Eligible Exemptions from Openness
In this article, we will focus primarily on European Union legislation, as countries outside the EU may prescribe different conditions for eligible exemptions from open sharing of research data. This applies in particular to the protection of personal data and patent law.
The European Commission stipulates that access to data is open by default. However, since there are circumstances that may prevent or restrict the open sharing of data, the European Commission determines eligible exemptions from openness. These exemptions can be claimed in cases where:
- open access to the data would jeopardise the legitimate interests of the beneficiary, including commercial exploitation (e.g., in the case of a planned patent application or trade secret protection),
- open access would conflict with any other restrictions, in particular with the competing interests of the EU or the beneficiary's obligations under the funding agreement (e.g., protection of personal data, statutory secrecy, non-disclosure of endangered areas, groups or species, etc.).
For Horizon Europe projects, eligible exemptions from openness must be substantiated in the research data management plan. At this point, it is necessary to emphasize that open access does not necessarily mean that data become open immediately, indefinitely, or unconditionally, as will be explained below. Despite the access restrictions, it is necessary to create metadata that prove the existence of the data and describe the access options. Metadata sharing can only be restricted in exceptional cases, such as when the mere disclosure of metadata would be sufficient to jeopardize the success of patent proceedings.
We recommend that you follow the instructions of Open Research Europe in the cases of eligible exemptions from openness. When you cannot provide open access to data that would be necessary to confirm the conclusions of a scientific publication in which you report original results, you can still provide relevant access to data within a framework that takes into account your legitimate interests or legal or contractual restrictions. In these cases, you deposit in the repository a detailed metadata record that describes the data, where it is stored, and how it can be accessed. The metadata must meet all legal and ethical obligations and must not contain confidential or personal information. In the scientific publication, on the other hand, you include the so-called Data Availability Statement, indicating where and how the data can be accessed.
Data Protection due to Legitimate Interests and Other Restrictions
If the data cannot be opened due to legitimate interests, e.g., industrial exploitation, or restrictions, e.g., confidentiality, security, competitive interests of the EU or the protection of intellectual property, including patents and trade secrets, this must be substantiated in the research data management plan. The funder may require the authors to provide evidence for their claims.
Scientific publications created on the basis of such data must contain:
- a description of the restrictions on access to the data,
- all necessary information required for readers and reviewers to apply for access to the data,
- the conditions under which access will be granted.
Alternatively, they can contain the persistent identifier of an open and FAIR metadata record containing this information.
More information about this restriction can be found in the Horizon Europe Model Grant Agreement, specifically in Article 13 (Confidentiality and Security), Article 16 (Protection of Intellectual Property) and Article 17 (Open Science).
Protection of Personal Data
Personal data must be processed in accordance with the relevant European and national data protection legislation, specifically with Regulation (EU) 2018/1725, Regulation (EU) 2016/679 - GDPR and ZVOP-1. Where personal data cannot be satisfactorily anonymized, state in the research data managing plan and later in the scientific publication the following:
- an explanation of why or how data falls under personal data protection legislation,
- the opinion of the relevant ethics committee, authorized person for the protection of personal data or other competent authority on the sharing of these data,
- where appropriate, all necessary information required for readers and reviewers to apply for access to the data, or the persistent identifier of the open and FAIR metadata record containing that information.
More information about this limitation can be found in the Horizon Europe Model Grant Agreement, specifically in Article 15 (Data Protection).
Data Under a Third-Party License
If you have obtained data from third parties and access to the data is subject to restrictions, explain this in the research data management plan. Your scientific publication must contain:
- all necessary information required for readers and reviewers to apply for access to the data by the same means as the authors,
- publicly available data that are representative of the analysed dataset and can be used to apply the methodology described in the publication.
There is also the possibility that data can be opened, but the files cannot be uploaded to repositories because they exceed their size limits. In this case, in the research data management plan and the scientific publication, provide all the necessary information required for readers and reviewers to apply for access to the data, or the persistent identifier of the open and FAIR metadata record that contains this information.
Restricting Access to Data
You can restrict access to data in a number of different ways, depending on what makes the most sense for the type of data you have.
1. Time Lock (Embargo)
Embargo is most often enforced for the protection of intellectual property, for the confidentiality of information and data, or for other legitimate interests. A typical example would be a patent process, where data would be kept closed until a patent was granted, and then opened up. You should pay attention to the choice of repository if you decide to use an embargo, because this feature is not universally available. Among general repositories, embargoes are enabled in, e.g., Zenodo, Figshare and Dryad, among others.
2. Time Limit ("Right to be Forgotten")
The time limit is most often enforced in the case of personal data that cannot be satisfactorily anonymized, as the GDPR stipulates the so-called "right to be forgotten". When enforcing a time limit, the data is deleted after the expiry of the contractual obligations, unless it is necessary to keep them in accordance with the law. However, even after deletion, metadata proving the existence and origin of the data must remain available to interested parties.
3. Physical or Electronic Restriction of Access
Physical or electronic restriction of access to data is appropriate in the case of confidential or sensitive data and the protection of intellectual property. In this case, only certain persons can gain access and only under certain conditions, e.g., in a secure room or through a secure connection. Access often requires the approval of the competent state authority, identification of the person accessing the data (either physically or electronically through authentication/authorization) and recording the access (e.g., by signing an access statement). In doing so, the relevant European and national legislation regarding the identification and protection of personal data must be considered, e.g., GDPR and ZVOP-1. As this area is legally very complex, we recommend that you contact your institutional legal department or the Office of the Information Commissioner of the Republic of Slovenia for legal advice.
Last update: 25 April 2022