John Holt edited this page Aug 4, 2020 · 3 revisions

Wiki > Project overview > Data Protection

Data protection is concerned with the fair and proper use of information about people.

All individuals have a right to privacy, which means that all organisations must manage personal information with appropriate care. In the UK, the protection of data is enshrined in law, specifically the Data Protection Act 2018 (DPA-2018) and the General Data Protection Regulation (GDPR) which, although it is an EU regulation, also forms part of UK law. The DPA-2018 and GDPR apply to the ‘processing of personal data’, and will catch most businesses and organisations, whatever their size.

For more information on DPA-2018 and GDPR, visit the web-site of the Information Commissioner's Office.

What is ‘personal data’?

Personal data is information about living persons who:

  1. can be identified, or are identifiable, directly from the information in question; or
  2. can be indirectly identified from that information by combining it with other information.

Personal data means information about any living individual. This could be anyone, including a customer, client, employee, partner, member, supporter, business contact, public official or member of the public. The data need not be ‘private’ information – information which is public knowledge or is about someone’s professional life can be personal data.

What is ‘processing’?

The DPA-2018 and GDPR apply to the processing of personal data, whether by automated or manual means.

Almost anything you do with data counts as processing, including collecting, recording, storing, using, analysing, combining, disclosing or deleting it. Furthermore, the law expects that any organisation (or individual) that processes personal data does so in a way that is clear, open, honest and fair with people from the start.

In short, if processing involves personal data, the DPA-2018 & GDPR apply. Otherwise, they don't.

IBEX and Personal Data

IBEX processes a small amount of personal data. It displays information from the Experiment Details database (display is a form of disclosure) and makes information available to the web dashboard (from where the information is displayed (i.e. disclosed) to a much wider group of people).

Which features of IBEX display personal information?

  • Experiment Details View
  • IBEX Journal Viewer

Experiment Details View

The Experiment Details View displays the following fields:

  1. Users - contains the names of scientists performing experiments at ISIS. Names are clearly personal data.
  2. RB Number - why is the RB Number personal data? Because it is the key to the Experiment Details database. If you can get access to the Experiment Details database, you can use the RB Number to find out more about the PI and other user scientists.

IBEX Journal Viewer

The IBEX Journal Viewer (i.e. the journal viewer built into IBEX) displays the following fields:

  1. Users
  2. User Institute - could help identify a user, therefore, it's personal data.
  3. Local Contact - name of the instrument scientist; again, it is obviously personal data.
  4. RB Number.

Do we display personal data on the web dashboard?

Yes, we do. In the following fields:

  1. Users
  2. RB Number.

Does this mean we can't display these fields in IBEX or on the web dashboard?

No, it does not mean that. DPA-2018 & GDPR permit personal data to be processed with the consent of the individual. When the PI (Principal Investigator) submits a proposal to ISIS, he/she is informed that certain fields will be made public, including his/her name, institute and the names of the other scientists involved in the proposal. By submitting a proposal, the PI has given consent.

Similarly, ISIS publishes the names of instrument scientists (i.e. local contact) on its web pages. It is part of an instrument scientist's job that he/she is available for users (and potential users) to consult - hence they have consented to some personal information (e.g. name and a work e-mail address) being used.

Therefore, we are clear to use the Users and RB Numbers fields.

  • Business Apps have confirmed that for proposals awarded beam time, the proposal title, abstract, and experimenter names (both the PI and Co-Is) are public data for the following types of proposals: Direct, Rapid, Dutch, Riken, and Indian Access.
  • Business Apps also state that information relating to ICRD proposals is not published. ICRD = ISIS Collaborative R&D, meaning proposals made by industrial partners. Identifiable information from ICRD proposals should not be displayed on the web-dashboard (i.e. the scientists should suppress the display of the Experiment Title and leave the Users field blank).

Does this mean we can display any fields containing personal data on the web dashboard?

No, it does not. We should only display those fields that a PI has consented to display. In fact, on a precautionary basis, we should display no more information than is necessary. The Users and RB Number fields are sufficient. There is no need to display any more.

What about the Experiment Title field on the web dashboard?

The Experiment Title field cannot be used to identify an individual. We also give users the option to suppress the display of the Experiment Title field (via the DAE View). If a user or scientist wishes the Experiment Title not to be displayed, they have the means to do so.

What about the Experiment Details View and IBEX Journal Viewer in IBEX?

For the same reasons as above, we can display the Users, User Institute, Local Contact and RB Numbers fields in the Experiment Details View and IBEX Journal Viewer. IBEX is, of course, not accessible to external users (i.e. users outside the STFC firewall); therefore, any information displayed by IBEX is much less visible. Again, the precautionary principle should apply: we should display no more information than is necessary.
