Sharing data in the light of the new data protection law

The duty to inform is the main change.

Not really. Security remains the watchword. The idea is to comply with the highest standards in force, and to design for safety right from the start (by default).

In addition, you should avoid working with cloud-based storage solutions that are based in countries with insufficient levels of protection. Besides, outsourcing storage is data communication.

There is no retroactive effect. Anything done in the past under the old legal framework remains legal. Current processing, on the other hand, must comply with the new laws (note that universities are subject to cantonal law).

It depends. If you are affiliated with a federal institution, federal law applies. If you are affiliated with a cantonal institution, cantonal law applies. If you are a private person carrying out research in Switzerland, federal law applies (private persons section). If you carry out research on EU citizens because of their citizenship (targeting), GDPR applies, and if you carry out research on EU territory, Swiss + EU law apply.

Concerning historical data, archive laws and data protection laws work in combination. In general, personal data stored in public archives may be used with the authorization of the authority that archived it. The authority takes the decision on the basis of the data protection law.

Yes, we are on the lists of safe countries.

Anything done in the past under the old legal framework remains legal. Current processing, on the other hand, must comply with the new laws (note that universities are subject to cantonal law).

As far as “public” people are concerned, researchers need to make an assessment of their importance (relative or absolute) in contemporary history when it comes to using their personal data. Several factors come into play. The important thing is to have sound reasoning.

This is possible, provided the right conditions are met: acceptable risk, explicit consent, security, access control, etc.

Data on deceased persons is not personal data anymore.

The law allows the use of personal data that has been made available to everyone without formal opposition to its collection. What’s more, “public” people are less covered than ordinary people (according to case law) when it comes to information linked to the reason for which they are known. That said, a case-by-case analysis should always be carried out (with an expert in the field if possible).

Participants need to be informed about the categories of recipients. An AI is not a recipient. In other words, mention that you will be working with cloud-based solutions developed by EU companies, and that the information will be stored temporarily on secure servers in line with national data protection law.

Theoretically, the duty to inform is absolute. That said, when data is transmitted by an authority, we may consider that we are entitled to use them.

The duty to inform concerns both those who share (information on data communication) and those who download (information on data collection). The best scenario is to have data whose collection and sharing have already been adequately informed by the primary team. NB: if it is impossible to contact people again, or would require a disproportionate effort, the duty to inform can be renegotiated.

It depends on the social media policy. Is there an opposition to collection? Is it allowed by general terms and conditions? Otherwise, yes, it is imperative to inform.

Yes, that’s it. This said, it also depends on the difficulty of contacting people. It is on a case-to-case basis.

In such cases (especially where data is collected from a third party), it is possible to provide information afterwards.

It depends on what was said to people in the first place (data made public to everybody?) as well as the difficulty to contact them (are the addresses available?)

“General consent” is used to enable the re-use of data without having to systematically contact people again. Note, however, that such consent does not really exist under the general data protection regime. If the “secondary” project doesn’t fall under the LRH, care must be taken. In that case, it would be necessary to check what has been promised in the general consent and what has been decided by the ethics commission. If the project falls within the scope of the LRH, this question must be discussed with the relevant cantonal ethics commission.

There is no standard. Depending on the case, it’s best to store them securely, separately from the rest.

A violation of data protection rights could be justified by the notion of overriding public interest. However, it must be demonstrated that the social impact of the research outweighs the interest in defending the fundamental rights of the individual (which is very difficult). An impact/risk assessment must therefore be carried out. It all depends on the type of research and the type of positive/negative impact it may have.

Responsibility lies with the data controller(s), i.e., the people who decide what is or isn’t done with the data (depending on the case, this may be the institution, the researcher, etc.). The archive is a subcontractor.

Anonymization is a process. It requires informed consent at the collection stage and information about the anonymization process. If the data is collected anonymously, it’s a different matter.

Yes, it can be mentioned. What happens is that it’s very difficult to achieve full anonymization (in the legal sense of the word). It’s better to assume that you have personal data (which you can de-identify as much as possible). It is possible to say that de-identified data will be shared, and set up conditions (e.g., for access) that will limit the re-identification of participants as much as possible.

It all depends on what’s in the data. If they contain information that (directly or indirectly, e.g., by cross-referencing) can be used to identify individuals, then they are personal data. If you remove the IDs and there are otherwise no identifiable data, then you can share the data freely.

Transfers to the USA must be carefully thought through and planned (e.g., by obtaining people’s explicit consent). If it turns out that it is not legal to transfer data to the USA, then it is up to the researcher to request control over access to the data (which SWISSUbase can put in place).

Personal data are communicated to a journal in order to make them available to the scientific community. In this kind of case, it’s a good idea to have a contract delimiting this situation (in addition to having informed people of this, or even better, obtained their explicit consent). This contract can be a kind of subcontracting agreement. Be careful, however, if the journal is in the USA.

It seems that you can use the data until the end of the agreement. That said, it’s hard to answer without more context on the data linkage and data agreement in question.

It seems that you can use the data until the end of the agreement. That said, it’s hard to answer without more context on the data linkage and data agreement in question.

For depositing data on SWISSUbase: There is no cost for (1) researchers from the social sciences and linguistics from any institute of higher education in Switzerland, and (2) researchers from any faculty at UNIL and any faculty at UNINE. We are working on extending SWISSUbase to cater to the needs of researchers in additional disciplines and institutions across Switzerland.

For data download from the public catalogue: This is free for any researcher in Switzerland, no matter the affiliation.

The person depositing the data is asked by contract to confirm the legality of data collection and distribution (which remains his or her responsibility).

The SWISSUbase application code is developed in-house by the team of software engineers at FORS and runs on the Kubernetes container platform. Kubernetes is the open-source system for the management of containerized applications.

For the preservation and sharing of research data, we don’t use a commercial cloud-based solution for security reasons, as most solutions are outside of Switzerland and can’t offer the security necessary to comply with the Swiss Data Protection Act. One additional point of clarification – the research data on the SWISSUbase platform is not necessarily “cold data” (e.g., not used) as it is in the public catalogue for the purposes of other researchers to access and reuse the available data.

Each time a version of a dataset is published, a new DOI is assigned to facilitate long-term traceability. Each DOI assigned to a version of a dataset remains active, meaning that the page is accessible and the metadata is visible, but only the data from the latest published version can be downloaded directly via the public catalogue catalog. Additionally, for each dataset deposited on SWISSUbase, a citation (following the APA standard) is automatically generated and recorded in the catalog and the user contract.

The service offered by FORS is very similar to the one offered by OFS. However, the data deposited with the FORS replication service is stored in Switzerland, which is an advantage from a legal point of view, since there is no transfer of data abroad. In addition, if you have any questions or require a DOI before depositing your data, you can contact one of our experts directly (dataservice@fors.unil.ch), who will be able to help you.

SWISSUbase is a platform for sharing and preserving research data in the long-term. Complete datasets are deposited on SWISSUbase, and rich metadata are added to describe the project and the data. The FORS Replication Service is designed to deposit partial datasets linked to a publication. The deposit process is simpler, there is less metadata to complete, and the deposited data is open to everyone (without any login). Each dataset deposited on SWISSUbase and on FORS Replication Service is assigned a DOI.