Project data protection
InfraStress Data Protection Policy
What is InfraStress
Critical infrastructures and chemical plants are both crucial for our society and pivotal to secure against potential threats, as any damage to them may have unintended harmful cascade effects on citizens and individuals. InfraStress is a research project which addresses cyber-physical (C/P) security of Sensitive Industrial Plants and Sites (SIPS) Critical Infrastructures (CI) and improves resilience and protection capabilities of SIPS exposed to large-scale, combined C/P threats and hazards, and guarantees continuity of operations, while minimizing cascading effects in the infrastructure itself, the environment, other CIs, and citizens in the vicinity, at reasonable cost. It is a European Union-funded project under the Horizon2020 scheme. It lasts two years (June 2019 – June 2021) and it is conducted by a research consortium gathering twenty-seven partners.
Why might your personal data be involved and processed by InfraStress?
During the research activities and the rollout of the project, personal information will inevitably be processed. In such a case, if your personal data are processed, you will be the ‘data subject’. Here we sum up the four main areas where personal data processing operations may take place. Please be aware that the list below is by no means exhaustive. If the consortium learns that a new data processing operation needs to be initiated, we will update this list as soon as possible.
Testing and integration of InfraStress technologies. As you can read from above, the core purpose of InfraStress is to provide a number of chemical plants with an integrated architecture to prevent and detect intentional or accidental safety and security threats. For this reason, amongst the technologies that this project will test, there will be applications like intrusion detection sensors, network analysis, physical-security information systems, crowd-sensing. In such circumstances, personal data processed might include social media posts (in an aggregated and paraphrased way), sensor-generated data, IP addresses.
Complementary surveys. In order to test and evaluate the technology on end-users and plants, questionnaires or surveys might be conducted. In such a case, no details will be retained and any residual personal information gathered (e.g., country of residence) will be aggregated and pseudonymized.
Business-related personal data – this is the case in which you are a project partner. Name, surname, e-mail address, organization are often processed amongst partners to undertake ordinary project activities, like emailing, assemblies planning and attendance lists, decision-making processes and legal compliance duties. Cookies might be installed to enable access to the shared private online working platform of InfraStress.
Incidental processing – periodic review and updates of this policy
According to the GDPR (Article 4), ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. In substance, the controller is the person or entity which leads the personal data processing operation by determining purposes and means for the processing.
In InfraStress, processing operations are handled by different partners. However, supervision over such operations and the determination of purposes and means are dealt with by the responsible partners in close coordination with the entity responsible for the project (i.e., project coordinator). Below are the contact points of the project coordinator, should you have any query regarding the way personal data is processed:
Engineering Ingegneria Informatica S.p.A.
Piazzale dell'Agricoltura, 24, 00144 Roma RM, Italy
How the project processes personal data
Personal information within the InfraStress project is processed in pursuit of a legitimate interest of the consortium, which consists of the research activities carried out with the purpose of implementing the Grant Agreement N. 883088 that InfraStress Consortium signed with the European Commission (REA Agency). Within InfraStress, non-business related personal data processing is necessary for scientific research purposes in accordance with GDPR Article 89(1)2 and based on European Union Regulation No 1291/2013 of the European Parliament and of the Council of 11 December 2013 establishing Horizon 2020 - the Framework Programme for Research and Innovation (2014-2020) and repealing Decision No 1982/2006/EC.
Some information on the policy of the project and about the ways personal data are processed
However, processing personal information pursuing research interests implies that a number of safeguards and proactive initiatives are taken in order to protect the rights of the data subjects at stake. In order to do so, InfraStress project partners begin all processing of personal data by following these principles:
Fairness and lawfulness. Personal data are processed fairly and for the purposes for which they were collected initially. Any re-purposing is subject to a compatibility test (the initial purpose and the research purpose for which partners process personal data must be compatible with one another). Moreover, the legality of personal data processing operations is assessed by the project coordinator.
Security of processing. Personal data processing operations are conducted following the available security measures, both technical and organizational. As an example, access control and authentication-based environments are applied to the access to data-sets containing personal data, and the need-to-know principle is implemented in the vetting of any researcher involved in InfraStress personal data processing operations.
Minimization. Collection and processing of personal data, including during the technology testing and the data storage, follow the principle of data minimization. This means, for example, collecting data (and tuning InfraStress technologies) in a way that only the strictly necessary amount of personal data is processed. Furthermore, the testing of InfraStress technologies will be conducted only in circumscribed perimeters, and whenever personal details are needed, pseudonymization will be sought.
Third-party non-disclosure. No personal data will be disclosed to any third-party (i.e. non-consortium entities) unless there is an explicit authorization to do so by the interested individual or a contractual obligation to be fulfilled.
Use-case-based access. Personal data will remain within the consortium domain. Furthermore, personal data will only be accessed by the partners with an involvement in a given use-case. If the partner does not have any interest or involvement in a use case, personal data processed therein will not be disclosed to them, in accordance with the need-to-know principle.
Long-term identification is not an aim. It is not among the purposes of this project to retain personal data for long periods or to aggregate such data so as to identify an individual. When personal data are processed for research purposes, such sets will mostly be operated for the duration of the testing and immediately deleted afterwards, unless otherwise indicated.
Accuracy. InfraStress project regularly reviews datasets where personal data are stored in order to ensure the accuracy and reliability of the information therein. Systems to update the information are in place so as to ensure both security and controlled access to datasets.
For how long will we retain the information?
If immediate deletion does not occur, that means we have a legal obligation and/or a research purpose to archive the data either for contractual reasons or for scientific research purposes. In such a case, InfraStress partners will retain the personal data in question for a maximum of one year from the termination of the project, unless otherwise indicated or requested by a supervisory authority or for auditing purposes.
Your rights upon the personal data we process
If you, as a data subject, believe that any of your personal data are processed by InfraStress, you are entitled to request the controller to undertake the following actions:
Right to access. Data subjects are entitled to request information regarding their personal data, including purposes, categories of information, recipients, retention, source of collection, transfer to third-countries (non-EU Member States). Moreover, the data subject is entitled to receive a copy of such data.
Erasure or rectification. Data subjects may request at any time for their personal data to be amended, updated or erased by the controller.
Restriction of processing. Data subjects have the right to request that the processing of their data be suspended whenever the data prove to be inaccurate or unlawfully or unnecessarily processed.
Portability. Data subjects shall have the right to receive their personal data in a machine-readable format, anytime they wish to transfer such data to another controller representing a similar service.
Object. Data subjects have the right to object to the processing of their personal data anytime they demonstrate grounds relating to their particular situation, unless the processing is conducted on public interest grounds and pursuant to Article 89(1).
Automated decision-making or profiling. Data subjects have the right not to be subject to automated decision-making processes (including profiling) which result in legal consequences for him or her.
Who can you address these questions to?
InfraStress contact point is the following:
Engineering Ingegneria Informatica S.p.A.
Piazzale dell'Agricoltura, 24, 00144 Roma RM, Italy
InfraStress Consortium is committed to responding in a timely manner to any inquiry you may have, and to reasonably complying with any exercise of your rights listed above. However, data subjects should be aware that, each time their requests are not satisfactorily fulfilled by the controller, or they believe their rights have been violated, recourse to data protection authorities or to the ordinary judicial branch is still possible.
How we embed privacy within the consortium
InfraStress project values the respect for privacy and data protection as both a legal requirement and an ethical standard. For this reason, we indicate below the periodical actions and initiatives we undertake in order to frequently review the way the project observes and respects privacy standards.
Respect for GDPR and its obligations in the scientific research domain. The main legal act we rely upon for complying with privacy and data protection rights is the GDPR. In this respect, we continuously assess our activities, particularly if or when involving personal data processing operations for scientific research purposes, against the rights of the individuals and our legal obligations enshrined in the GDPR.
Accountability. We maintain and regularly update internal policies enabling the consortium to keep records and documentation of the relevant personal data processing operations. These actions include the assessment of the risks that our research may pose to the rights and freedoms of individuals. Such processes aim at identifying mitigation measures and enabling safeguards against privacy violation, and are recorded in the so-called DPIA (data protection impact assessment).
Awareness raising. We regularly undertake activities aimed at informing our consortium partners about the data protection obligations and standards that we abide by. Initiatives are performed on a periodical basis and include webinars, presentations and ad-hoc sessions on privacy, data protection and the respect for fundamental rights in research activities. Privacy sessions are organized in the course of every face-to-face general assembly organized by the consortium.
Ethical standards. As said above, we do not only regard the protection of personal data and privacy as a legal requirement to meet. InfraStress project considers personal data protection obligations as an ethical standard of best practice. For this reason, the consortium implements and assesses privacy beyond what is imposed by law and as a by-design principle, including in the development of any technology and its integration within use-case scenarios.
Further research guidelines. InfraStress project makes extensive use of further ethical guidelines issued by the European Commission on responsible research, as a benchmark and as a code of conduct. Such manuals inform researchers and projects funded under the Horizon2020 and similar EU funding programs about the best practices to be adopted when the research involves the processing of personal data.
Review of this document – document history
InfraStress project commits to review this document whenever there is a need and on a quarterly basis.
Release date: 31/07/2019