ISISComputingGroup / IBEX

Top level repository for IBEX stories

Remote Access: Make plan of what we need to do #5515

Closed John-Holt-Tessella closed 4 years ago

John-Holt-Tessella commented 4 years ago

Make plan T.B.C.

Acceptance criteria

kjwoodsISIS commented 4 years ago

GDPR applies to the processing of personal data, whether by automated or manual means.

Personal data only includes information relating to living persons who:

  1. can be identified or who are identifiable, directly from the information in question; or
  2. can be indirectly identified from that information in combination with other information.

In short, if it is not personal data, GDPR does not apply.

Do we display personal data on the web dashboard? Yes, we do. In the following fields:

  1. Users - contains the names of scientists performing experiments at ISIS. Names are clearly personal data.
  2. RB Number - why is the RB Number personal data? Because it is the key to the Experiment Details database. If you can get access to the Experiment Details database, you can use the RB Number to find out more about the PI and other user scientists.

Does this mean we can't display these fields on the web dashboard? No, it does not mean that. GDPR permits personal data to be processed with the consent of the individual. When the PI (Principal Investigator) submits a proposal to ISIS, he is informed that certain fields will be made public, including his/her name and the names of the other scientists involved in the proposal. By submitting a proposal, the PI has given consent. Therefore, we are clear to use the Users and RB Numbers fields.

Does this mean we can display any fields containing personal data on the web dashboard? No, it does not. We should only display those fields that a PI has consented to display. In fact, on a precautionary basis, we should display no more information than is necessary. The Users and RB Number fields are sufficient. There is no need to display any more.

John-Holt-Tessella commented 4 years ago

Can we put the above on the wiki so we can refer back to it please?

kjwoodsISIS commented 4 years ago

Information is now on the wiki: https://github.com/ISISComputingGroup/ibex_developers_manual/wiki/Data-Protection

kjwoodsISIS commented 4 years ago

Remote access plan is in General/Files/Remote Users Sep 2020 in MS-Teams. We have implemented the agreed remote access solutions:

GDPR issues dealt with by above comments.

Ticket is complete.