5. Data-protection recommendations

Data protection is key to creating trust between a Data Provider, Data Owner(s) and Data Consumers. The Data Provider is responsible to the Data Owner(s) for ensuring that data are handled according to agreements or contracts, as well as the legal context of the country where the data are managed. Subsequently, if the Data Provider knows that the Data Consumer has good, proven procedures in place to keep control of who is using the data, and that the persons working with the data have knowledge of the legislation surrounding the handling of personal and IPR data, they will be more willing to allow access to or share data.

This chapter applies whenever data are shared between two (or more) organisations. There are many different scenarios where data can be shared, and the organisations must discuss the following questions beforehand:

  • Which categories of data are being handled and exchanged?
  • What risks are considered when exchanging or handling the data?
  • How are the data going to be accessed between the organisations?
  • What is the purpose of exchanging data and are there limitations in usage?
  • What physical security requirements must be in place?
  • Which logical (as in software and IT-infrastructure) security requirements must be in place?
  • Which organizational measures (procedures and routines) must be in place?
  • When must data be erased?
  • Which laws, policies, agreements and licences apply to the handling and exchanging of the data?

When data are collected and used within the same organisation there might be greater control of how the data are handled, but this chapter could still be applicable. This chapter discusses the different demands imposed on data protection by different categories of data. The scope of data protection includes unauthorized access, data theft, data loss and the proper documentation of the implementation. The chapter includes a suggestion for data-protection requirements to facilitate the setup of the necessary data-protection framework for a Data Provider and a Data User. This concept is extended with the principles of federated data access.