ANNEX D.2: National/local legislation, rules and restrictions



National/Regional legislation

The main legislation dealing with ethical aspects is that concerning data protection. Spanish Organic Act 15/1999 entitles the Spanish Agency of Data Protection to supervise and monitor compliance with the provisions of that law and to penalise infringements of them. This Organic Law deals with the provision, distribution and guarding of information related to scientific and commercial activities.

Informed Consent

The consent form will be checked by the person responsible for ethics and will also be forwarded by technical members of Cloud4all who were part of previous pilots. A summary of the project must be given at the beginning of the document. Further down, an explanation of the specific test must be conveyed, along with information about the absence of obligations or commitments on the user's side. Finally, a confirmation that everything was explained and understood is necessary. The main items that should be covered in the sheet are:

  • What the research is about
  • Who is carrying out the research
  • Who is funding it
  • Any benefits to individuals or groups
  • Any possible adverse effects
  • What the participants will have to do
  • Length of the research
  • Location of the research
  • What the research findings will be used for
  • What will happen to the results
  • Whether they will receive a summary of the results

Data Protection and Confidentiality

All data in the cloud environment will be anonymised. The procedures relating to this issue will be handled in the same way as for Cloud4all. For data not stored in the cloud, all procedures for encrypting databases when the information is digital, or preserving the physical form when it is written, will be put into practice. This topic is especially sensitive since data regarding disability has the highest level of legal protection against violation. When data is to be disclosed for analysis (by asking the user or tracking their activity), the researcher will always inform the user beforehand in the consent form. When data about users is passed between researchers, the basic identifying information not related to demographics (name, surname, and place) will be encoded.

Safety & Risk Assessment

There are no foreseen risks apart from the usual random contingencies, because people of all disability profiles are regular visitors to the ONCE Foundation premises. In line with Spanish legislation, the building has third-party insurance in case any accident occurs. The overall risk is very low.

Incentives & Reimbursement policy

Every participant in the trial will be given compensation to reward their dedication and willingness. The policy will be similar to the one adopted for the Cloud4all trials, which was a 30€ gift certificate for a famous shopping centre.

Organisational and Insurance measures

The usual third-party insurance is held by ONCE Foundation. Moreover, enough staff from Technosite and ONCE Foundation will be present to avoid inconveniences and to deal with foreseen contingencies.

Special/Additional regulations of the entity (if any)

Remote tests differ from Cloud4all in one respect. Apart from the usual consent form (this time presented digitally, with the consent recorded by audio), a prior remote meeting is necessary to organise the arrangements for the test (feasibility, accessibility). The challenges presented by remote testing concern the security and reliability of communications as well as identity authentication.

Relevant authorised agencies/bodies/committees and processes

AEPD: The Spanish Agency of Data Protection was established in 1999 in the context of the Spanish Constitution of 1978. This agency is the one in charge of enforcing data protection laws.

CERMI: The Spanish Committee of People with Disabilities Representatives is the main body in charge of representing people with disabilities as well as monitoring the advancement towards a more inclusive society through an effective implementation of Universal Accessibility.

Accessibility of facilities

ONCE Foundation facilities comply with all accessibility standards regarding the physical environment and information accessibility. Nonetheless, the accessibility of facilities is not limited to that but also covers the materials and activities of the Prosperity4all tests. Prior to the tests, organisers will ask participants about any arrangements needed; furthermore, the required material will be provided in a suitable format.


National/Regional legislation

Informed Consent

In compliance with the Austrian Data Protection Act 2000, LIFEtool created an informed consent form that has to be signed by all participants in the interviews and pilots that will be carried out within the Prosperity4All project. This form clearly states the privacy rights of the participants and the compliance of the project with these rights.

Information about the research project

The aim of the Prosperity4All research project is to provide an infrastructure for easy and cost-effective development of digital products and solutions for people with special needs. Moreover, with the help of this infrastructure, entirely new kinds of assistive technologies could be developed.

Your role in the research project

As part of the research project, your job is to use the developed programs and technical tools. You will then answer simple questions about your satisfaction with the product. The expected benefit that researchers draw from this is an understanding of how you work with these applications, so that the product can be further improved.

Compensation, location and duration of the field trial

For participating in the field trial, which takes place in Linz in the premises of LIFEtool, you get € 30 in cash. The duration of the evaluation will be approximately 2 hours. Your interactions with the product are partially recorded for the fulfilment of the project objectives and evaluated anonymously.

Framework Conditions

  • You can withdraw from the field trial at any time without indicating any reason.
  • The personal information collected during this study will be kept confidential and will not be passed to third parties. All information collected will be evaluated completely anonymously. Your consent to use the data cannot be revoked at a later date.

Data Protection & Confidentiality

In principle, every processing of patient data must be notified to the data protection register.

Concerning the scientific processing of patient data, two cases must be differentiated:

  • The data used for the research were collected for “the normal patient” treatment in the hospital and are processed in a notified system (with DVR number). In this case, in accordance with § 46 DSG 2000, no separate notification to the data protection register is necessary and the patient does not need to be informed.
  • For example, the data in the KIS or a notified system are recorded and later processed scientifically.

The data are collected (beyond the purposes of the treatment) specifically for the scientific study. In this case the data have to be used anonymously or a notification to the data protection register has to be provided. Apart from that, the consent of the patient to the collection and processing of his data must be obtained.

Safety & Risk Assessment

Risk assessment considers issues that might arise (because of cultural and age differences, drop-outs or not enough users included, ethical approvals not obtained). Certain mitigation steps are planned in case any of these issues arises or other problems are encountered.

Incentives & Reimbursement policy

For participation in the trial phases of the Prosperity4All project, the end-users will receive 30€ in cash. The Austrian pilot site covers evaluation activities with 40 end-users; as a consequence, LIFEtool will disburse a total of 1200€ on reimbursements for the trials.

Organisational & Insurance measures

LIFEtool has a contents insurance which covers all the devices and facilities of its premises.

Special/Additional regulations of the entity (if any)

In accordance with § 14 exp. 1 DSG 2000 (data protection act 2000), it must be ensured that the data are protected against loss and against accidental or illegitimate destruction, that they are duly used, and that the data are not accessible to unauthorized persons.

Based on the Data Protection Act 2000, the framework for the Austrian health data network MAGDA-LENA (medical administrative health data exchange - logical and electronic network Austria) was set up, which also deals specifically and in great detail with security for patient health data. It notes that data may be processed and conveyed only under strictly defined conditions. Since health data are sensitive data in the sense of the data protection act, their use is permissible only if:

  • the person concerned has expressly granted their approval, which they may revoke at any time
  • they are necessary to protect the vital interests of the person concerned and the consent cannot be obtained in time
  • they are necessary for medical purposes and are treated confidentially by medical or other personnel

In order to prevent unauthorized access at different places in the system, access restrictions are installed which can be passed only with appropriate authorization by means of a password or other identification.

Relevant authorised agencies/bodies/committees and processes

Austrian regulations focus mainly on the relationships between medical experts and patients and are found within several legal acts, and not as part of single dedicated legislation.

Relevant Authority for the Austrian Pilot Site:

Österreichische Datenschutzkommission


1010 Wien

Accessibility of facilities

LIFEtool’s information centre in Linz, Upper Austria is barrier-free accessible. All the consultation activities regarding assistive technology of LIFEtool Linz take place in these facilities.

Germany


National/Regional legislation

The applicable regulations are the ethical principles of psychologists for research (Section C.III [1] (German)) set by the Federation of German Psychologist Associations (Deutsche Gesellschaft für Psychologie e.V. - DGPs). These are based on the "Ethical Principles of Psychologists and Code of Conduct" (Section 3.10 and Sections 8.01 to 8.15 [2]) of the American Psychological Association (APA). They include regulations concerning

  • Informed Consent
  • Data Protection and Confidentiality
  • Safety & Risk Assessment
  • Incentives & Reimbursement policy


Organisational and Insurance measures

All compensatory damages, resulting from the unlikely case of loss or injury on the participants’ side, are covered by the employer's liability insurance. If there are substantial risks, which cannot be avoided (e.g. in human clinical trials), additional insurance should be considered. This should not be necessary for the evaluation in P4All.

Data Protection and Confidentiality

In addition to the regulations from the ethical principles, Germany has additional legislation on data protection. Any use of personal data is subject to data protection regulations, such as the State Data Protection Act (Landesdatenschutzgesetz, LDSG), the Law of Baden-Wuerttemberg on Universities and Colleges (Landeshochschulgesetz Baden-Wuerttemberg, LHG-BW) or the Telecommunications Act and Telemedia Act (Telekommunikationsgesetz TKG, Telemediengesetz TMG). They include and go beyond regulations transposed from the EC-directive 95/46/EC.

Any handling of personal data requires legal permission. This is underlined by the legal obligation to observe data secrecy (LDSG, Art. 6). Whenever personal data is processed, it is obligatory to observe said regulations, irrespective of whether the data is considered to be sensitive or not. The principle of reasonableness shall be applied only when implementing technical and/or organizational measures for the protection of data. According to this principle, the protection purpose and the necessary expenditure shall be in reasonable relation. In the following, we will focus on the regulations concerning the handling of personal data collected explicitly for research with the informed consent of the affected person (adapted from [3] (German)).

Data avoidance and data minimization are the most essential guidelines for the handling of personal data. Every research effort using this kind of information should assess beforehand what kind of data is actually needed to gain insights into the research questions. This should be decided on the basis of the concrete hypothesis. Data accumulation without a clear goal must be avoided. In addition, all options for the actual collection, processing and storage of the information should be considered. This includes anonymization or pseudonymization as early as possible, without compromising the investigation. The method that has the least impact on the affected persons while maintaining scientific integrity has to be selected.

The most preferable form of data collection happens with the informed consent of the affected person. This is in line with his/her constitutional right to informational self-determination and grants the person agency over the collection, processing and use of his data for a specific research goal, which is the most transparent option for everybody involved. To reach this objective, the regulations on data protection (LDSG, Art. 4) state several guidelines concerning the form and content of the consent form. The form should inform about the concrete aim of the data collection and the planned data processing. The consent has to be obtained in written form and voluntarily, and includes the right of revocation at any point in time. In particular, the following information has to be included:

  • Responsible agency and director of the research project
  • Goal of the research project
  • Data processing methods employed
  • Group of people who will get access to the data
  • Research partners who will take part in the project and are entrusted with a particular step in the data processing
  • Scheduled point in time for the deletion or destruction of the data
  • List of people who could get access to the data, e.g. external reviewers

In addition, the affected person should be informed about his right to revoke his consent to the processing of his data at any point in the future. Independently of this, he also has the right to request any of the information linked to his person, and to correct it in case of errors.

The right of revocation and subsequent deletion of the data in particular is a highly discussed topic in German regulation, because it conflicts with the good scientific practice of storing experimental data for at least 10 years.

Relevant authorised agencies/bodies/committees and processes

Ethics Committee and Ombudsmen for Ethical Principles

The Ethics Committee at KIT is a relatively young institution, which was created to foster the ethical principles of the KIT. These are directed mainly at the goals and outcome of research regarding potential risks and the dual-use problem. The implementation of and judgment on these principles is the duty of the ombudsmen.

When in doubt, or requested by a funding party, research proposals should be handed in for approval by the Ethics Committee, using an official form. They will be discussed in the official sessions, which are held every three months.

Web: (only accessible from the KIT network)

Data Protection Commissioner

It is the task of the data protection team of KIT (DST) and in particular of the Data Protection Commissioner (DSB) to help in observing the requirements resulting from data protection legislation.

According to Art. 11, LDSG, every public institution is obliged to keep a central registry of all automated processes that handle personal information. The responsible administrator, institution or organization should indicate such processes as soon as possible, and at the latest with the collection of the first dataset. In the case of the KIT, this indication has to be directed to the office of the Data Protection Commissioner using the official form.

Accessibility of facilities

According to the German building code, all public and commercial buildings are equipped with ramps and elevators to provide access for people with impaired mobility. This is also the case for the test facilities at KIT.

In addition, the Study Centre for the Visually Impaired (SZS) at KIT provides literature conversion services for blind and partially sighted persons. The study material is prepared electronically by the SZS. It can be read at a computer with a braille display or a screen reader – alternatively also printed in braille. Many diagrams are additionally made available in tactile form. The conversion itself takes place according to current criteria of scientific text conversion and is being constantly further developed and/or adapted to the needs of the students. The medium form into which the study material is converted is determined in principle by the recipient.



Tests will be carried out with end-users, and approval must be obtained from the CERTH Ethics committee before any activities are undertaken. The ethical application form contains information about the project and the pilot tests to be carried out. The ethics committee can request further information (e.g. evaluation materials) in order to reach a decision. In case of refusal, no testing can take place within the premises. Any decision reached by the Ethics committee abides by European and national legislation and the national data protection act.

National/Regional legislation

The conduct of tests in Greece abides by both European and national legislation. Any testing with humans abides by the 2001/20/EC Clinical Trials Directive & Ministerial Act: 3/89292/31.12.03. Although no clinical trials will be carried out within the framework of Prosperity4All, the other parts relating to testing with humans are relevant to the evaluation carried out within the project. The Ministerial Act (1973) harmonizes the Greek legislation with the EC Directive and regulates any clinical practice, clinical trials, and testing with humans and any respective procedures. The following table presents in detail the specific Article of Ministerial

Table 19: Specific legislation for conducting tests with humans in Greece

Law/Guideline/Ministerial Act: Article | Participation aspect
Ministerial Act 3/89292 (Article 3) |
  • Risk estimation in relation to actual gain for science and wellbeing
  • Ensure no harm (physical or psychological) is brought upon participants and personal data are protected by the current legislation (Personal Data Protection Act)
  • Participant can withdraw anytime they wish to without any consequences
  • Insurance is provided for any accidents happening while testing (though no such occurrence is anticipated in tests carried out within the framework of Prosperity4All)
Law 2472/1997 | Protection of Individuals with regard to the Processing of Personal Data
Law 3471/2006 | Protection of personal data and privacy in the electronic telecommunications sector and amendment of law 2472/1997.
Law 3625/2007 | Equality Law: Respect cultural and personal differences and protect people from discrimination because of gender, age, disability, race, religion.

Informed Consent

Participants are informed about the project and the testing procedure before any testing takes place. On several occasions, they are informed during recruitment about the purpose, scope and testing details. The informed consent is usually attached to the ethical application form submitted to the CERTH Ethics committee in order to receive approval by all members of the Ethics Panel. Any changes and/or amendments suggested by the Ethics committee should be implemented before testing takes place. Two consent forms are signed and one copy is given to the participant. Information is given to the user in a form that is appropriate for and understandable by the participant. Likewise, consent is obtained in a form that is appropriate to the participant (e.g. oral in the case of an illiterate user).

Data Protection and Confidentiality

Data protection and confidentiality abide by the national law and are controlled by the Hellenic Data Protection Agency. Specifically, for Prosperity4All tests, there will be no need for approval by the Data Protection Agency, as data do not carry any other information that might identify the participant, unless a need for this arises in any evaluation plan.

Safety & Risk Assessment

Safety risk assessment is twofold: it concerns the physical risk to and safety of participants while they are on the premises, and the assessment of any issues that might put at risk the quality and efficiency of the tests conducted with participants. Firstly, no physical, mental or any other type of harm is anticipated or will be inflicted on participants. Users are protected by the code of conduct, national and European legislation and the written/oral consent obtained. Secondly, an internal mitigation plan exists and covers three stages: recruitment (inclusion/exclusion) criteria (pre-assessment of the situation), pre-testing and monitoring of the actual conduct of tests (dynamic assessment of the situation), and data compilation checking (post-test assessment of quality and identification of gaps and shortages). Apart from the test site assessment protocol, the test site will also follow the mitigation strategy developed within the framework of Prosperity4All.

Incentives & Reimbursement policy

Participants will receive monetary reimbursement for their participation. In total, 40 participants will participate in two evaluation phases and thus monetary reimbursement will be 1200 for all participants. Participants may also be reimbursed for any travel costs (e.g. if they need a taxi to get to the institute premises).

Organisational and Insurance measures

Active under CERTH guidelines as mentioned in the section below. 

Special/Additional regulations of the entity (if any)

Any testing carried out at CERTH premises abides by the regulations of Ministerial Act 747115/2005 (125/2005), which is the centre’s official internal regulation document addressing internal regulation and guidelines for security and visitor access to the buildings.

Relevant authorised agencies/bodies/committees and processes

Ethical approval is granted by the Ethics committee of CERTH, which is the authorised agency for any testing taking place within its premises or in collaboration with other entities. In case of collaboration with other entities or organizations (e.g. a public hospital), approval should be obtained from both committees and any other governing body.

Accessibility of facilities

There are no accessibility barriers to the premises where testing will take place (including accessible WC).

Other countries

External implementers will participate in the evaluation, and therefore ethical issues should be considered when involving interested parties from other countries (apart from the ones acting as pilot sites). Participation should be covered under the EU legislation in all cases. Where national legislative restrictions exist, they should apply first and foremost.

Moreover, specifically for remote testing (which will be the case for testing with many implementers), national guidelines do apply. When cross-border testing takes place (between two countries; e.g. the researcher is in Austria and the participant is in Germany), participation should be in accordance with the strictest regulations applied in any of these countries. This might be true for tests carried out with external implementers. Usually, the applicable regulation is that of the place where the servers are hosted, or rather what the imprint on the website says. However, server hosting and data collection at the evaluators’ site is preferred/chosen in order to avoid having to deal with data export regulations.

Impact assessment data gathering will be automatic with no personal data collection, hence no restrictions apply.