Join Zoom Meeting
Password:
The aim of today's discussion is to decide the overall approach for updating this policy from pre-GDPR days.
The scope is Personal Data contained within the "operations" data (logs, accounting data, audit files) stored and processed at each Resource Centre. This policy does not address Privacy, Data Protection, GDPR etc related to personal data stored by and within the Research Data for any Research Community.
Do we maintain the same overall approach?
Or do we aim for a completely new approach?
Which entities are Data Controllers?
Do we have any Data Processors?
Draft Notes- please inform Dave Kelsey of any corrections needed.
Present: Linda Cornwall (STFC), David Crooks (STFC), Sven Gabriel ( Nikhef), Baptiste Grenier (EGI), David Groep (Nikhef), David Kelsey (Chair, STFC), Vicky Konstantinopoulou (GRNET), Ian Neilson (STFC), Uros Stevanovic (KIT).
Apologies: Ian Collier (STFC), Jean-Francois Guezou (RENATER), Stefan Lueders (CERN), Stefan Paetow (Jisc), Alan Sill (TTU)
Agenda: https://indico.egi.eu/event/5623/
(notes by Dave Kelsey - 18 Jun 2021)
DavidK welcomed all to the meeting. VickyK had been invited to attend by Baptiste. She is the Deputy Data Protection Officer for GRNET and had earlier raised concerns about the EGI OLA referring to the existing EGI Data Protection policy – still based on the EU 1995 Directive - and not GDPR. DavidK welcomed her and looked forward to SPG benefiting from her expertise in this area.
The aim of today’s meeting is to explore issues related to updating the current EGI Policy on the Processing of Personal Data. https://documents.egi.eu/document/2732
The scope of the policy is Personal Data contained within the "operations" data (logs, accounting data, audit files) stored and processed at each Resource Centre. This policy does not address Privacy, Data Protection, GDPR etc related to personal data stored by and within the Research Data for any Research Community.
Consider these questions: Do we maintain the same overall approach? Or do we aim for a completely new approach? Which entities are Data Controllers? Do we have any Data Processors?
DavidK showed some slides (available on the agenda) describing the history of the current policy (adopted 2017).
Now consider the recent history (2018 onwards in GDPR era)
GEANT gave up on the CoCo V2 (Dutch Authority said could only be inside Europe – for now and imposed too many difficult to implement conditions). For more details on GEANT and the work on version 2 of the Code of Conduct see https://connect.geant.org/2021/04/09/next-steps-for-geant-code-of-conduct
And lots of concern about the other old wording (but this had not been questioned back in 2015-17)
Again we decided to wait – concentrate on full deployment of Privacy Notices for WLCG services and for CERN to complete its internal work on PN for services.
So – now to consider the current situation (June 2021)…
DaveK presented a proposal
BUT FIRST - lets discuss the overall approach as introduced by Baptiste in a recent mail thread.
Many issues were discussed
Aim for today - agree the approach and next steps.
Having agreed that the use of Data Processing agreements (or not) is not an issue for EGI SPG, that the most useful approach we could take is
DaveK will create a shared document for SPG members to start work on updating the old policy wording. Work can continue offline and by email and then some meetings will be called to agree the final words