Case Study: LEx Ethical and Privacy Considerations

The main focus of the following case study is to describe the procedures that have been followed during the testing phases of the IMPETUS tools and that could serve as guidelines for the adoption of the tools or of any similar technological instrument.

The procedures have been defined to ensure synergistic cooperation among the subjects involved (more specifically, public entities’ representatives, legal and IT consultants, and tool providers) while considering and respecting all applicable laws, guidelines and best practices.

The checklist of activities attached below rests on a preliminary consideration: the assessments of the regulatory compliance of the IMPETUS tools and platform were drafted based on the use of the tools during the so-called Live Exercises (“LEx”), which took place in Oslo (Norway) and in Padova (Italy). Moreover, compliance was considered with particular reference to European laws on data protection. National laws were also considered but are not reported in the checklist, since they are strictly related to the context of use.

Most of the evaluations and activities described in the checklist imply the involvement of IT and legal consultants.

More specifically, the assessments of the tools and the attached checklist take into consideration:

  • the technological security measures that the tool developers were able to guarantee during the LEx;

  • the networks, technological systems and other infrastructures that were already in place in the cities of Oslo and Padova, which were directly involved in the Project;

  • the fact that the LEx were conducted for research purposes and lasted only a couple of days; and

  • the fact that most of the data subjects were volunteers.

The following checklist highlights which evaluations were completed during the IMPETUS development and can be considered final, and which activities are strictly related to the context of use and should be conducted with regard to the specific situation.

The checklist involves the following steps:

  1. Define the context of use of the tools

  2. Identify the applicable laws

  3. Choose adequate security measures to prevent violations of rights

  4. Ensure effective oversight

  5. Clearly identify the data processing activities, via a detailed description of the processing activities, the definition of data subjects and the processed personal data, the identification of the storage location and the retention period

  6. Analyse the data processing activities for the tools that process a larger amount of personal data

  7. Sign a data protection agreement with each external subject that will have access to personal data as Data Processor

  8. Carry out a Data Protection Impact Assessment (DPIA) related to the specific context of use of the tools

  9. Verify whether, in accordance with European or national legislation, a notification to data protection authorities or other authorities is required

  10. Recruit the volunteers in accordance with the approved procedures

  11. Inform the subjects involved

The detailed checklist is attached hereafter.