GDPR: how we approach it here at HER
Human Ecosystems Relazioni research center is completely compliant to GDPR regulations.
This, of course, does not apply out-of-the-box to the subjects which download and install the Human Ecosystems platform, which is not, in itself, compliant.
To become GDPR compliant HER has created specific organizational and technical processes which ensure such compliance.
For example, on the organizational side, HER has designed dedicated professional figures and responsibilities. Or, as for the technical side of things, specific system and platform measures have ben taken for the systematic removal, filtering, anonymisation, clustering (in order to process aggregated data instead of personal) of content, information and data.
HER does not, thus, guarantee in any way for the out-of-the-box GDPR compliance of its Human Ecosystems platform, which needs specific competences, responsibilities and technical solutions to be instanced and applied in organizations to achieve such compliance. (but we ARE more than happy to describe the solutions which we used to make our technologies compliant with GDPR, so that more companies and organizations can actively support people’s rights and freedoms)
And, on top of this, we are also aware that GDPR alone cannot fix all the data related issues of our world. For this we conduct a strong social and cultural activity which has the effect of dealing with data as a cultural phenomenon, with a constructive, transformative effect on society. You can read this article, for example, to know more about the school we are bringing up in Rome. (and also this article in Italian)
As a matter of fact, here at HER, we don’t think that a law or regulation can change the complex scenario of data for the better. It can make things a little better (and, for this, we will never thank the European Union enough for being a stronghold of data rights for its citizens), but it will not change things.
Because the current data economy is an extractive economy. This is the problem.
The GDPR regulates an extractive economy. But it does not change it: it tells what you can extract, how, how you can or cannot store it, what access, rights and liberties you have to make available for people. But GDPR is still talking about an extractive economy, as the only possibility for Data. It does not provide any other vision or alternative.
Here, at HER, we don’t deal with Data in this way.
We don’t extract data FROM people. We confront with data WITH people.
Many companies, organizations and institutions ask us to collect and visualize data to create some research, or some market study, or to better understand phenomena in our world.
When they do, we tell them that we do this in a different way. We take research out of the laboratory.
Our researches are organized in this way:
- create a social engagement process, through communication, art and design;
- get the people involved in confronting with the topic of the research through data and, thus,
- come up with participatory, collaborative, engaging ways in which to collect data;
- the collected data becomes a data commons, which anyone can use;
- develop a cultural/educational process to make sure that the communities you engaged to collect the data are actually able to use the data, and to extract value from it;
- develop the research and make sure that it is of value for the communities, that it gives back something in terms of knowledge, awareness, insights, opportunities, skills, value;
- take the data and the results of the research back into society, into public space, through communication, arts and design, so that it is really an inclusive process, which creates shared cultural capital and cultural acceleration.
This is is how we do research. Sometimes in the past it has not been possible, as some of our clients have not understood the serious implications of the extractive economy that is building up around data. We have always tried, also in these rare cases, to set up things with an ethical approach. We also wrote a book, called Digital Urban Acupuncture, in which we explain our methods in detail.
Now, with GDPR, we are happy to adhere, so that it will possible to handle data in way that are just, open, transparent, accessible and inclusive, but we also want to catch this opportunity to make a statement:
Data WITH people, instead of data ON people.
Let’s bring research out of the laboratory, into society, to create inclusive processes of solidarity, collaboration and participation which are able to unite citizens, researchers, organizations and institutions.
Let’s end the extractive logics of the data economy, and start a new lifecycle in which data is a commons which is managed in society, together with the people.
Starting from May 25th 2018, Human Ecosystems Relazioni has made its systems and processes fully GDPR compliant.
As for the data which has been collected previously to this date, it was compliant to the previous regulations. For this, the existing databases have been frozen (meaning that they have been disconnected from all active software/hardware agents which could modify their state, to preserve them in their form, compliant with the laws that existed when they were created).
In this way, we have been able to clearly mark the data which is relevant before GDPR and, from now on, all our future systems and processes will be fully compliant to GDPR.
Here below we wish to address some specific articles of the GDPR, in order to discuss some of the issues involved.
This is by no means a complete discussion on the topic and, on top of that, specific projects in the research center (for example ones which may deal with health or other sensible topics) may adopt (and publish) different arrangements.
For all enquiries it is possible to contact firstname.lastname@example.org
In response to Article 5 of GDPR
<<Personal data shall be: processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);>>
We do not process and store personal data. We only store publicly available data in aggregated form, under the form of topic classification and anonymised/pseudonymised network graphs which are used to research and understand social phenomena.
<<adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);>>
Data which is not necessary for the treatment is consistently eliminated from our servers in permanent ways.
<<accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);>>
Data is accurate when we collect it, an we only use it to understand the evolution of social phenomena in selected contexts. Therefore there is no need to keep it updated: we use it to understand how societies and communities evolved as relevant for the research context, then throw the original data away, only preserving reference of where we took it from.
<<kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);>>
We don’t store the data that can identify people or organizations.
- topic lists and how much they appear in researches
- anonymous network/relational graphs between pseudonimised subjects
- aggregated classifications (for example: “Y messages were generated on this topic X at this date/time Z”)
<<processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).>>
We don’t store and process any personal data, but only aggregated data or appropriately pseudonimised data.
In response to Article 6 of GDPR
<<Processing shall be lawful only if and to the extent that at least one of the following applies: the data subject has given consent to the processing of his or her personal data for one or more specific purposes;>>
We only process data which data subjects have agreed to by accepting the clauses of the terms of services of the online service providers (the data controllers) which explicitly mention this possibility (for example when mentioning the distribution of these data sets through APIs and partner programs).
The result of processing comes under the form of aggregated data and anonymized relational network graphs, which are used to understand social phenomena. All other data is discarded and forgotten (meaning completely erased, also from caching systems etc ).
Even though this is the case, pulling the research center out of the scope of GDPR, we feel that this is a crucial topic.
Current technological systems and services are not clear enough about when and how users generate data and for which purposes. For this reason the Human Ecosystems Relazioni research center constantly embraces actions in communication, awareness, design and art to create opportunities for education and for the development of accessible critical skills, in accessible, inclusive ways, including the development of tools and methods that are completely free and libre to use. Look at our projects: many are dedicated to this.
In response to Article 7 of GDPR
<<Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.>>
We process publicly available data which is obtained through systems in which data subjects explicitly accept this data to be processed (for example through APIs).
We do not store any personal data.
<<The data subject shall have the right to withdraw his or her consent at any time. 2The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. 3Prior to giving consent, the data subject shall be informed thereof. 4It shall be as easy to withdraw as to give consent.>>
The withdrawal of the consent by the data subject will have immediate effect on our platforms, because it will mean that the data subject’s data will not be available any more on the data controller’s platform, which is the one we use to process data.
Of course we are also able to receive requests in this sense, which we evade by adding the data to be avoided in filters which discard it automatically. But in this case users will not achieve the desired effect, as the data will still be present in the original platform, over which we have no control nor jurisdiction.
In response to Article 9 of GDPR
<<Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.>>
We process and make this kind of information available only in aggregated form and, thus, not in personal form.
And, in any case:
<<processing relates to personal data which are manifestly made public by the data subject;>>
Even though we don’t process an make available personal data, but only aggregated, the origin of the data may come from personal data which was manifestly made public by the data subjects (for example public expressions which are visible and explicitly marked as being “for everyone”, for example by using specific platform functionalities or by publication in the public media channels).
In response to Article 11 of GDPR
<<Where, in cases referred to in paragraph 1 of this Article, the controller is able to demonstrate that it is not in a position to identify the data subject, the controller shall inform the data subject accordingly, if possible. 2In such cases, Articles 15 to 20 shall not apply except where the data subject, for the purpose of exercising his or her rights under those articles, provides additional information enabling his or her identification.>>
We do not store information that can be used to identify data subjects, as the data is handled in aggregated and anonymised or pseudonimised forms.
That said, we are more than happy to support people and organizations to investigate in the case that they think that the data sources in our possession contain information which concerns them. We are happy to take additional data and information that can be lawfully used, together with the interested party, to identify the problematic data. Then we offer our complete support to correct, modify, delete the data and to propagate the effects of such changes, for everything that is reasonably and legally in our power.
In response to Article 12 of GDPR
<<The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. 2The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. 3When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.>>
We are happy to welcome any enquiry or request for information. Anyone can write us at email@example.com and ask for information.
We kindly request to everyone, in the case of requests about single data subjects, to identify themselves, because otherwise we will not be able to provide the requested information.
<<The controller shall facilitate the exercise of data subject rights under Articles 15 to 22. 2In the cases referred to in Article 11(2), the controller shall not refuse to act on the request of the data subject for exercising his or her rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the data subject.>>
We are here for you.
We are happy to investigate with you specific data issues which may be of harm (or of extreme interest) to individuals, groups and society. As a matter of fact, it is an explicit part of our cultural mission, as a research center.
<<The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. 2That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. 3The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. 4Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.>>
We will be with you all along. We will respect these terms and we will be collaborative and accessible.
At times, we will also request something from you.
We firmly believe that these are important matters. For this we will ask you to help us in creating occasions to ensure that the resolution of data issues which may emerge go to the benefit of everyone, for example by helping others to avoid having the same problem.
In response to Article 13 of GDPR
Sometimes we collect data directly from people (data subjects).
In this case, we act as Data Controller (using the terminology defined in the GDPR). For example, this happens when we create our design interventions in cities, or when we create artworks which collect and visualize data.
When this happens, it may be useful for people to know a series of information:
- the identity and the contact details of the controller: the Human Ecosystems Relazioni private research center, whose legal representative is its president, Salvatore Iaconesi
- the contact details of the data protection officer: we chose to attribute the responsibility of the data protection officer in our research center to our president, who can be reached at the email firstname.lastname@example.org
- the purposes of the processing for which the personal data are intended as well as the legal basis for the processing: this changes for each project and, for this, we suggest you look to the single projects or that you get in touch with us, we’ll be happy to help
- the recipients or categories of recipients of the personal data, if any: as detailed before, we don’t store any personal data; in specific projects this may happen and this information will be provided for them
- the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period: we don’t store personal data; the data we produced is available in aggregated, anonymised form for as long as it is economically sustainable under the form of Data Commons, freely accessible by anyone
- although we do not store any personal data, some data which allows identification of people may slip through; we want to make sure that people are able to verify this data, access it, correct it, modify it, update it, erase it, to understand how we process it, or even to make sure that these data are not captured any more; you can contact us at email@example.com for all of these options; probably, we will ask you to identify yourself if you do, to make sure that you don’t mess around with someone else’s data
In response to Article 14 of GDPR
Sometimes, instead, data is not collected directly from the data subjects. (for example through social networks, or through public administrations)
Given that we do not store and process personal data, but aggregated, anonymised data, the indications in the previous section apply also to this one: the identity and responsible for data protection in our research centre are the same (Human Ecosystems Relazioni and Salvatore Iaconesi), and the firstname.lastname@example.org is the email to which you can refer if you want to know more about the data we store, request edits or removals, withdrawals of authorizations or anything else.
It needs to be clear, in this case, that we may not be the suitable subject to interrogate and to interact with. For example, social networks operators or the other operators where we get the data from would remain the best subject to address, because they are the controllers of your data. But we would love to help you anyway if you find it hard to get in touch with them.
In response to Article 15 of GDPR
We grant access to data to everyone. This includes access to personal data granted to the data subject who is the one identified in the data (given that we don’t store any personal data, but in case that we do – for example, by mistake– this is where we will grant this type of access).
In the other cases: we produce our data sets under the form of Data Commons, meaning datasets which can be accessed and used by everyone.
In all of the cases: the purposes of processing, the categories of data, the recipients of this data an the timeframe with which they are maintained are specific for the single projects and, thus, we advise you look ad the projects individually, or that you send us a note to know more. You can also ask us to check if we have any data about you (for example by indicating us a name, and providing identification showing that that name is you): we’ll be happy to check and to show you the results.
In response to Article 16 and 17 of GDPR
As described before: we are more than happy to correct any mistakes which are contained in the data we store, or to erase it completely if it is what you want. We just ask you to identify yourself to make sure that you’re entitled to correct the data or to ask for removal.
Remember to make sure to erase it also from its original sources! We don’t store any personal data, so this means that your personal data ended up in our databases by mistake (for example a picture might have shown your face and we did not know, or someone might have mentioned you in a public content). But in any case, if we have it, it means that we found it in public. We’ll tell you where, but make sure that you go to them as well to remove it! Otherwise you will have done only half of the job.
In response to Article 18 of GDPR
We have filters which allow us to define data which we are not supposed to collect. For example these filters can indicate words like names, addresses, brands etcetera.
If you want to indicate us some of these names, addresses, brands or else which we should not capture and take into account when harvesting data (for example from the web), you may do so at the email@example.com email address. We will ask you to identify yourself to make sure that you are entitled to make this request.
In response to Article 20 of GDPR
In ways that are similar to the one before this one, you may request that we collect all of the data that pertains to you, so that you can take it elsewhere (and, as we said, you may also request that we delete it).
Send us your identification so that we know what to search for, tell us if you want to delete or just deliver, and we will do just that.
In response to Article 21 of GDPR
We want to hear from you and, in this, we want to understand what you want. For example we would like to know if you object to any of the data treatments that we do, in the limit that they influence and impact your life. For example, if you have any hint that we have some of your personal data (for example, you might have seen your name pop up in some our visualizations by mistake) we will happily receive your objection. When this happens your name will end up in a global filter which filters all of our incoming data: if the name is there for any reason, the entire data item will be discarded, to make sure that this does not happen again.
In response to Article 22 of GDPR
We don’t profile.
We don’t take automatic decisions on people based on their profiles.
The data we produce becomes a Data Commons, available and accessible to anyone using open licenses.
Our research center takes this data (which is not personal data, but aggregated, anonymized data) and puts it in the center of communities, to stimulate public, transparent, inclusive engagement and collaborative processes, and using the data to activate inclusive cultural processes.
In response to Article 25 of GDPR
We use any means possible to preserve and support people’s rights and freedoms. This includes privacy an security by design.
In this, we are always happy to go the extra mile. We are conscious about the fact that most of our rights and freedoms are tightly linked to the digital realm, to data and to the agents of computation (algorithms, artificial intelligences, robots…).
For this, we have developed an entire family of solutions dedicated to bring up these issues, provide citizens with tools and techniques to confront with them, and come up with collaborative, participatory, inclusive answers. One of these solutions is the concept (and the tools that come with it) of the Ubiquitous Commons.
In response to Article 30 of GDPR
We maintain a complete log of all of the processing that we perform in our research.
These logs contain information about: the responsible of the processing and the data protection officer; the purpose of the processing; the categories of data subjects and of the personal data involved (usually none); the recipients of the personal data, where applicable; the transfer of data to third countries, where applicable; the persistence of data (how long it is maintained); the technical/technological and organizational architecture around the data; the type of processing on the data;
In response to Article 32, 33 and 34 of GDPR
Concerning security of our systems, we employ the best and most updated technologies, techniques and protocols we are aware of. We keep our software updated and protected from known exploits; we adopt strong passwords and system wide encryption; we use techniques such as input protection, system hardening and periodic controls including penetration testing and more.
From the point of view of the techniques which are employed in order to minimize risks (and effects) coming from security breaches, we use system wide strong, military grade cryptography, distributed systems, pseudonymisation to avoid disclosure of real data items, security focused system architectures, security oriented protocols for systems settings, password generation, accounts, logs, caches and system dimensioning, and more.
We have systems and personnel who are suitable to detect and contain the effect of security breaches in a few hours. Notifications about the characterization of the breaches, the impacts on people’s data and the suggested counter-measures can be given out in 72 ours.
In response to Article 37, 38 and 39 of GDPR
The data protection officer for Human Ecosystems Relazioni is the president of the research center, Salvatore Iaconesi.
Unless otherwise communicated (for example in single projects), this information is always valid throughout the activity of our research center.