The POP-ALERT Consortium places high value on the need to protect citizens’ data and privacy. Therefore it commits to the following Privacy Policy.

DEFINITIONS

For the purposes and in the context of the project:

Data/Categories of data: Survey results and email addresses.

Data subjects/categories of data subjects: Any person that answers POP-ALERT surveys or provides their personal data for scientific purposes.

Processing: Data collection for scientific research will take place in the United Kingdom, at the Data Controller facility the University of Greenwich After de-identification/anonymisation, data processing will take place at the partners authorised according to these guidelines.

Database: POP-ALERT Google DRIVE, password protected

Data controller: The person – or legal entity - who determines the purposes for which and the manner in which any personal data are, or are to be, processed. The University of Greenwich will be the Data controller within this project, responsible for compliance with the law and the guidelines further to the accuracy and the reliability of the data collected in the Google DRIVE database (if any).

Data processor: In these guidelines, means any person who has access to the database. He/she is subject to instructions from the Data Controller.

Researcher: any person involved in the project, either with access to the database or not/ irrespective/ regardless of whether he/she has access to the database.

Anonymisation: De-identification of the subjects, by means of a pseudonymisation. Re-identification may be made only by Data Controller, according to the rules defined in this guidelines.

1. QUALITY OF DATA

Data collected and processed for the purposes of the project have to be accurate, reliable kept up to date. The Data Controller is responsible for the quality of data and the fair and transparent processing of data and has to ensure that data will be corrected, revised and/or updated when requested by a data subject or deemed to be necessary as a result of regular audits and reviews.

2. DIGNITY AND PRIVACY

In each phase of the research project the rights and freedoms of the data subject and mainly his/her dignity and privacy will be respected and protected according to the law and the current ethical guidelines.

3. ANONYMISATION

In order to protect privacy and the right to data protection, data will be anonymized. This anonymisation is carried out under the responsibility of the data controller just after their collection and in any case before the further processing of data by data processors who hence will have access only to de-identified data. When data will be inserted in the Google DRIVE database, they will be completely de-identified, assigning a unique ID that will allow strictly within the Data Controller the re-identification and only for the purposes of Data subjects’ rights.

4. CONSENT

No person/data subject will participate without his/her legally effective explicit and informed consent or the consent of data subject's guardian/judicial supporter or his/her legally authorized representative. The researcher shall ask for such consent only under circumstances that give to the prospective subject or the representative the possibility to consider sufficiently whether or not to participate, minimizing therefore the possibility of coercion or undue influence. The information that is given to the subject or the representative shall be in a language understandable to the subject or the representative.

The information sheet will include:

  • A statement with reference to the research purposes of the study, an explanation of the specific purposes of the research as well as a description of the procedures to be followed.
  • A statement that all personal data will be de-identified before their use within the research project.
  • A description of any benefits to the subject or to others which may reasonably be expected from the research.
  • An indication of the contact person for answers concerning pertinent questions about the research and research subjects' rights.
  • A statement that participation is voluntary, that refusal to participate will involve no penalty or loss of benefits to which the subject is otherwise entitled, and that the subject may discontinue participation at any time without penalty or loss of benefits to which the subject is otherwise entitled.
  • A statement that a withdrawal from the research does not have any consequence or penalty on benefits.
  • The list of the partners of the Project, who may have access to the data subject’s data.
    A statement about the length of the anonymized data retention period, depending on consent given only for the project goals or also for general anonymized database availability at the end of the project.

5. PURPOSE

Data controller and data processors will collect, retain and use personal data only for the explicit, legitimate, clearly specified and documented purpose(s) of this project as laid down in the Description of Work of the project.

The data use will be in line with the data subject’s original consent, given on the attached form that will be in the language of the subject to ensure the full comprehension of its statements.

Data may not be processed for purposes which are not compatible with the project’s purposes and/or further (re)used for another purpose(s) that is/are not covered by the consent

6. DATA MINIMISATION

Only personal data that are adequate, relevant and limited to the minimum necessary in relation to the purposes of the project shall be collected and processed. Personal data will be kept in a form which permits direct or indirect identification of data subjects for no longer than is necessary for the purposes of the project.

If they are no more necessary personal data will be erased/destroyed unless and to the extent that it is necessary for the documentation of the research.

7. DATA SUBJECTS' RIGHTS

The underpinning principle of research is that the rights of the individual take priority over the research needs. Persons involved will not be disadvantaged if they refuse to let researchers collect their data. They have the right to withdraw their consent and stop participating to the research project at any time without any consequences or loss of benefits. The data controller will ensure that data subjects may exercise their right to access to their data collected and stored for the purposes of the project as well as the right to object to the further processing and/or to request rectification or erasure of their data. In case that a data subject is exercising these rights the data controller will notify the data processors who have to act respectively.

8. RESPONSIBILITIES

Researchers must ensure that data subjects understand the implications of taking part and consenting to the collection of their data. Data collection must be fair and transparent for the persons concerned. Researchers involved in data collection and processing must ensure that data are accurate and reliable.

Researchers acting as data processors are responsible and accountable for complying with these guidelines, the national law and the specific instructions of the data controller and they are bound by the confidentiality obligation.

9. ACCESS TO DATA AND TRANSFER OF DATA

Researchers acting as data processors will have access only to data that they are specifically mandated and/or authorised to use.  
Access to the database is restricted to data processors who are specifically mandated/authorised to have access and process personal data for the purposes of the project.
Data may be transferred to data processors only after the approval of data controller. Neither the data controller nor the data processors are allowed to transfer, to disclose or to make available data to third parties outside the Consortium.

10. SECURITY

The Data Controller and the Data Processors (Researchers and the organisations in which they are situated) are responsible for data security according to these guidelines and having regard to the sensitive data they deal with they will adopt and implement all the appropriate technical and organisational measures to protect personal medical and other data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access.

If the access or the exchange of data involves their transmission over a network the data controller and the data processors will take all the appropriate measures to transmit the data via a secured network and/or by a secured procedure in order to prevent unauthorised access and interference to the network or to the data. Data security will be preserved through anonymisation, encryption, and regulation of the medium of transfer.

Each consortium member will be responsible for data security within its own organisation, according to the national law, respective codes of conduct and professionals standards as well as the guidelines approved within the consortium for data treatment and data security.

11. ACCOUNTABILITY

The data controller is accountable for compliance with the law and these guidelines and is responsible for taking the necessary technical and organisational measures and the accuracy and reliability (“data quality”) of the data collected and distributed.  

The POP-ALERT Privacy Policy may be subject to change based on the experience made with the applications of these rules and individuals’ feedback and concerns. The POP-ALERT Privacy Policy will be displayed on the website where the latest copy will always be shown and distributed to participants of scientific research as appropriate.