The Right to Data Portability in practice : Exploring the implications of the technologically neutral GDPR

Key Points The European General Data Protection Regulation (GDPR) introduces one new data subject right, Article 20’s right to data portability (RtDP). The RtDP aims to allow data subjects to obtain and reuse their personal data for their own purposes across different services. We investigate the RtDP by making 230 real-world data portability requests across a wide range of data controllers. The RtDP is interesting to study as it operates under a framework that aims to be technologically neutral while requiring specific technologies for implementation. Our objective is to assess the ease of the RtDP process from the perspective of the data subject and to examine the file formats returned by data controllers. From our results, including responses indicating that no personal data were stored, only 172 (74.8 per cent) of RtDP requests were successfully completed. However, compliance with the GDPR varied where not all file formats meet the GDPR requirements. There was also confusion amongst data controllers about data subject rights more generally. Based on our observations, we revisit the current guidance for data portability. We suggest new technical definitions to clarify how data should be made portable and determine the appropriateness of certain file formats for different data types. We suggest recommendations and future work for various stakeholders to address the legal implications derived from our study. This includes discussing possibilities for new data portability standards and codes, conducting further empirical research, and building technological solutions to ensure that the RtDP can be better understood in theory and exercised in practice.PostprintPeer reviewe

Co-creating autonomy : group data protection and individual self-determination within a data commons

Recent privacy scandals such as Cambridge Analytica and the Nightingale Project show that data sharing must be carefully managed and regulated to prevent data misuse. Data protection law, legal frameworks, and technological solutions tend to focus on controller responsibilities as opposed to protecting data subjects from the beginning of the data collection process. Using a case study of how data subjects can be better protected during data curation, we propose that a co-created data commons can protect individual autonomy over personal data through collective curation and rebalance power between data subjects and controllers.Publisher PDFPeer reviewe

Data protection for the common good : developing a framework for a data protection-focused data commons

This research is part of Janis Wong’s doctoral research, which is funded by the University of St Andrews St Leonard’s College, School of Computer Science, and School of Management.In our data-driven society, personal data affecting individuals as data subjects are increasingly being collected and processed by sizeable and international companies. While data protection laws and privacy technologies attempt to limit the impact of data breaches and privacy scandals, they rely on individuals having a detailed understanding of the available recourse, resulting in the responsibilization of data protection. Existing data stewardship frameworks incorporate data-protection-by-design principles but may not include data subjects in the data protection process itself, relying on supplementary legal doctrines to better enforce data protection regulations. To better protect individual autonomy over personal data, this paper proposes a data protection-focused data commons to encourage co-creation of data protection solutions and rebalance power between data subjects and data controllers. We conduct interviews with commons experts to identify the institutional barriers to creating a commons and challenges of incorporating data protection principles into a commons, encouraging participatory innovation in data governance. We find that working with stakeholders of different backgrounds can support a commons’ implementation by openly recognizing data protection limitations in laws, technologies, and policies when applied independently. We propose requirements for deploying a data protection-focused data commons by applying our findings and data protection principles such as purpose limitation and exercising data subject rights to the Institutional Analysis and Development (IAD) framework. Finally, we map the IAD framework into a commons checklist for policy-makers to accommodate co-creation and participation for all stakeholders, balancing the data protection of data subjects with opportunities for seeking value from personal data.Publisher PDFPeer reviewe

Co-creating data protection solutions through a commons

In our data-driven society, personal data affecting individuals as data subjects is increasingly being collected and processed by sizeable, international companies. While data protection laws and privacy technologies attempt to limit the impact of data breaches and privacy scandals, they rely on individuals having a detailed understanding of the available recourse, resulting in the responsibilisation of data protection. Existing data stewardship frameworks incorporate data protection considerations and employ data-protection-by-design principles but may not include data subjects in the process itself, relying on supplementary legal doctrines to strengthen data protection enforcement. Current data protection solutions also lack support for protecting individual autonomy over personal data through co-creation and participation, particularly where there is socio-technical and communal value to collaborative data from which data subjects may not currently benefit. These challenges motivate the application of a theoretical and practical framework that can encourage co-creation of data protection solutions, increase awareness of different stakeholder interests, and rebalance power between data subjects and data controllers. In this thesis, we propose adapting the commons framework to create a data protection-focused data commons. We conduct interviews with commons experts to identify the institutional barriers to creating a commons and challenges of incorporating data protection principles into a commons. We propose requirements for establishing a data protection-focused data commons by applying our interview findings and data protection principles. We then deploy the data protection-focused data commons using an online learning use case. We conduct a study to explore the usefulness of the commons for supporting students' agency and co-creating data protection solutions in response to tutorial recordings, their consent preferences, and attitudes towards privacy and online learning. We find that a data protection-focused data commons as a socio-technical framework can support the collaboration and co-creation of data protection solutions for the benefit of data subjects."This work was supported by the University of St Andrews St Leonards Interdisciplinary Scholarship in collaboration between St Leonards College, School of Computer Science, and School of Management." -- Fundin

Online learning as a commons : supporting students' data protection preferences through a collaborative digital environment

The COVID-19 pandemic has accelerated the adoption of technology in education, where higher education institutions had to implement online teaching models overnight, without time for due consideration of appropriate data protection practices or impact assessments. The General Data Protection Regulation (GDPR) attempts to limit the negative effects caused by the digitisation of education such as lecture capture, tutorial recording, and education surveillance. The GDPR, however, may be insufficient in removing the power imbalance between students and their institutions, where students as data subjects have no choice but to accept their institutions’ terms or be locked out of academia. To increase protection of students’ autonomy, we propose an online learning data protection-focused data commons to support their agency with regards to protecting their personal data. We explain how a commons could apply to online learning, then develop and test an application to put the commons into practice. From our results, we find that although over 50% of students trust universities and staff with their online learning personal data, more transparency on institutional policies and data protection rights can support higher online learning participation rates, help mitigate potential data protection harms, and give students agency over their personal data beyond consent. We conclude that further research is required to move away from consent as the lawful basis for tutorial recordings, support inclusive online learning pedagogies, and balance the implementation of educational technologies with the need to deliver online learning to benefit students’ academic experience.Publisher PDFPeer reviewe

How portable is portable? Exercising the GDPR's Right to Data Portability

The new European General Data Protection Regulation has introduced several new rights designed to empower users and regulate imbalances of power between those who collect and control data and those to whom the data refer. In this paper we focus on one particular right, the right to data portability, and examine how it is being implemented. We discuss the responses to 230 real-world data portability requests, and examine the file formats returned and difficulties in making and interpreting requests. We find variation in file formats, not all of which meet the GDPR requirements, and confusion amongst data controllers about the various GDPR rights.Postprin

Prognostic limitations of donor t cell chimerism after myeloablative allogeneic stem cell transplantation for acute myeloid leukemia and myelodysplastic syndromes

Donor T cell chimerism is associated with relapse outcomes after allogeneic stem cell transplantation (alloSCT) for acute myeloid leukemia (AML) and myelodysplastic syndromes (MDS). However, measures of statistical association do not adequately assess the performance of a prognostic biomarker, which is best characterized by its sensitivity and specificity for the chosen outcome. We analyzed donor T cell chimerism results at day 100 (D100chim) after myeloablative alloSCT for AML or MDS in 103 patients and determined its sensitivity and specificity for relapse-free survival at 6 months (RFS6) and 12 months (RFS12) post-alloSCT. The area under the receiver operating characteristic curve for RFS6 was .68, demonstrating only modest utility as a predictive biomarker, although this was greater than RFS12 at .62. Using a D100chim threshold of 65%, the specificity for RFS6 was 96.6%; however, sensitivity was poor at 26.7%. This equated to a negative predictive value of 88.5% and positive predictive value of 57.1%. Changing the threshold for D100chim to 75% or 85% modestly improved the sensitivity of D100chim for RFS6; however, this was at the expense of specificity. D100chim is specific but lacks sensitivity as a prognostic biomarker of early RFS after myeloablative alloSCT for AML or MDS. Caution is required when using D100chim to guide treatment decisions including immunologic manipulation, which may expose patients to unwarranted graft-versus-host disease

Clinical and Experimental Applications of NIR-LED Photobiomodulation

This review presents current research on the use of far-red to near-infrared (NIR) light treatment in various in vitro and in vivo models. Low-intensity light therapy, commonly referred to as “photobiomodulation,” uses light in the far-red to near-infrared region of the spectrum (630–1000 nm) and modulates numerous cellular functions. Positive effects of NIR–light-emitting diode (LED) light treatment include acceleration of wound healing, improved recovery from ischemic injury of the heart, and attenuated degeneration of injured optic nerves by improving mitochondrial energy metabolism and production. Various in vitro and in vivo models of mitochondrial dysfunction were treated with a variety of wavelengths of NIR-LED light. These studies were performed to determine the effect of NIR-LED light treatment on physiologic and pathologic processes. NIRLED light treatment stimulates the photoacceptor cytochrome c oxidase, resulting in increased energy metabolism and production. NIR-LED light treatment accelerates wound healing in ischemic rat and murine diabetic wound healing models, attenuates the retinotoxic effects of methanol-derived formic acid in rat models, and attenuates the developmental toxicity of dioxin in chicken embryos. Furthermore, NIR-LED light treatment prevents the development of oral mucositis in pediatric bone marrow transplant patients. The experimental results demonstrate that NIR-LED light treatment stimulates mitochondrial oxidative metabolism in vitro, and accelerates cell and tissue repair in vivo. NIR-LED light represents a novel, noninvasive, therapeutic intervention for the treatment of numerous diseases linked to mitochondrial dysfunction

What is Community Operational Research?

Community Operational Research (Community OR) has been an explicit sub-domain of OR for more than 30 years. In this paper, we tackle the controversial issue of how it can be differentiated from other forms of OR. While it has been persuasively argued that Community OR cannot be defined by its clients, practitioners or methods, we argue that the common concern of all Community OR practice is the meaningful engagement of communities, whatever form that may take – and the legitimacy of different forms of engagement may be open to debate. We then move on to discuss four other controversies that have implications for the future development of Community OR and its relationship with its parent discipline: the desire for Community OR to be more explicitly political; claims that it should be grounded in the theory, methodology and practice of systems thinking; the similarities and differences between the UK and US traditions; and the extent to which Community OR offers an enhanced understanding of practice that could be useful to OR more generally. Our positions on these controversies all follow from our identification of ‘meaningful engagement’ as a central feature of Community OR