Sharing Personal Data and GDPR - Privacy Statement Addendum 2

September 2023

Basic GDPR definitions:

 Personal Data:  Under the GDPR, the definition of “personal data” includes any information relating to an identified or identifiable natural person, such as an employee, donor, member, or grantor.  An “identifiable natural person” is also one who can be identified, directly or indirectly, by reference to an identifier, including an IP address and device identifier.  Sensitive personal data, and personal data belonging to children, are subject to heightened requirements. The “personal data” bucket is a big one and includes information you might not have taken into consideration. In addition to data points such as name, email, ID #, photo, location data and online ID (IP address, social media), it also includes any factors specific to physical, social, and economic factors – in short, anything that possibly could be used to identify someone.

 

Two main Topics of Clarification:

  1. Data Collection Practices – including what is collected and how it is secured.
  2. Data Use Practices – who has access to the data and how the data is used.

 

Specific Clarifications:

  1. All personal data usage must fall within “lawful basis” and “legitimate interest” categories.
  2. The EU GDPR states that any company (wherever it is located in the world) collecting personal data from people in the EU will need “specific, informed, and non-ambiguous” consent from the “data subjects.”
  3. Currently, for the EU GDPR, smaller firms – those defined as having 250 employees or fewer – do not have to comply with all GDPR rules as standard. If an organization falls into this band, there’s no need to have documentation of why personal data is being collected and processed, the information that is stored, or how long for. Smaller firms are not required to maintain a record of processing activities unless this carries a risk to the rights and freedoms of data subjects, it is a regular occurrence, or it relates to certain data like criminal convictions and offenses.
  4. AAPT has the general policy of not sharing member (and staff) email addresses and other personal information with anyone outside the organization.  If others (including AAPT sections, grant-funded projects, and other professional societies) want to have email messages sent to members or staff, they can supply the message to appropriate AAPT staff, who will send the message.
  5. AAPT members can control the data that are visible to other members in the membership directory.  They can also control how AAPT may communicate with them.
  6. Outside “vendors”:  Whenever possible, personal data should be communicated directly from the member to the vendor.  AAPT should not collect that information for the institution/vendor.
  7. The same policies apply to personal data collected for grant-funded and other projects and groups affiliated with AAPT.  AAPT staff should be consulted before such data is used by the project personnel and should only be used internally.
  8. Under federal regulations, other researchers may request access to data gathered as part of federally funded grants. If an outside researcher requests access to data collected as part of a federally funded AAPT project, AAPT will follow the data management plan for the project. AAPT will take appropriate steps to de-identify the data and will follow steps set by the research protocol, data management plan, and the approving IRB to maintain confidentiality. This includes restricting access to potentially identifying information such as physical, social, economic, and employment data. Researchers making such a request will submit a proposal outlining the purposes of their request, along with a data management plan, to the AAPT for approval before the request is granted.
  9. AAPT committees will work with the appropriate AAPT staff to handle communication with speakers and presenters at national meetings and with nominees in ways that are consistent with AAPT personal data policies.  Similar procedures should be developed and recorded for handling information via shared drives and communications platforms.
  10. In general, when AAPT (or the groups mentioned previously) collect personal information, we need to tell the respondents how the data will be used.

 

Additional comments:

 

  1. Data collected as part of grant funded projects using surveys, interviews, or focus groups, usually promise confidentiality, especially if the research protocol has been reviewed by an IRB or the ACP Protection of Human Subjects Committee. In these cases, contact information cannot be shared with AAPT for other purposes.
  2. Projects are required to ask for consent from participants about being contacted by AAPT.
  3. What are the rules for a project collecting registration information that does not have an associated fee?  If there is a fee and the project has a direct AAPT connection, then the registration should be handled by AAPT's Department of Programs and Conferences.  For example, a group has its participants register for its no-cost webinars.
  4. What rules should apply to the use of email addresses collected by projects that obtain the addresses via web searches?  Projects that use email addresses to advertise their activities including those associated with AAPT national meetings should have an “unsubscribe” link as part of their email.