. Accessed 03 Feb 2021
NIST SP 800–30 Rev. 1: Guide for Conducting Risk Assessments, Technical report (2012). https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final. Accessed 03 Feb 2021
ISO/IEC 27002:2013: Information technology, Security techniques, Code of practice for information security controls. https://www.iso.org/standard/54533.html. Accessed 03 Feb 2021
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
Paseri, L., Varrette, S., Bouvry, P. (2021). Protection of Personal Data in High Performance Computing Platform for Scientific Research Purposes. In: Gruschka, N., Antunes, L.F.C., Rannenberg, K., Drogkaris, P. (eds) Privacy Technologies and Policy. APF 2021. Lecture Notes in Computer Science(), vol 12703. Springer, Cham. https://doi.org/10.1007/978-3-030-76663-4_7
Download citation
DOI: https://doi.org/10.1007/978-3-030-76663-4_7
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-76662-7
Online ISBN: 978-3-030-76663-4
eBook Packages: Computer ScienceComputer Science (R0)