EXHAUSTION Personal Data Protection Policy

This privacy policy will explain how our organization uses the personal data we collect from you as a visitor to our website or as a stakeholder in our project, Exposure to heat and air pollution in Europe – cardiopulmonary impacts and benefits of mitigation and adaptation (EXHAUSTION), funded by the European Union’s Horizon 2020 research and innovation programme under grant agreement No 820655.

 How do we collect your data? 

In EXHAUSTION we will collect data from a range of external sources, and then generate new data by manipulating, analyzing and model using the collected data as input. Data collection refers to the process of collecting data from sources outside of the project, whilst data generation refers to the process of generating new data through project activities, such as through data manipulation and data analysis.

The data we will collect from external sources for EXHAUSTION will be collected both from primary and secondary sources. Secondary research data may be explained as data that already exists and was collected by a party other than the project, such as health registry data or survey data with a wide consent. Primary research data however, is collected directly from the data – source by project members.

Most of the data that we will use in EXHAUSTION is secondary research data, and the only part of the project where some primary research data will be collected is in the development of the citizen engagement tool, further elaborated under the section Data for the Citizen Engagement Tool.

In the following description of the different data types we will collect and generate, a distinction will be made between personal data, sensitive data and non-personal data. Personal data contains information relating to an identifiable person who can be directly or indirectly identified, as defined in Article 4 of the General Data Protection Regulation (GDPR). Sensitive data refers to “special categories of personal data”, defined as “data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation” in GDPR Article 9 (3). Non-personal data refers to data that doesn`t constitute personal data under Article 4 of GDPR.

EXHAUSTION will collect and generate data on climate, air quality, health – outcomes, demographic, vulnerability, socio-economy and costs from a range of different sources in order to fulfill our objectives. We will also utilize models, scripts, projections and results from other projects and studies. We will generate new data in the format of collapsed and merged datasets, projections, scripts, models, projections and results. All data in EXHAUSTION will be in digital format. The origin, types, formats and collection of the different types of data will be described in more detail as follows:

Data for the Citizen Engagement Tool

In order to raise awareness of citizens to episodes on extreme heat and/or air pollution EXHAUSTION will use and expand the HackAir platform, previously developed by the beneficiary DRAXIS. HackAIR is a tool offered through a web and mobile application that the public can use to engage in and be informed about air pollution levels. HackAir will collect data from the primary source, namely the users of the platform. Data that will be collected are measurements of air quality that the app – users do themselves, and their experience of the heat stress and air quality. HackAir - users measure air quality with low cost sensors, and sky depicting photos that from which HackAir estimates particles in the atmosphere. Some personal data will also be collected via the application, such as email address and IP address. Number of persons using the citizen engagement tool are expected to be at least 8000. We will also collect feedback from users during the project through surveys, interviews and issue tracking and prioritization tool, where also a minimal amount of personal information will be required . No sensitive data will be collected through HackAir. Data management of personal data is elaborated on under section 6 Data Security and section 7 Ethical Issues of this DMP. DRAXIS will be responsible for the necessary approvals for the data collection through HackAir.

Protection of Personal Data

The personal data that will be processed in the project are the individual level epidemiological data and the data for the Citizen engagement tool, HackAir.

The individual level epidemiological data contains sensitive data that we will only be allowed to process under certain circumstances, such as a research project that will benefit society. We will handle all personal and sensitive data according to the GDPR adopted by the EU Parliament in 2016 to protect all EU citizens from privacy and data breaches.

The beneficiaries will be responsible for the individual level data from their country. The researchers will only have access to pseudonymized individual level data, meaning that identifiable data will be removed from the dataset and replaced with a pseudo ID. A trusted third party will keep the linkage key, and researchers in EXHAUSTION will never have access to personal ID. We will link the participant’s addresses or living area to other data in such a way that the participant’s address will never be revealed together with other information about the participants. There are different ways to do this. Some beneficiaries will have a third party doing the linkage with addresses, others may do the linkage with addresses in a separate process and with a separate linkage key, whilst at least one beneficiary will replace the address with gridded latitude and longitude before linking. Beneficiaries will have somewhat different procedures for handling personal data in general, depending on requirements from data owners, institution-specific procedures and country legislation.

Only dedicated project members will have access to the personal data. Personal data will generally not be shared between the partners, instead we will share aggregated data tables and analysis outputs for meta – analysis. The beneficiaries handling cohort data from Conor, SWEDEHEART, UK Biobank, and RoLS are all restricted from sharing any cohort data. We will store and process personal data in a secure server that fulfills requirements of GDPR , such as “Services for sensitive data“ (TSD) administered by the University of Oslo, or other equivalent secure servers. A project-restricted area in TSD can be accessed from all over the world, for any individual who has been given access rights. Any usage demands a two-factor log-in with a personal one-time code. Access – rights can be controlled for each project and each folder.

Personal data will be stored after project end for documentation purposes, but deleted or anonymized after about 10 years, depending on the decision from ethics committee in the respective country / region. When data is anonymized, it means that all linkage keys are deleted and data is aggregated to such a level that a way to identify participants no longer exists. Anonymized data is not personal and GDPR rules no longer apply.

The personal data collected for the citizen engagement tool is non-sensitive person data and will be handled according to GDPR. Data will be stored on a secure encrypted server and will be anonymized by HackAir before it can be accessed by EXHAUSTION researchers. As soon as a participant leaves the platform all personal data will be permanently deleted.

All beneficiaries handling person sensitive data will be responsible to get a Data Protection Impact Assessment (DPIA) approved from local Data Protection Officers (DPO) before data collection. All DPIAs will be stored in the project archives.

What data do we collect when you sign up to the newsletter? 

EXHAUSTION collects personal information to keep stakeholders updated about EXHAUSTION activities and opportunities for networking on the topic of climate and health.  EXHAUSTION strives to limit the amount of personal information collected. 

We collect the following data for the purpose of contacting you about relevant information, activities or networking opportunities:

  • Personal identification information (Name, email address, phone number, etc.) 

  • Work affiliation and title, as well as thematic content categories

  • Further personal information to be collected is specified in consent forms for each activity under this project. 

How will we use your data? 

We collect your data so that we can: 

  • Provide you with information about climate and health related events and information 

  • Send you our quarterly newsletter through ClickDimensions (Microsoft)

  • Provide networking opportunities for policy-makers, researchers and other stakeholders, amongst other, this may entail sharing your contact information with other participants at events.  

How do we store your data? 

Your data is securely stored on Microsoft OneDrive for Business, licensed to CICERO Center for International Climate Research.  Access to data saved on the project platform is limited to project participants. 

We will keep your name and e-mail address on file post-project for further networking opportunities, you may always opt out at a later date. 

What are your data protection rights? 

We would like to make sure you are fully aware of your data protection rights. Every user is entitled to the following: 

  • The right to access – You have the right to request copies of your personal data.  

  • The right to rectification – You have the right to request that we correct any information you believe is inaccurate. You also have the right to request us to complete the information you believe is incomplete. 

  • The right to erasure – You have the right to request that we erase your personal data, under certain conditions. 

  • The right to restrict processing – You have the right to request that we restrict the processing of your personal data, under certain conditions. 

  • The right to object to processing – You have the right to object to our processing of your personal data, under certain conditions. 

  • The right to data portability – You have the right to request that we transfer the data that we have collected to another organization, or directly to you, under certain conditions. 

 If you make a request, we have one month to respond to you. If you would like to exercise any of these rights, please contact us at our email: exhaustionmanagement@cicero.oslo.no

The right to lodge a complaint

In case of any complaint, please contact EXHAUSTION Management immediately to resolve the problem. Please note that you have the right to lodge a complaint with the relevant data protection supervisory authority. In general, you can refer to the data protection supervisory authority responsible for the location where your place of residence or work is located, or that of our coordinator’s organization.

Web-site 

When you visit our website a small amount of information concerning your use of it is generated - see our policy on cookies and social media plug-ins below. If you only browse the website, EXHAUSTION collects no personal data, i.e. we cannot identify who you are.

Our website contains links to other websites. Our privacy policy applies only to our website, so if you click on a link to another website, you should read their privacy policy. 

Cookies 

Cookies are text files placed on your computer to collect standard Internet log information and visitor behavior information. When you visit our websites, we may collect information from you automatically through cookies or similar technology.  For further information, visit allaboutcookies.org. 

We use cookies to help us improve your experience. EU legislation states that all websites should let you know when they are using cookies. Most websites use cookies, and they will not cause any harm to your device. EXHAUSTION uses cookies to help us see which pages our visitors like and which ones are not working so well, meaning we can make improvements to the website and improve your experience. Cookies do not tell us who you are or give us any personal details about you. 

You can set your browser not to accept cookies, and the above website tells you how to remove cookies from your browser. However, in a few cases, some of our website features may not function as a result.

Social media plug-ins

For embed social media plug-ins on our website we are using the so called two-click solution. This means that when visiting our page, no personal data is initially transferred to the plug-in providers. You can identify the plug-in providers by looking at their logos as well as the text that appears when you hover your mouse cursor over their logos. You can directly communicate with the plug-in provider via the button. The plug-in provider will only receive the information that you are using on the respective page of our online service once you have clicked the indicated field and thereby have activated it. The activation of a plug-in thus leads to your personal data being transferred to the respective plug-in provider and saved there (in case of US American providers in the USA). 

As plug-in providers mostly collect data via cookies, we recommend you delete all cookies in your browser via the security settings before clicking on the grayed out box.  We are neither able to influence data collection and data processing, nor are we informed as to the extent of the data collection, the purpose of data processing, or the data retention period. We also have no information from plug-in providers regarding the process of data deletion.

The plug-in provider saves the data collected about you in the form of a usage profile and uses that for the purposes of advertisement, market research, and/or needs-based website design.  Data analysis of this kind is undertaken (also for not logged-in users) in particular for the purposes of needs-based advertisement, and to inform other users of the respective social network of your activities on our website.  You have the right to object to the creation of these profiles. To make use of this right, you need to turn to the respective plug-in provider. We offer you the opportunity to interact with social networks and other users via the plug-ins, enabling us to improve our online service and make it more interesting for you as a user. Legal basis for the use of plug-ins is Art. 6 para. 1 lit. f GDPR.

Your data is passed on to the plug-in provider independently of you having an account with their network or being logged in there. If you are logged in, the data that was collected about you on our website will be attributed to your account with the plug-in provider.  If you click on the plug-in buttons and e.g. post a link on the social media account you are accessing, this information is also collected by the plug-in provider, saved in your account, and publicly shared with your contacts. We suggest you regularly log-out after using social networks, especially before clicking on any plug-in buttons as this prevents the plug-in provider from matching the activity with your account.

You can find further information on the purpose and the scope of data collection and processing by the plug-in provider in their respective data protection statements. There you can also find further information on your rights regarding this matter and customising settings and options for the purpose of protecting your privacy.  Address of the respective plug-in provider and URL to their data protection policy:

Twitter, Inc., 1355 Market St, Suite 900, San Francisco, California 94103, USA;

https://twitter.com/privacy. Twitter has submitted to the EU-US-Privacy-Shield, https://www.privacyshield.gov/EU-US-Framework.

How to contact us 

If you have any questions about ENBEL’s privacy policy, the data we hold on you, or you would like to exercise one of your data protection rights, please do not hesitate to contact us. 

E-mail us at: exhaustionmanagement@cicero.oslo.no