Case Study

Data protection record of processing activities and privacy notice generator toolkit by EMBL’s European Bioinformatics Institute

[version 1; peer review: 2 approved with reservations]
PUBLISHED 05 May 2022

This article is included in the EMBL-EBI collection.

Abstract

EMBL-EBI, Europe's biomolecular data hub, is a world leader in managing and analysing big data in biology and making it freely available to scientists worldwide. Researchers can access the open data resources and related services of EMBL-EBI by submitting minimal personal data. In May 2018, following the enforcement of the European Data Protection Regulation (GDPR), EMBL adopted the EMBL Internal Policy no. 68 on General Data Protection. It reflects European data protection principles while remaining within the bounds of EMBL's international legal status. As a result of GDPR and EMBL's Internal Policy No. 68 coming into force, 190 EMBL-EBI user-facing services that processed personal data in 2018 were required to have Records of Processing Activities (RoPA) and Privacy Notices (PN). EMBL-EBI's solution was to develop a Data Protection Engine (DPE) that automatically generates RoPA and PN when a service owner answers a series of questions. In addition to maintaining a centrally located database for RoPAs and PNs, the DPE tracks changes to the documents, as well as providing versioning and time-stamped updates. It is the aim of this article to share the EMBL-EBI IT department’s experience with designing and implementing the DPE and providing a toolkit to let others develop a similar solution and benefit from our experience. Implementation steps, benefits, challenges, opportunities, and practices are discussed and critically analysed.

Keywords

Data protection, personal data, GDPR, research infrastructures, intergovernmental organisations, privacy notice, record of processing activities.

Introduction

The European Molecular Biology Laboratory (EMBL) is the leading intergovernmental laboratory for life science research in Europe. It aims to advance the study and understanding of molecular biology, train young scientists and foster innovation in science and technology alike. It has six sites in five host nations, one of which is EMBL’s European Bioinformatics Institute (EMBL-EBI).

EMBL is an intergovernmental organisation, subject to international public law, entrusted with a number of privileges and immunities necessary for its functions. Accordingly, it has the power to self-regulate data protection. Such self-regulation is necessary to take account of EMBL’s status as an intergovernmental organisation, and its focus on scientific research beyond national borders.1 The EMBL Internal Policy no. 68 on General Data Protection defines EMBL's self-regulation in response to the requirements of the European General Data Protection Regulation (GDPR), which came into force in May 2018.2

As a result of the GDPR and the forthcoming EMBL Internal Policy no. 68 requirements, EMBL-EBI had to prepare nearly 200 Records of Processing Activities (RoPA) and Privacy Notices (PN) for data processing activities, including scientific and IT services, within less than four months. To expedite and automate this process, EMBL-EBI developed the Data Protection Engine (DPE), which uses a set of questions and templates to automatically generate all the required documents.

Steps to design the Data Protection Engine

To simplify the design of the DPE, we used a form to collect the necessary information from Service Owners regarding their data processing activities in order to generate RoPAs and PNs automatically. The information collected in the form is used to complete templates for RoPAs and PNs.

With the templates and questionnaire ready, we defined the DPE workflow to facilitate collaboration between staff, service owners, and data protection specialists.

As soon as the workflow design was complete, the implementation began, and notifications were added to improve workflow management.

Creating the templates for Records of Processing Activities

The RoPAs are inventories of the personal data that is being processed and how it is being processed. In our analysis, we determined that we needed at least two RoPA templates: one for EMBL-EBI to use as a data controller, the other for EMBL-EBI to use as a data processor. On occasion, EMBL-EBI acts as a joint data controller, but these cases are not as common. In such cases, EMBL-EBI will share the data controller RoPA template with other controllers so they can use it to jointly define the content and shape.

The template for EMBL-EBI as a data controller reflects that it is processing the personal data and determines the purposes and means of the processing of personal data (see Template 1, Extended data3). There are three main sections in the template: data controller information, data processor information, and data protection impact assessment.

The template for EMBL-EBI as a data processor reflects that it is processing the personal data on behalf of a data controller, and the purposes and means of the processing of personal data defined by the data controller (see Template 2, Extended data3). There are two main sections in the template: data processor information, and data protection impact assessment.

The information required to fill out the RoPA templates has been identified, and different scenarios have been considered. The options included in the templates also reflect some of the most common scenarios, such as the types of personal data processed and their purposes.

Creating the templates for Privacy Notices

The PN offers data subjects (in our case service users) information about how an organisation processes personal data and complies with data protection principles. Two PN templates were created. The first PN template is for use by EMBL-EBI when it is a data controller, and it collects personal data directly from data subjects. The second template is to be used when EMBL-EBI is a data controller and it collects personal data indirectly, such as when another organisation provides the data. When EMBL-EBI performs the function of a joint data controller, it shares the PN template with other controllers in order to define content and structure jointly.

The PN template for a data controller who obtains personal data directly from data subjects (see Template 3, Extended data3) and the PN template for a data controller who does not obtain personal data directly from data subjects (see Template 4, Extended data3) have the same structure. Both include seven sections: who controls the personal data and how to contact them, the lawful basis for processing personal data, how personal data is collected and used, who has access to the personal data, data transfers to third parties or international organisations, data retention, and data subject rights.

Different cases have been analysed to determine what information is needed to fill out the PN templates. The options included in the templates also reflect some of the most common scenarios, like who will have access to the personal data.

Summary of the documents to be generated by the DPE

In different scenarios, different results will be generated by the DPE. Mainly, we have to consider where the personal data comes from in addition to the freedom to decide how the data is to be processed. Documents generated by the DPE are summarised in Table 1.

Table 1. Outcomes produced by the Data Protection Engine (DPE), mainly Privacy Notices (PN) and Records of Processing Activities (RoPA) based on the personal data origin and level of freedom for European Molecular Biology Laboratory-European Bioinformatics Institute to decide how to process it.

| | Personal data obtained from users | Personal data not obtained from users (e.g. from other organisations) |
| --- | --- | --- |
| EMBL-EBI decides how to process personal data | RoPA as a Data Controller; PN for data obtained from data subjects | RoPA as a Data Controller; PN for data not obtained from data subjects |
| EMBL-EBI has to agree with other organisations how to process the personal data | RoPA as a Joint Data Controller; PN for data obtained from data subjects (they will be generated using the DPE manual mode) | RoPA as a Joint Data Controller; PN for data not obtained from data subjects |
| EMBL-EBI processes the personal data based on instructions from other organisations | RoPA as a Data Processor; PN for data obtained from data subjects | RoPA as Data Processor |

In the case of EMBL-EBI being a Joint data controller with other organisations, both the RoPA and the PN will be created using the DPE manual mode, a mode developed to create tailored documents.

Creating the Data Protection Engine questionnaire

The questionnaire includes all questions necessary to obtain the information that can be used to complete the templates, as well as some information that is useful for monitoring purposes or to communicate with an appropriate contact.

Because the DPE was created when the GDPR was to come into force and there was a high level of uncertainty regarding the exact requirements, we wanted a comprehensive questionnaire to allow us to expand the RoPAs and PNs as needed.

The questionnaire (see Template 5, Extended data3) includes nine main sections that cover data on the data processor or data controller, basic information on the service that processes the personal data, sources of personal data, personal data processing responsibilities, time limits for erasure of personal data, technical and security measures used to protect personal data, a short data protection impact assessment, and the lawful basis for processing personal data.

The questions are written with EMBL and EMBL-EBI in mind; however, they can be easily adapted to request information about the processing of personal data by other organisations, as can the templates.

Designing the EMBL-EBI Data Protection Engine workflow

The key aim of the DPE is to facilitate the creation and review of RoPAs and PNs and to coordinate the interactions of the many roles involved: service owner, team leader and data protection administrator (DP Admin). The service owner is the operational contact for the service. A service owner reports to the team leader, who is ultimately responsible for the service processing personal data. Data protection administrators provide support to the service owner and team lead on all data protection questions and review the information they provide in the DPE.

The following workflow shows how to use the DPE, from reading the user guidelines to publishing the RoPA and PN with the automatic mode, when the questionnaire generates the RoPA, and when the content needs to be customised (Figure 1).

Figure 1. Data Protection Engine (DPE) Workflow to create automatic or tailored Records of Processing Activities (RoPA) and Privacy Notices (PN).

The workflow involves actions by Data Protection Administrator (DP Admin), Service Owner and Group Team Leader (GTL) among others. This figure is an original figure produced by the authors for this review article.

The process for manual and automatic creation is nearly identical, with only one difference: the second step for manual creation already requires the involvement of the data protection specialist, who holds the role of DP Admin, and reviews all responses to the questionnaire, called the DPE record. When the manual mode is selected, there is a warning displayed to the users saying “Manual mode will freeze all the answers to the questionnaire not being able to be modified later and keep all the selected values. Only the Data Protection administrator can edit the Record of Processing Activities and Privacy Notice manually”.

Manual creation also has the disadvantage that any changes to the RoPA and PN will have to be made manually. Automatic creation, on the other hand, only requires updating relevant fields in the questionnaire to generate new versions of these documents.

There are notifications going to the Service Owner, Team Leader, and Data Protection Administrators, as we can see from the workflow. To ensure that there is always someone available to assist DPE users, the notifications to the Data Protection Administrators can include a list of people.

Data Protection Engine current status and future work

In January 2022, we had 259 Records of Processing Activities and Privacy Notices, of which 10 were customised. Overall, the DPE has proved its usefulness with the vast majority of data processing activities following common patterns. Our decision to provide a manual option for the few uncommon cases that cannot be covered with the automatic approach appears justified.

In the near future, we intend to improve notifications and send reminders to the data protection support team if requests aren't handled after one day. Additionally, we would like to make the options provided by the questionnaire regarding personal data retention periods more specific.

It will also be necessary to review the templates with the EMBL Data Protection Officer in the long term, since the requirements of EMBL IP 68 and GDPR are clearer today.

In the future, the DPE could be expanded as a data protection service hub by designating Data Protection Assessment as a separate entity from RoPA and PN, including links to documentation and training for EMBL staff, on demand video training for new joiners, and gathering together all the guidelines and instructions for implementation that we have collected over the years.

Conclusion

The toolkit includes the questionnaire to collect information from service owners and store it in a central repository, the templates to generate RoPA and PN, a recommendation to offer the possibility to create manual RoPAs and PN if they need to be tailored, for example if a specific format or look and feel is required, and the workflow designed to develop the DPE. This project saved EMBL-EBI considerable time and helped standardise data protection practices, and we are confident that it can help other organisations as well.

Data availability

Underlying data

No underlying data are associated with this article.

Extended data

Open Science Framework: Supplementary materials for the Data Protection Record of Processing Activities and Privacy Notice generator toolkit by EMBL’s European Bioinformatics Institute. https://doi.org/10.17605/OSF.IO/S856G.3

This project contains the following extended data:

  • 01-DP-Article-Template1-RoPA-Data Controller.docx
  • 02-DP-Article-Template2-RoPA-DataProcessor.docx
  • 03-DP-Article-Template3-PN-DataFromDataSubject.docx
  • 04-DP-Article-Template4-PN-DataNotFromDataSubject.docx
  • 05-DP-Article-Questionnaire.docx

Data are available under the terms of the Creative Commons Attribution 4.0 International license (CC-BY 4.0).

How to cite this article
González Ferreiro M and Newhouse S. Data protection record of processing activities and privacy notice generator toolkit by EMBL’s European Bioinformatics Institute [version 1; peer review: 2 approved with reservations]. F1000Research 2022, 11:500 (https://doi.org/10.12688/f1000research.121363.1)
Open Peer Review

Reviewer Report 09 May 2023
Harshvardhan Pandit, School of Computing, ADAPT Centre, Dublin City University, Dublin, Leinster, Ireland 
Approved with Reservations
The article describes a case study where an organisation has fulfilled its obligation to manage ROPA and Privacy Notices based on the GDPR. The use of document templates to manage collection and approval processes within the organisation is described, and ...
Pandit H. Reviewer Report For: Data protection record of processing activities and privacy notice generator toolkit by EMBL’s European Bioinformatics Institute [version 1; peer review: 2 approved with reservations]. F1000Research 2022, 11:500 (https://doi.org/10.5256/f1000research.133226.r170480)
Reviewer Report 12 May 2022
Mikael Linden, CSC - IT Center for Science, Espoo, Finland 
Approved with Reservations
Having the documentation required by GDPR, such as Privacy Notice (PN) and Records of Processing Activities (RoPA), is a non-trivial task in an organisation like EMBL-EBI which has hundreds of personal data filing systems. The paper describes a tool and ...
Linden M. Reviewer Report For: Data protection record of processing activities and privacy notice generator toolkit by EMBL’s European Bioinformatics Institute [version 1; peer review: 2 approved with reservations]. F1000Research 2022, 11:500 (https://doi.org/10.5256/f1000research.133226.r137469)