Data protection

The term “data protection” is misleading insofar as it does not relate to the protection of data but rather to the protection of the people behind the data – the so-called data subjects. The aim is to protect these people from a situation where personal information that has been collected about them is used to their detriment. Hence, under German law, personal data within the meaning of Section 3 (1) of the German Federal Data Protection Act (BDSG) – that is, information concerning the personal circumstances of an identified or identifiable individual – may be collected, processed, and stored only if this is permitted by law, or if the data subject has given his or her prior, informed, and voluntary consent (Section 4 (1) BDSG). This provision gives concrete form in ordinary law to the fundamental right of informational self-determination.

The handling of personal data is regulated in the Federal Data Protection Act (BDSG). However, as explicitly stated in Section 1 (3) of the Act, other, area-specific, laws take precedence over the provisions of the BDSG. The German Telemedia Act (TMG), Part 4 of which contains such area-specific special provisions, is of particular importance for the publication – or the making available to the public – of content on the internet. Persons who hold publications ready for retrieval online, in other words service providers within the meaning of Section 2 (1) of the TMG, are bound by these provisions. In particular, the operators of repositories and other websites that contain open access (OA) publications are required to refrain from collecting personal data unless they are exceptionally allowed to do so for a specifically defined purpose. Moreover, they are obliged to delete without delay lawfully collected personal data that are no longer needed.

Because of this special provision, online audience measurement, for example by means of log file analysers or analysis applications such as Google Analytics or Piwik, is subject to particular restrictions. Devices and applications employed by the user to retrieve content transmit – often unnoticed – a wealth of information by means of which the user could potentially be identified. The manner in which this information should be handled is narrowly defined by law. A data protection compliant approach to the determination of user frequencies in repositories has been developed within the framework of the project “Open Access-Statistik 2”.

Free access to research data, and the sharing of data with other scientists, always has data protection implications. In cases where scientists are working at a university or a research institute that is under the majority control of a federal state (Land), the provisions of the data protection laws of that state have precedence over those of the Federal Data Protection Act (BDSG). The data protection laws of the federal states (Länder) and the BDSG (e.g., Section 40) contain provisions that privilege science and research. However, these privileges provide, at most, for permission to use and transmit the data in pseudonymised or anonymised form. In other words, the data subject must not be recognizable to the person who takes receipt of, and works with, the data.

Information that allows conclusions to be drawn about a person’s physical or mental state or his or her inner convictions is particularly sensitive, and therefore particularly protected by data protection law. For this reason, requirements with regard to data protection compliant behaviour in medical, psychological, and social research are very exacting. Especially in small comparison groups or rare case constellations, information about one single circumstance might allow conclusions to be drawn regarding a person’s identity, even if the person’s name is not mentioned. Hence, a strict regime applies to the collection, processing, and storage of personal data, which, as a rule, makes transmission conditional upon the previous, voluntary, and informed consent of the data subject. This must be taken into account at the creation stage of the project – that is, when designing the way in which data are to be collected.