The aim of today's discussion is to decide the overall approach for updating this policy from pre-GDPR days.
The scope is Personal Data contained within the "operations" data (logs, accounting data, audit files) stored and processed at each Resource Centre. This policy does not address Privacy, Data Protection, GDPR etc related to personal data stored by and within the Research Data for any Research Community.
Do we maintain the same overall approach?
Or do we aim for a completely new approach?
Which entities are Data Controllers?
Do we have any Data Processors?
Draft Notes - please inform Dave Kelsey of any corrections needed.
Meeting of EGI Security Policy Group - Zoom – 9 Jun 2021
Present: Linda Cornwall (STFC), David Crooks (STFC), Sven Gabriel (Nikhef), Baptiste Grenier (EGI), David Groep (Nikhef), David Kelsey (Chair, STFC), Vicky Konstantinopoulou (GRNET), Ian Neilson (STFC), Uros Stevanovic (KIT).
Apologies: Ian Collier (STFC), Jean-Francois Guezou (RENATER), Stefan Lueders (CERN), Stefan Paetow (Jisc), Alan Sill (TTU)
DavidK welcomed all to the meeting. VickyK had been invited to attend by Baptiste. She is the Deputy Data Protection Officer for GRNET and had earlier raised concerns about the EGI OLA referring to the existing EGI Data Protection policy – still based on the EU 1995 Directive – and not to GDPR. DavidK welcomed her and looked forward to SPG benefiting from her expertise in this area.
The scope of the policy is Personal Data contained within the "operations" data (logs, accounting data, audit files) stored and processed at each Resource Centre. This policy does not address Privacy, Data Protection, GDPR etc related to personal data stored by and within the Research Data for any Research Community.
Consider these questions: Do we maintain the same overall approach? Or do we aim for a completely new approach? Which entities are Data Controllers? Do we have any Data Processors?
DavidK showed some slides (available on the agenda) describing the history of the current policy (adopted 2017).
EGI SPG presented and WLCG MB approved a Privacy Notice for WLCG (July 2019)
And use of WISE Baseline AUP v1 for the WLCG AUP.
We started work on an updated version of the 2017 EGI DP Policy
Only a few changes needed for GDPR era (as far as we could tell)
In section 5 vii - Requirement for a PN
No longer require a named DPO
Policy must state that the PN must specify the legal basis for processing
Then lots of WLCG discussion in Grid Deployment Board
Data retention - maximum 18 months – several sites said they needed to keep longer
To where does a User report issues? Especially for those outside the EU. WLCG did not want to take on this role.
To where do we report breaches? Same issue.
And lots of concern about the other old wording (but this had not been questioned back in 2015-17)
Again we decided to wait – concentrate on full deployment of Privacy Notices for WLCG services and for CERN to complete its internal work on PN for services.
So – now to consider the current situation (June 2021)…
EGI needs an updated policy for DP
Or a completely different approach
WLCG needs an updated policy too
Cannot continue to wait for GEANT CoCo – that will now not happen
And even a Best Practices document will take some time (due later this year)
Discussion – what can we do? what should we do?
DaveK presented a proposal
Start again with updating the old DP policy for GDPR changes
Are there any requirements from the CoCov2 work that we should include?
BUT FIRST - let's discuss the overall approach as introduced by Baptiste in a recent mail thread.
Many issues were discussed
Can the EGI Foundation be the Data Controller and all Resource Centres become Data Processors, with a Data Processing Agreement signed by all sites?
As before, when this had been discussed by the EGI EB/Council – too many sites, too many lawyers, much of the personal data is not “owned” by EGI, and sites are really “Data Controllers”
Vicky reported that many sites are actually keen to sign a data processing agreement so that it is clear to them what their responsibilities are
It was suggested that perhaps a general Controller to Controller agreement could be produced and signed.
The conclusion was that all of this is far too complicated for a non-legal body like EGI SPG. We cannot give advice on what should happen.
Aim for today - agree the approach and next steps.
Having agreed that the use (or not) of Data Processing Agreements is not an issue for EGI SPG, the group concluded that the most useful approach it could take is:
To update the existing policy framework with any changes needed for the GDPR era
If this is found to be useful, it could be used as a “Code of Conduct”, BCR-like approach which, together with Privacy Notices, EGI services could use to constrain their behaviour, follow “best practice” and minimise the data protection risks to end users
If participants agree and sign bilateral data processing agreements, those will of course take precedence
This policy would be for cases where no such contract or DPA exists
DaveK will create a shared document for SPG members to start work on updating the old policy wording. Work can continue offline and by email, and then some meetings will be called to agree the final wording.