Why does the Human Brain Project (HBP) need a Data Protection Officer and what are the main challenges for this role? Our Questions and Answers series with Ethics Support task leaders continues with Data Protection Officer Kevin McGillivray.
Q1: What are the aims of the Data Protection Officer (DPO)?
A DPO is a professional in the field of data protection law. In the HBP, the DPO advises HBP partners on data protection issues and assists with monitoring of internal compliance with data protection obligations across the HBP. The DPO also evaluates the risks that the HBP poses to the individuals providing their data to the HBP.
Q2: What are the main activities of the Data Protection Officer?
In short, the main activity of the Data Protection Officer is observing that the data processing that occurs in the HBP, and the platforms we build, comply with the requirements of the General Data Protection Regulation (GDPR).
Since the HBP project began in 2013, EU data protection law has undergone significant changes. In particular, the longstanding Data Protection Directive was replaced by the GDPR, which entered into force in 2016 and was applied from 25 May 2018. While the GDPR does not completely break from the moorings set out in the Directive, there are important changes. In particular, the GDPR increases accountability obligations and significantly increases potential administrative fines for violation of the law.
The DPO provides advice, education, and information on compliance with the GDPR, in addition to conducting meetings with SubProjects and working as a stakeholder on various HBP platforms (i.e. the Medical Informatics Platform (MIP) and the Neuroinformatics Platform). The HBP raises many difficult questions without clear answers under the GDPR. As a result, the HBP is extremely interesting and challenging from a legal/compliance point of view.
Q3: Who are the main collaborators of the Data Protection Officer within and beyond the HBP?
I am located at the University of Oslo Medical Faculty as part of the Research Support (‘MEDFORSK’) team. I am the only one working on the HBP at that location. However, I work closely with the Data Governance Working Group (DGWG), the Ethics Support team at DMU, legal counsel at EPFL, and several members of the MIP team at CHUV.
Outside of the HBP, I maintain a close relationship with the Norwegian Research Center for Computers and Law (NRCCL) at the University of Oslo, Faculty of Law.
Q4: What are the main achievements of the Data Protection Officer so far?
- Creating a GDPR compliance plan for the HBP
- Writing guidance/protocols/templates aimed at GDPR compliance
- Writing opinions on data protection issues
- Re-writing the data protection section of the Data Policy Manual (DPM)
- Working with HBP platforms and others to implement GDPR requirements
- Writing multiple data protection focused deliverables
- Presenting on data protection law at HBP events and online
Q5: What are the main challenges for the Data Protection Officer for the next years?
In many areas, the requirements of the GDPR are not fully understood. At the same time, the HBP, and technology generally, are moving very quickly. Thus, applying a principle-based legislative instrument, where guidelines, opinions, and national interpretations are under development, to a project pushing the state of the art is a significant challenge. This challenge will continue, particularly as we develop the HBP joint platform and increase data sharing across platforms.
The position of DPO is relatively new. I started the position of DPO around the time the GDPR became applicable. Thus, there is still a lot of work to be done across the project to meet GDPR compliance requirements.
Q6: Anything else?
If you have any questions on data protection, please contact me at:
HBP Data Protection Officer (HBP DPO):
University of Oslo
Research Support (MEDFORSK)
PO Box 1078 Blindern
0316 Oslo, Norway
Contact page https://nettskjema.uio.no/answer/94779.html
Email: firstname.lastname@example.org or email@example.com