INSPECTr Project

Research Data Privacy Statement

INSPECTr Project Overview
We (the INSPECTr Consortium) process personal data to research, develop, and validate a shared intelligent platform and a novel process for gathering, analysing, prioritising and presenting key data to help law enforcement agencies (LEAs) in the prediction, detection and management of crime in support of multiple agencies at local, national and international level.

Responsible Research
The INSPECTr project seeks to comply with the tenets of Responsible Research and Innovation and with national and European research ethics requirements in a manner that has been developed in strict compliance with the relevant ethical and legal guidelines, provisions, procedures and protocols that have been identified by the European Commission, Ethics Manager and project partners. We put particular emphasis on privacy-awareness and legal compliance of the research and development.

Regulatory Model
The INSPECTr Consortium has followed a regulatory model with internal and external controls. The Ethical lead partner works closely with the Consortium Partners, who work closely with their own Data Protection Officers (DPOs), legal teams and national Data Protection Authorities in order to comply with the requirements set by the European Commission. An independent Ethical Advisory Board also oversees the INSPECTr project, providing advice to partners. A full suite of ethical, legal and safeguarding documents supports the activities of the INSPECTr Consortium based on the ethical requirements of the European Commission, as well as the implementation of a dynamic Data Management Plan and Data Protection Impact Assessments, an Incidental Findings Policy, and Ethical deliverables in the form of Ethics Requirements and Privacy and Ethics by Design reports.

General Data Protection Regulation (GDPR)
The INSPECTr project will only collect personal data insofar as it is necessary to collect it for the completion of research, validation, dissemination, and exploitation of the project results. The INSPECTr project is a research project and to this end, Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, known as the ‘General Data Protection Regulation’, hereafter ‘GDPR’, is the primary basis for the data processing for technology, university, SME and LEA partners.

The GDPR protects the rights of persons whose personal data is processed, called data subjects’ rights. These are set out below in section 8 below.

In limited number of member states, LEA partners will process personal data on the basis of national law which implements Directive (EU) 2016/680, the ‘Law Enforcement Directive’, to test the INSPECTr platform, as detailed in section 6 below.

Contact Details
The contact details of the project coordinator and the Data Protection Officer of the project coordinator are included below. You can use these details to exercise your rights.

1. Consortium and Controllership

The INSPECTr project consists of eighteen partners (18) including technical, academic, ethics, legal and LEAs from twelve (12) different European countries. There is a broad spectrum of activities within the project. These activities include: research and development on the technological ways to meet the requirements of the LEA end users; research on the relevant law governing the future use of the technology; and research on the ethical and legal implications of the project itself. In determining purposes and means of the processing of personal data, the project was informed by all areas of partner expertise. The broad purposes and means of the processing operations within INSPECTr have therefore been jointly established by the partners.
The specific tasks involved in the research are defined in an agreement between the European Union and the partners. To achieve in practice the technical or other objective of individual INSPECTr tasks, each task leader must further specify the remit and means of data processing. Typically, the data controller undertakes data processing activities. Each partner is responsible on an individual basis for adhering to data protection rules for the data processing activities carried out. This responsibility is exercised with an expectation of support from other project partners.
In the exceptional case, an INSPECTr partner may process data by way of observation data controlled by another INSPECTr partner, e.g. a technical partner processing LEA partner data. In this scenario, a contract will be established between the partners with specific safeguards.

2. Purposes of Processing

We (the INSPECTr Consortium) process personal data in order to effectively participate in the scientific research project which aims to integrate a range of high-tech approaches, including Big Data analytics, cognitive machine learning and blockchain technologies into a shared intelligence platform that will improve digital and forensic capabilities, and reduce the complexity and cost of cross-border collaboration.  The intention is to reduce the complexity and the costs in LEAs and related actors to use leading edge analytical tools proportionally and in line with relevant legislation, including fundamental rights, with extended options for multi-level and cross-border collaboration for both reactive and preventive policing and facilitate the detection/prediction of cybercrime operations/trends supporting multiple agencies at local, national and international level. With this overarching purpose in mind, we process personal data to:

a) develop, train, test and evaluate machine learning models as part of this research activity;
b) organise and administer the project, including its events and contributions from third parties; and,
c) disseminate and communicate the outputs from the project.

3. Personal Data and Data Minimisation

Personal data is that which concerns an individual and can be used to identify them. Where actions in INSPECTr process personal data, INSPECTr engages in data minimisation. Data minimisation in INSPECTr will ensure that data is:

◦ Adequate – Meaning it is sufficient to fulfil the stated purpose
◦ Relevant – Meaning the processing has a rational link to the purpose
◦ Limited – Meaning that only the necessary data to fulfil the stated purpose is processed.

Partners will follow good governance ensuring that they will only process personal data that is adequate, relevant, and limited to what is needed for their task. Towards this requirement, the INSPECTr project develops and uses ‘mocked data’, which is not personal data for the initial development of the INSPECTr tools, e.g. social media profiles, online forum profiles and investigations case files. INSPECTr will process pseudonymous data. Pseudonymous data, if linked to another data set, has the potential to identify individuals e.g. online data may contain usernames or bitcoin wallets which do not immediately identify a person. However, the project consortium is not interested in detecting these matches and any steps required to identify individuals in this manner will be avoided. For the discovery of links between cases remotely, INSPECTr will use cryptographic hashing and bloom filters to ensure the platform processes only anonymised data, with the real data held only on local LEA nodes. This can occur through the federated data software model adopted. No social media personal data is processed during the project, and LEAs will not test the web scraping tool on any online data.

4. Categories of Personal Data

This Privacy Statement is intended to meet the requirements of Article 14 GDPR concerning information to be provided to the data subject, especially in cases where personal data has not been obtained from the data subject. Informing data subjects directly of the information listed below would in many cases have a disproportionate effect on the scientific research purpose objective, pursuant to Article 14(5)(b).
The technology development within INSPECTr takes place in the context of three criminal activity ‘use cases’ shaped by the end user partners. The INSPECTr use cases are (i) terrorism; (ii) financial fraud; and (iii) child sexual abuse material (CSAM).
Across these project use cases, INSPECTr processes the following categories of personal data:

i. Facial image data from online publicly accessible websites with permission for research use to develop an image and object processing tool, e.g. storage.googleapis.com/openimages/web/index.html and cocodataset.org 

ii. Data from targeted darkweb markets, i.e. pseudonymised personal data such as bitcoin wallets or obscured user handles to test the web scraping tools. It is not possible to provide the exact URLs for these sites as they are constantly changing.

iii. Data from targeted online forums where criminal activity is known to occur to test the web scraping tools, e.g. cracked.io, nulled.to, pastebin.com.

iv. LEA closed investigations case files to test the tool in the advanced stages of the project, i.e. any type of seized exhibit within the casefile, e.g. digital or paper exhibits; transcriptions of communications from chat logs, telephone, social media, SMS etc, open source investigations data etc. This data is likely to include data that individuals would consider sensitive.

v. Contact details, i.e. LEA research participants who will give feedback on the tools for testing and impact assessment, ethics experts asked to engage in ethical workshops, and other relevant LEA-related stakeholders to whom we disseminate the results of our project.

vi. Dietary or accessibility requirements for human research participants of in-person workshops. This data is collected only to accommodate specific needs but could include information that is sensitive.


Please note that only data relevant in the context of the chosen use cases will be collected and analysed. The aim of the research is absolutely not to monitor any identified individual or to take decision against him/her, but to conduct research in order to find out if the INSPECTr Platform might contribute to LEA efficiencies, in the form of lawful evidence gathering, digital forensics analysis and cross-border collaboration among LEAs. During the research, INSPECTr partners do not intend to use any of the data mentioned above, in order to identify a natural person.

5. Recipients or Categories of Recipients of the Personal Data

Personal data processed for research purposes is not shared with third parties outside the project unless there is a legal obligation to do so. Personal data may be shared between research partners/institutions involved in the project, strictly for the purposes of the project, provided appropriate contracts are in place. This is likely only in the limited circumstances set out in section 1.

6. Lawful Basis for Processing Personal Data

The legal basis for the processing of personal data required for research, validation, dissemination and exploitation activities in INSPECTr varies depending on the form of personal data and the nature of the data controller and processor. This is the case across both the GDPR and relevant national law.

Furthermore, although the INSPECTr project is most fundamentally a scientific research project, some LEA partners are processing personal data within closed investigations case files on the basis of national law which implements Directive (EU) 2016/680, the ‘Law Enforcement Directive’. The Directive covers the processing of personal data by LEAs for the purposes of the ‘prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security’. In these limited instances, the partners have interpreted the national law implementing the Directive to understand the scientific research purpose of the project to overlap with the prevention of criminal offences, since this is their overriding objective for involvement in the project.

The following table presents the legal basis relied on by partners processing the six categories of personal data described in section 4 above.

7. Storage and Retention

Personal data will not be stored longer than is necessary for the research purposes pursued by the INSPECTr project. Over the course of the project, data will be reviewed periodically and the necessity of ongoing storage assessed. Data which is no longer necessary will be anonymised or deleted. The project ends in August 2022. At this point, each partner will individually re-assess whether further storage is necessary and lawful. The maximum duration of data retention will be five years following the completion of the project.

8. Data Subjects’ Rights and Limitations

If your personal data is processed by INSPECTr, you have the following rights, subject to the described restrictions.

Subject access request (Article 15 GDPR)

You have the right to obtain confirmation as to whether or not INSPECTr is processing personal data concerning you, and, where that is the case, access to it. We will provide you free of charge with a copy of your personal data undergoing processing in a commonly used electronic form.

Right to rectification (Articles 16 and 18 GDPR)

You also have the right to obtain the rectification of any inaccurate personal data concerning you. If you have challenged the accuracy of your data and asked for rectification you have the right to request the restriction of processing while we are considering your rectification request.

Right to be forgotten (Article 17 GDPR)

In case you object to the processing of your data and there is no lawful basis to retain your data, we will comply with your request and erase your data.

Please note that your right to be forgotten might be limited, such as where the erasure is likely to seriously impair the achievement of the research purposes of the project.

Right to object (Articles 21 and 18 GDPR)

You can object to the processing of your data by INSPECTr. In order to do that, you must provide us with specific reasons based upon your particular situation. Please note that the right to object is not an absolute right. The project will consider your objection and determine how best to respond.

If the processing is carried out for the performance of a task in the public interest (Article 6(1)(e) GDPR) or for a legitimate interest (Article 6(1)(f) GDPR), we can continue with the processing if we can demonstrate compelling legitimate grounds for the processing, which override your interests, rights, and freedoms. If the processing is carried out for scientific research purposes (Article 9(2)(j) GDPR), we can continue with the processing if the processing is necessary for the performance of a task in the public interest.

If any of these are the case, we will explain our decision to you, otherwise your data will be excluded from processing. You have the right to request the restriction of processing while we are considering your objection.

Right to lodge a complaint with supervisory authority (Article 77 GDPR)

If you believe that your rights have been infringed, you can lodge a complaint with any supervisory authority, including the authority where you reside, work or where the infringement on your rights is suspected. This is without prejudice to any other administrative or judicial remedy you have.

8.1 Limitations on Data Subject’s Rights

It is possible that national laws will exist which restrict the rights of the data subjects listed above. For example, national law, which is necessary and proportionate, may provide for such restrictions if they are intended to safeguard the prevention, investigation, detection, or prosecution of criminal offences pursuant to Article 23(1)(d) GDPR. National law can also derogate from some of the rights set out above in circumstances where the data is processed for scientific research purposes, pursuant to Article 89(2) GDPR.

The project consortium is not obliged to maintain, acquire, or process additional information in order to identify the data subject for the sole purpose of complying with the GDPR pursuant to Article 11(1). However, pursuant to Article 11 (2) GDPR, where data subjects provide additional information in order to exercise their rights, the INSPECTr consortium will handle the request in a manner compliant with technical and legal requirements. In this regard, the identity of the data subject, as well as their relation to the data referred to in the request has to be sufficiently verified.

Although data subjects’ rights may be restricted under the conditions described, all requests to the abovementioned points of contact will be carefully assessed on a case-by-case basis and replied to.

9. Contact Details

To contact the project about personal data processing, you should get in touch with the Co-ordinating partner, which is the UCD Centre for Cyber Security and Cyber Crime Investigation (UCD-CCI) at University College Dublin. The contact details for this partner and the organisation’s Data Protection Officer (DPO) are provided below.

TERMS OF USE FOR INSPECTr WEBSITE

1. Acceptable use of information appearing on this site

The content of this website, including texts, images, photographs, audio, video, graphics, logos, domain names, user interfaces, user “look and feel”, is protected by the provisions of national and international intellectual property laws. Unless otherwise indicated, you are authorised to view, copy, print and distribute (but not modify) the content of this website, provided that such use is for solely personal and non-commercial purposes. Please acknowledge the source. All logos and trademarks are excluded from the above-mentioned general authorisation. In cases of doubt as to the conditions of use or reproduction of a particular item, please contact us at: inspectr@ucd.ie.

2. Privacy and Security

You can review our Website Data Privacy Statement here.

3. Do we link to other websites?

Our websites may contain links to other sites, including the sites of the consortium partners, which are not governed by our privacy statement and are provided for your convenience only. You are solely responsible for evaluating the content and accuracy of materials on such third party websites. Please review the destination websites’ privacy policies before submitting personal data on those sites. Whilst we try to link only to sites that share our high standards and respect for privacy, we are not responsible for the content, security or privacy practices employed by other sites.

4. General disclaimer and limitations of liability

We aim to keep the information that appears on the INSPECTr website as complete and up to date as possible. If errors are brought to our attention, we will take all reasonable steps to make any necessary corrections within a reasonable time. Please be aware that the information published on our website is for informational purposes only. None of the information contained on the website constitutes legal or professional advice, nor can we accept responsibility for how it might be used, including liability for any errors or omissions in third party use. We cannot be held liable for any direct or indirect damage which may result from use of this site. Links to other websites are provided in good faith and for information only.
While we take all possible steps to minimise disruption caused by technical errors, we cannot guarantee that our website will not be interrupted or otherwise affected by such problems. Please note that access may be suspended temporarily and without notice in the case of system failure, website maintenance or repair or for reasons beyond our control.  
The use of our website is governed by Irish law. Any dispute arising from or related to the use of this website shall be subject to the non-exclusive jurisdiction of the Irish courts.  
If you are dissatisfied with these Terms, your sole and exclusive remedy is the discontinuation of the use of the Site.
Data Controller and Administrator of the website:

UCD Centre for Cybersecurity and Cybercrime Investigation (UCD-CCI)
UCD School of Computer Science
University College Dublin
Belfield, Dublin 4, Ireland

Service Contact: inspectr@ucd.ie