Skip to main content
SpringerLink
Log in

Protection of Personal Data in High Performance Computing Platform for Scientific Research Purposes

  • Conference paper
  • First Online:
Privacy Technologies and Policy (APF 2021)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 12703))

Included in the following conference series:

  • 766 Accesses

Abstract

The Open Science projects are also aimed at strongly encouraging the use of Cloud technologies and High Performance Computing (HPC), for the benefit of European researchers and universities. The emerging paradigm of Open Science enables an easier access to expert knowledge and material; however, it also raises some challenges regarding the protection of personal data, considering that part of the research data are personal data thus subjected to the EU’s General Data Protection Regulation (GDPR). This paper investigates the concept of scientific research in the field of data protection, with regard both to the European (GDPR) and national (Luxembourg Data Protection Law) legal framework for the compliance of the HPC technology. Therefore, it focuses on a case study, the HPC platform of the University of Luxembourg (ULHPC), to pinpoint the major data protection issues arising from the processing activities through HPC from the perspective of the HPC platform operators. Our study illustrates where the most problematic aspects of compliance lie. In this regard, possible solutions are also suggested, which mainly revolve around (1) standardisation of procedures; (2) cooperation at institutional level; (3) identification of guidelines for common challenges. This research is aimed to support legal researchers in the field of data protection, in order to help deepen the understanding of HPC technology’s challenges and universities and research centres holding an HPC platform for research purposes, which have to address the same issues.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    While before 2020 it might have seemed a utopian vision of science, the current global effort to find a vaccine for the Covid-19 virus seems to have made this vision more concrete.

  2. 2.

    Consider that only in recitals 33, 157, 159, 161, the concept of scientific research is considered separately.

  3. 3.

    Remembering, however, that the result of data processing for statistical purposes is data that can no longer be configured as personal or otherwise aggregated.

  4. 4.

    As mentioned in the previous paragraph, Art. 89 identifies safeguards and exceptions not only for scientific research, but for “processing for archiving purposes in the public interest, scientific or historical research or statistical purposes”; for clearness of exposition, the reference in this paragraph will be limited to scientific research, given the subject under investigation in this paper.

  5. 5.

    Art. 89(1) of the GDPR.

  6. 6.

    “Accordingly, under this exception, medical data collected as part of hospitalisation could not be then used for research purposes without consent”.

  7. 7.

    The ratio of the exception, which also emerges in the wording of recital 53, is that of making a public and general interest of the community prevail over the right of the individual to protection of his or her personal data belonging to personal categories.

  8. 8.

    The European Union has competence to establish provisions relating to the protection of individuals with regard to the processing of personal data in the exercise of activities falling within the scope of EU law, pursuant to art. 16(2) TFEU, reiterated in art. 2(2) GDPR, dedicated to defining the material scope of the Regulation. The conjunction of art. 6 TFEU and Title XIX TFEU, entitled “Research and Technological Development and Space”, highlights the role of support, coordination and completion of the EU, in relation to the action of MSs in this field.

  9. 9.

    Also in the Luxembourg national law the reference is always to “recherche scientifique ou historique ou à des fins statistiques”, and once again for clarity of presentation we simplify the expression, using “scientific research”.

  10. 10.

    They range from the designation of a DPO to the initial determination to the design of a data management plan.

  11. 11.

    The text of the law states: “Le responsable de traitement doit documenter et justifier pour chaque projet à des fins de recherche scientifique ou historique ou à des fins statistiques l’exclusion, le cas échéant, d’une ou plusieurs des mesures énumérées à cet article”.

  12. 12.

    Art. 35(1) GDPR: “A single assessment may address a set of similar processing operations that present similar high risks”.

  13. 13.

    Typically covered at least partially in the Acceptable Use Policy of the ULHPC platform, see: https://hpc.uni.lu/users/AUP.html.

  14. 14.

    Consider the identification of the controllers and processors: if, generally, for each research project, the individual Principal Investigator (PI) should be considered the controller, and the HPC service provider, i.e., the HPC Team, the processor, it must be emphasised that the situation becomes more complicated when the PI is a researcher at the University which itself provides the HPC service. Although the roles of controller and processor are held by two different subjects, they belong to the same organisation that is responsible for both.

  15. 15.

    Art. 5(1)c GDPR.

  16. 16.

    More precisely, changelogs-based auditing capabilities relevant for the GDPR compliance are featured starting recent released versions of Lustre (2.11) and GPFS/Spectrumscale (5.0), the reference filesystems deployed in HPC facilities including the ULHPC.

  17. 17.

    Art. 65(1)8° Luxembourg law on the protection of personal data.

  18. 18.

    ELIXIR, a distributed infrastructure for life-science information, https://elixir-europe.org/.

  19. 19.

    See CSC, a non-profit state enterprise located in Finland: https://research.csc.fi/data-management-planning.

  20. 20.

    An interesting reflection on these issues has been conducted with the Research Center “Area Science Park”, in Trieste (Italy), which holds an integrated environment of cloud computing and HPC capabilities, called “Ecosystem Orfeo”: https://www.areasciencepark.it.

References

  1. Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. In: OJ L119/1 (2016). https://data.europa.eu/eli/reg/2016/679/oj

  2. Council Regulation (EU) 2018/1488, establishing the European High Performance Computing Joint Undertaking. In: OJ L 252 (2018). https://data.europa.eu/eli/reg/2018/1488/oj

  3. Beretta, F.: Cycle of (digital) knowledge production in historical sciences. In: Cappelluti, F., et al. (eds.) Open Science: Rethinking Rewards and Evaluation the Key to Change? Zenodo (2020). https://doi.org/10.5281/zenodo.4141447

  4. Commission Recommendation (EU) 2018/790 on access to and preservation of scientific information. In: OJ L 134, 31 May 2018 (2018). https://data.europa.eu/eli/reco/2018/790/oj

  5. UNESCO, First draft of the UNESCO Recommendation on Open Science (2020). https://en.unesco.org/science-sustainable-future/open-science/recommendation. Accessed 03 Feb 2021

  6. Ayris, P., et al.: Realising the European open science cloud. European Union (2016). https://doi.org/10.2777/940154

  7. European Commission, European Cloud Initiative - Building a competitive data and knowledge economy in Europe, COM/2016/178 final (2016). https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:52016DC0178

  8. Saunders, G., et al.: Leveraging European infrastructures to access 1 million human genomes by 2022. Nat. Rev. Genet. 20(11), 698 (2019). https://doi.org/10.1038/s41576-019-0156-9

  9. Budroni, P., Burgelman, J.-C., Schouppe, M.: Architectures of knowledge: the European open science cloud. ABI Tech. 39(2), 131 (2019). https://doi.org/10.1515/abitech-2019-2006

    Article  Google Scholar 

  10. Wilkinson, M.D., et al.: The FAIR guiding principles for scientific data management and stewardship. Sci. Data 3(1), 4 (2016). https://doi.org/10.1038/sdata.2016.18

    Article  Google Scholar 

  11. Hodson, S., et al.: Turning FAIR into reality: final report and action plan from the European Commission expert group on FAIR data. European Union (2018). https://doi.org/10.2777/1524

  12. European Data Protection Supervisor (EDPS), A Preliminary Opinion on data protection and scientific research (2020). https://edps.europa.eu/sites/edp/files/publication/20-01-06_opinion_research_en.pdf. Accessed 03 Feb 2021

  13. Boniolo, G.: Il pulpito e la piazza. Democrazia, deliberazione e scienze della vita. Cortina Editore, Torino (2010)

    Google Scholar 

  14. Sjöberg, C.M.: Scientific research and academic e-learning in light of the EU’s legal framework for data protection. In: Corrales, M., Fenwick, M., Forgó, N. (eds.) New Technology, Big Data and the Law, pp. 43–63. Springer, Singapore (2017). https://doi.org/10.1007/978-981-10-5038-1_3

    Chapter  Google Scholar 

  15. Ducato, R.: Data protection, scientific research, and the role of information. Comput. Law Secur. Rev. 37 (2020). https://doi.org/10.1016/j.clsr.2020.105412

  16. Ienca, M., et al.: How the general data protection regulation changes the rules for scientific research. European Parliamentary Research Service (EPRS), Scientific Foresight Unit (STOA) (2019). https://doi.org/10.2861/17421

  17. Manis, M.L.: The processing of personal data in the context of scientific research. The new regime under the EU-GDPR. Biolaw J. 3 (2017). https://doi.org/10.15168/2284-4503-259

  18. Barfield, W., Pagallo, U.: Advanced Introduction to Law and Artificial Intelligence. Edward Elgar Publishing, Cheltenham (2020)

    Book  Google Scholar 

  19. Aurucci, P.: Legal issues in regulating observational studies: the impact of the GDPR on Italian biomedical research. Eur. Data Protect. Law Rev. 5(2), 197–208 (2019). https://doi.org/10.21552/edpl/2019/2/9

    Article  Google Scholar 

  20. Loi du 1er août 2018 portant organisation de la Commission nationale pour la protection des données et du régime général sur la protection des données (Luxembourg Data Protection Law) (2018). https://data.legilux.public.lu/eli/etat/leg/loi/2018/08/01/a686/jo

  21. Trefois, C., Alper, P., Jones, S., Becker, R., et al.: Data protection impact assessment: general LCSB approach for processing research data. Internal report (2018)

    Google Scholar 

  22. Ganzinger, M., Glaab, E., et al.: Biomedical and clinical research data management. In: Systems Medicine: Integrative, Qualitative and Computational Approaches, vol 3. Academic Press (2021)

    Google Scholar 

  23. European Data Protection Board (EDPB), Guidelines on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak, 03 (2020). https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-032020-processing-data-concerning-health-purpose_en. Accessed 03 Feb 2021

  24. Durante, M.: Computational Power: The Impact of ICT on Law. Society and Knowledge. Routledge, London (2021)

    Book  Google Scholar 

  25. Pagallo, U., Casanovas, P., Madelin, R.: The middle-out approach: assessing models of legal governance in data protection, artificial intelligence, and the web of data. Theory Pract. Legislation 7(1) (2019). https://doi.org/10.1080/20508840.2019.1664543

  26. Pagallo, U.: The legal challenges of big data: putting secondary rules first in the field of EU data protection. Eur. Data Prot. L. Rev. 3 (2017). https://doi.org/10.21552/edpl/2017/1/7

  27. University of Leicester. https://le.ac.uk/ias/policies-and-resources. Accessed 03 Feb 2021

  28. ULC. https://www.ucl.ac.uk/data-protection/data-protection-overview/online-training/data-protection-online-training. Accessed 03 Feb 2021

  29. NIST SP 800–30 Rev. 1: Guide for Conducting Risk Assessments, Technical report (2012). https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final. Accessed 03 Feb 2021

  30. ISO/IEC 27002:2013: Information technology, Security techniques, Code of practice for information security controls. https://www.iso.org/standard/54533.html. Accessed 03 Feb 2021

Download references

Author information

Authors and Affiliations

  1. CIRSFID, University of Bologna, Via Galliera 3, 40121, Bologna, Italy

    Ludovica Paseri

  2. FSTM, University of Luxembourg, 2, Avenue de l’Université, 4365, Esch-sur-Alzette, Luxembourg

    Sébastien Varrette & Pascal Bouvry

Authors
  1. Ludovica Paseri
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Sébastien Varrette
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Pascal Bouvry
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Ludovica Paseri .

Editor information

Editors and Affiliations

  1. University of Oslo, Oslo, Norway

    Nils Gruschka

  2. Department of Computer Science, University of Porto, Porto, Portugal

    Luís Filipe Coelho Antunes

  3. Goethe University Frankfurt, Frankfurt, Germany

    Kai Rannenberg

  4. ENISA, Athens, Greece

    Prokopios Drogkaris

Rights and permissions

Reprints and permissions

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Paseri, L., Varrette, S., Bouvry, P. (2021). Protection of Personal Data in High Performance Computing Platform for Scientific Research Purposes. In: Gruschka, N., Antunes, L.F.C., Rannenberg, K., Drogkaris, P. (eds) Privacy Technologies and Policy. APF 2021. Lecture Notes in Computer Science(), vol 12703. Springer, Cham. https://doi.org/10.1007/978-3-030-76663-4_7

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-76663-4_7

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-76662-7

  • Online ISBN: 978-3-030-76663-4

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation