Legal aspects and data protection in relation to the CRIS system

CRIS and its integrated large amounts of data are slowly becoming one of the topics of the digital revolution. Many institutions are enthusiastic about the innovative data analysis methods of our time for research and customer loyalty. From a data protection point of view, however, the processing of large amounts of data is one of the greatest conceivable challenges. The legal aspects depend on the legislation of the country in which the CRIS system is operated, the level at which CRIS is operated and the type of data collected.


Legislation is a tool for obtaining quality data on science, research and innovation in CRIS.
At the national level, the following laws govern the data entry to the SK CRIS system:  Act no. 172/2005 on the organization of state aid for research and development  Act no. 185/2009 on incentives for research and development Legislation concerning the organization and support of science in Slovakia contains an incentive component for the registration of quality data. The repressive component, applicable in the case that the legal entity (R&D organisation) does not meet the obligation to enter data, does not apply in the current version of legislation.
The data enters to the SK CRIS system in the several ways: Through the process of Assessment of Competence to Perform Research and Development. The data are completed by applicants (R&D organizations) from both the private and public sectors via an online application form. Based on the assessment of competence, the organization obtains a certificate of competence to perform research and development, and thus the right to apply for funding from the state budget. The certificate is issued and withdrawn by the Minister of Education based on a proposal from the evaluation committee. Basic project data are imported into SK CRIS in the scope of the CERIF format, including linking entities to research organizations and the research team. The result is quality and complete data on project activities, verified by grant agencies.

Through the annual process of the Supplementary Statistical Survey of Research and Development
Potential, the collection of current statistical data on R&D organizations is carried out via an online form. It also collects data on foreign and international cooperation projects, which are funded from other grant schemes and are not imported from the systems of Slovak grant agencies. The data is provided by the R&D organization via an online form. However, these data have to be verified and checked by the SK CRIS administrator. Ensuring the quality and completeness of data with legislative data mainly concerns the register of R&D organizations and the register of research projects.

2.
The second set of problems addressed by the SK CRIS provider is the protection of personal data. Within SK CRIS, personal data registered within the register of researchers are processed. However, these data are created within several workflows, implemented through the SK CRIS system. The legal basis for the collection of these data is the compliance of the legal obligations of the Ministry and the compliance of the role of the Slovak Centre of Scientific and Technical Information (https://www.cvtisr.sk) implemented in the public interest. The public interest is the interest in accordance with valid legal regulations to process information on research and development funded from the state budget.
Compared to Germany, there are some legal aspects and legal regulations to consider when data is processed and published in Germany in particular, there is no national CRIS system, but the process of research data management in the area of data protection and data security is regulated by law. The following regulations and laws must be taken into account in the context of research data management:  Data protection (e.g. lawfulness of processing: including §27 BDSG, Art. 6 GDPR, Art. 17 Abs. 3 lit. d GDPR; informed consent: including §36 BlnDSG, Art. 13 GDPR)  Data security (e.g. §64 BDSG) There are undeniable benefits to building, filling with quality data and using CRIS. On the other hand, there are great dangers if the information stored in CRIS is misused, especially if facility secrets or personal information are stored. To prevent such misuse, various measures must be taken and worked together, in particular on the software side, organizationally and in particular legislatively. We summarize these measures under the term data protection. When dealing with the integration, storage and provision of research information, it should already be included whether and how the research information will be published, under what framework conditions the data will continue to be used, what rights the researchers involved have to the research information, whether the research group or project will leave and ultimately also whether and when the research information is deleted again. Against this background, it is strongly recommended to make agreements on the rights of use of the research information at the beginning of a CRIS implementation. As well as data protection law, which regulates the storage, processing, transmission and publication of personal data. In the case of personal data, some data are considered to be particularly sensitive and therefore particularly worthy of protection. An important aspect is that only authorized persons may have access to the CRIS or that each person is only granted restricted access within the framework of certain user profiles. Every CRIS user has to prove his legitimacy or his user profile before he is allowed to access the database. There are different types of access restrictions that must be used (e.g. the CRIS user can only provide a partial view or the user can query information but not change it). For these reasons, our work will answer the research question as follows: What challenges exist in terms of data protection due to the increasing networking and increased efficiency of the CRIS universities and research institutions and whether legislative or other measures are indicated in this regard?