ebi-ait / hca-ebi-wrangler-central

This repo is for tracking work related to wrangling datasets for the HCA, associated tasks and for maintaining related documentation.
https://ebi-ait.github.io/hca-ebi-wrangler-central/
Apache License 2.0

GDPR Diagram #419

Closed: Wkt8 closed 2 years ago

Wkt8 commented 3 years ago

Create a workflow diagram for data that comes from different sources, contains or does not contain living donors, and is available in the public domain / not available in the public domain. It describes, for each set of characteristics, whether the data is subject to GDPR / data protection, or if it is able to be wrangled by us.

Acceptance criteria for the task:

Wkt8 commented 3 years ago

https://miro.com/app/board/o9J_lzQKwKI=/

https://docs.google.com/document/d/1HD1Z2F9vfevmsqRzKBGd_858_GKiUkzSopXs9bKnTk8/edit#

Wkt8 commented 3 years ago

Now under review by wranglers and Tony

Wkt8 commented 3 years ago

@gabsie

ESapenaVentura commented 3 years ago

AI

@gabsie and @ESapenaVentura to check

ESapenaVentura commented 3 years ago

The diagram looks fine to me!

The only point I am not sure about is datasets that we archive and that contain living donors; needs clarification.

Wkt8 commented 3 years ago

To clarify, it would be useful to get someone to double-check the following scenario: When a contributor comes to us with data that comes from living donors, and explicitly tells us to archive it in ENA, are we considered data controllers? If so, we presume that we would not be able to submit that to the DCP, as we are data controllers.

Wkt8 commented 3 years ago

@gabsie and @ofanobilbao your input would be valuable here!

ofanobilbao commented 3 years ago

@Wkt8 The diagram looks very good!

My main doubts also come in the same scenario that Enrique mentioned above.

Also, are all living donors treated equally regardless of origin? What if the donors are non-European?

And last question, on the left of the diagram, what if a contributor reaches out, and their data is already archived in ENA etc. but they add extra metadata without us asking, and we confirm they are European living donors? This might not be a likely scenario. But would we then move into wrangling it as Managed Access?

Wkt8 commented 3 years ago

All living donors are treated equally regardless of origin - so if the donors are non-European we still wouldn't consider wrangling them unless they were archived in publicly available databases.

That's a really good point on mixed datasets - I think what we've done in the past is we've wrangled them mixed - we include the publicly available data and we do not include the managed access.

In your scenario - if the CONTRIBUTORS have added extra metadata which contains living donors to ENA - then I think we are fine to wrangle that as it was added by them to the publicly available archive.

Wkt8 commented 3 years ago

Who do we ask about GDPR concerns?

@Wkt8 to check with Tony again

Add edge case scenarios?

Wkt8 commented 3 years ago

@idazucchi @ipediez to have a quick look as well!

ipediez commented 3 years ago

I have found this guide to GDPR that includes some sort of checklists to determine whether an organisation is considered a Data Controller, a Joint Controller, or a Data Processor.

It might be worth having a look through it.

Wkt8 commented 3 years ago

Based on a chat with Tony - have decided to mark this as done. Information is saved here: https://ebi-ait.github.io/hca-ebi-wrangler-central/SOPs/GDPR_Guidelines.html

When we encounter the scenario in which we actively archive living donor data into openly accessible databases we will re-think this.