DEALING WITH DATA PRIVACY AND SECURITY TO SUPPORT AGRICULTURAL R&D
Technical practices and operating procedures for responsible agroinformatics data management

AUTHORS
James Wilgenbusch, Benjamin Lynch, Naomi Hospodarsky and Philip Pardey

This document was prepared with support from the CGIAR Platform for Big Data in Agriculture. Wilgenbusch is Director of Research Computing at the University of Minnesota (UMN) and Co-Director of the GEMS Informatics Initiative; Lynch is Associate Director for Scientific Computing and Hospodarsky is a Research Security and Compliance Analyst, both at the Minnesota Supercomputing Institute; and Pardey is Director of Global Research Strategy for UMN’s College of Food, Agricultural and Natural Resource Sciences (CFANS) and Co-Director of the GEMS Informatics Initiative. This report solely reflects the opinions and findings of the authors.

© 2020 James Wilgenbusch, Benjamin Lynch, Naomi Hospodarsky and Philip Pardey

ACKNOWLEDGMENTS
The content of this report benefited greatly from discussions with participants at the Big Data Workshop for Agriculture titled “BD AI, Blockchain, Workforce Development and Data Privacy”, held at the Microsoft Campus, Fargo, North Dakota on September 10, 2019; the 2019 CGIAR Big Data in Agriculture Platform Convention titled “Trust: Humans, Machines and Ecosystems”, held at ICRISAT, Hyderabad, India on October 18, 2019; and the Data Ownership Dialog, co-located with the ASA-CSSA-SSSA International Annual Meeting held in San Antonio, Texas on November 13, 2019. We are also thankful for the support from Brian King and Connie Chan-Kang in the preparation of this report. Additional support was provided by the GEMS Informatics Initiative at the University of Minnesota.
TABLE OF CONTENTS
PROJECT DESCRIPTION
EXECUTIVE SUMMARY
DEALING WITH DATA PRIVACY AND SECURITY TO SUPPORT AGRICULTURAL R&D
1 MECHANISMS TO PROTECT AGRICULTURAL DATA PRIVACY
  TECHNICAL AND NON-TECHNICAL STANDARDS AND PROCEDURES
2 SECURITY TIERS TO SAFEGUARD AGRICULTURAL DATA PRIVACY
3 MAPPING THE CGIAR PLATFORM’S RESPONSIBLE DATA GUIDELINES TO TECHNICAL STANDARDS
4 CONCLUSION
REFERENCES
APPENDIX

TABLES AND FIGURES
FIG 1: A schematic depicting the CGIAR’s Platform for Big Data in Agriculture responsible guidelines
FIG 2: The relationship between data risks and security standards
FIG 3: A risk-based schema for mapping high-level CGIAR responsible data guidelines to specific data standards and regulations
FIG 4: An example of mapping CGIAR data functions and guidelines to specific data standards and regulations
Table 1: Key organizing principles for a sample of voluntary data codes of conduct
Table 2: Sources of technical information for mapping CGIAR guidelines to technical standards
Table 3: Three tiers of risk for agricultural data
Table 4: Description of putative impacts from breaching three levels of data security
Table 5: Data security classifications used by selected U.S. research universities
Table 6: Data security objectives and the tiered consequences of a data breach
Table 7: An example of mapping HIPAA security standards and implementation specifications to NIST cybersecurity categories

PROJECT DESCRIPTION
The goal of the Responsible Agroinformatics Data Management Project undertaken by the University of Minnesota’s GEMS Informatics Initiative, with financial support from the CGIAR Platform for Big Data in Agriculture, is to provide guidance and recommendations for responsible data management that the Platform for Big Data in Agriculture may recommend and promote within CGIAR and its network of partners around the world. To support this objective, this project specified three deliverables:
1. Develop good practice guidelines and recommendations that meet the needs and context of CGIAR, as defined by a CGIAR lawyer;
2. Recommend practices and key relevant global technology standards to be observed at three tiers of risk, with an eye towards ensuring broad validity of the recommendations;
3. Communicate practices and products for sensitization and validation.

This report deals directly with the first two work objectives of this project. To address the third objective, presentations were developed and presented at several national and international conferences. Slide decks for these talks are available from the lead author of this report upon request. Additional efforts beyond the scope of this statement of work are being planned, and we expect that this work will continue to serve as a foundation for additional forums on how best to navigate the rapidly changing ecosystem of data privacy and agroinformatics data management. For example, we are now working with members of the NSF-funded BDSPOKES project of the Midwest Big Data Hub to host an on-line workshop, “Big Data Promises and Obstacles: Agricultural Data Ownership and Privacy”, scheduled for June 24, 2020. The American Society of Agronomy has agreed to publish a special issue of the Agronomy Journal based on the talks presented at this workshop on the topic of “Data Privacy and Ownership in Agriculture.” This meeting and the associated journal articles will extend the impact of this work and serve as a springboard to addressing similar issues at the international level.

EXECUTIVE SUMMARY
Concerns related to data ownership and privacy cut across all sectors of our economy, shape public-private relationships and, if left unaddressed, threaten to limit the potential gains to be had from the “Big Data” revolution. Those working in the food and agricultural sectors are also at the center of concerns surrounding data ownership and privacy. This increased attention to data ownership and privacy has resulted in a proliferation of laws, regulations, policies, procedures, guidelines, codes of conduct, and data use agreements that, in some way, attempt to govern the collection, storage, use, management, retention, and sharing of data. Increased concerns over agricultural data privacy are driven in part by the deluge of agriculture-related data coming from an ever-increasing array of data sources, the often-complicated network of agricultural stakeholders, and the potential benefits that data-driven approaches can have on innovation and production in this critically important and profitable sector of our global economy. Against this background, the first section of this report identifies and describes some of the key means by which the privacy of agricultural data is being governed in various regions of the world. At a high level, the mechanisms used to govern agricultural data ownership and privacy are a mix of voluntary and required practices. Voluntary mechanisms are mostly intended to be aspirational and typically do not have a means of enforcement.
Required mechanisms come in the form of laws, regulations, and contracts that must be viewed in the context of geopolitical boundaries and do not inherently protect agricultural data: under current law, agriculturally related data are afforded protection only where they are linked to personal information. This section also lists and briefly describes the technical and non-technical standards most commonly used to define what is meant, in the various laws, regulations, and contracts, by protecting the privacy of data. These standards are mapped to the CGIAR Platform’s Responsible Data Guidelines (CGIAR 2019) in section 3 of this report. Rather than offer a “one-size-fits-all” approach to data privacy and security in the food and agricultural sector, in the second section of this report we propose and describe a three-tiered data security approach based on three tiers of risk tolerance: High, Medium, and Low. Data privacy and security are not costless, so an economically informed approach that weighs the cost-benefit implications of a potential security breach is more practical than a standard approach that treats all data equally from a risk management perspective. High security is intended to provide the greatest level of protection against unauthorized access; the Medium tier points to good practices and standards used to reasonably ensure the privacy and integrity of data; and Low is concerned only with security measures that protect the veracity of the original data, not with who can, or cannot, access the data. We advocate for three tiers of data security and not more, because a) it becomes increasingly difficult to implement more than three tiers of security, and b) there is little to no benefit to having a finer-grained set of security tiers.
While beyond the required scope of objectives for this project, section two of the report also references a few examples of the approaches used by sectors other than agriculture to classify data. The third and final section of this report brings the first and second sections together in the form of a map linking the CGIAR Platform’s Responsible Data Guidelines to several widely used or sourced technical standards developed by international and U.S. agencies, and to additional details that form part of the European Union’s General Data Protection Regulation (GDPR 2016), according to the three tiers of risk. To our knowledge, this is the first mapping or cross-linking between a form of agricultural data privacy governance and technical and non-technical standards. Agricultural innovation is a global enterprise, and data-centric approaches are increasingly being used to unlock the gains that we should expect from these innovations. That said, justifiable concerns regarding the way that the privacy of agricultural data is, or is not, protected limit the availability of these data for the public good. Our mapping of guidelines to standards should be considered in light of risks. The agriculture sector is represented by a large and diverse set of stakeholders, and a one-size-fits-all approach to privacy will not effectively address stakeholder concerns; it will likely inhibit rather than advance the movement of data into the public domain by applying strong technical and administrative controls where they may not be needed. The implementation of data management standards must be considered according to the type of data being managed and the risk posed to the stakeholders if those data were no longer private.
While lessons can be learned from the responses to data privacy used in the healthcare sector, the specific implementation details will certainly be different when applied to the realities facing food and agricultural innovation, production, logistics, market chains and regulatory interests. That said, the overarching framework does not need to be reinvented. Moreover, waiting to do something should not be considered an option. We propose linking CGIAR’s (or other) data management guidelines to a common set of existing, or if required modified, technical standards, and doing so in a way that enables practical (and verifiable) risk management practices to be implemented that foster trust among the myriad of relevant stakeholders and advance the innovation and broader benefits promised by the Big Data revolution in agriculture.

DEALING WITH DATA PRIVACY AND SECURITY TO SUPPORT AGRICULTURAL R&D
Over recent years, the agricultural press and the farm organizations that represent farmer interests have paid increasing attention to the privacy, use and ownership of farm-related data (see e.g., AFBF 2016; Herbold-Swalwell 2018; McIntosh 2018). While farmers appreciate the potential for agricultural information to improve their farming operations, a recent survey of Canadian farmers also revealed significant and increasing concerns by farmers in that country about the implications of sharing farm-originated data (FCC 2019). These data privacy and security concerns for farm-originated data spill over and have significant consequences for agricultural research, whether that research is conducted by public or private entities. The very technologies that produce more farm-related data (e.g., satellite, drone, machine and ground sensors) are also used in experimental settings both on-farm and on research stations.
Likewise, rapidly expanding applications in the data sciences (e.g., artificial intelligence and machine learning techniques, and their specialties such as neural networks or natural language processing) are lowering the cost of making more scientific and commercial sense of the deluge of agricultural data (Goldfarb and Tucker 2019). Moreover, both on- and off-farm crop- and animal-related data are often pooled for data science purposes or to enable the development and deployment of new agricultural devices and applications driven by data. As the data revolution in the food and agricultural sciences gathers pace, the concerns over data privacy and security, and their implications for innovation in the food and agricultural sectors, are bound to multiply.[1] In addition, these concerns reach well beyond data concerning just the phenotypic (e.g., yield or quality) performance of crops and animals in farm or experimental field settings. The data revolution also encompasses the generation, analysis and deployment of crop, animal and microbial genomic information, all sorts of weather and environmental data, as well as food and agricultural management and socio-economic data (NAS 2019). Moreover, the source of data relevant for innovation in the food and agricultural sectors stretches well beyond the farm, involving data elements along the entire value chain linking farms to markets. Not only are the sources and potential applications of data in agriculture proliferating, the entities performing the research are changing profoundly as well. As Pardey et al. (2016a and b) reveal, the private sector now performs 50.4% of the world’s food and agricultural R&D, well up from the 32% private share in 1980. Moreover, the private presence in food and agricultural R&D is moving well beyond the rich countries to involve research undertaken elsewhere in the world, particularly in agriculturally large, middle-income countries such as China, India and Brazil. This is expanding awareness of, and the necessity to address, the intellectual property (IP) and other privacy and contractual concerns related to public-private research relationships, many of which involve the sharing of sensitive firm-originated data. These developments are coming at a time when many public funding agencies are requiring more formal, and often more open-access, data management practices for the results of research that arise from the projects they fund (e.g., NSF 2002; USDA-NIFA 2019).

[1] Surveys conducted in 2014 and 2016 by the American Farm Bureau indicated that U.S. farmers “…were ‘concerned’ or ‘extremely concerned’ about which entities can access their data and whether that data could be used for regulatory purposes” (Janzen 2019). Likely one of the main drivers of these increasing data policy, intellectual property and practice concerns is the notion that data has potential economic value, and thus how best to create and share that value. These same economic drivers arose in the 1970s and 1980s as technological developments in the biosciences (e.g., gene sequencing, gene modification, and gene editing) unlocked new potential value in genetic resources that hitherto had been “freely and openly shared.” This spurred a growth in the rules, regulations and IP related to the genetic resources used in agriculture (Binenbaum et al. 2003; Nottenburg et al. 2002; Wright and Pardey 2006), all of which had, and continue to have, profound research freedom-to-operate and international trade implications for genetic innovations in agriculture.
These IP pressures, in conjunction with the new scientific opportunities arising from innovations in the data sciences themselves, have given rise to new principles and guidelines affecting the stewardship and management of scientific data. This includes the FAIR (findable, accessible, interoperable and reusable) standards described by Wilkinson et al. (2016), or the FAIR(ER) data practices implemented by the GEMS informatics platform (GEMS 2020), which in addition promote the ethical use of data (respecting the IP and privacy aspects of data) and also strive for replicable results from the reuse of data. CGIAR operates within the context of these rapidly changing innovation and data access realities for agricultural R&D worldwide. CGIAR’s international operations add cross-jurisdictional complexity to the social, legal and practical problems it confronts in responsibly dealing with its own or third-party data that it accesses or creates, curates and makes available.

1 MECHANISMS TO PROTECT AGRICULTURAL DATA PRIVACY
The growing number of diverse approaches used to address data privacy concerns related to agricultural data can be daunting (Ferris 2017; Sanderson, Wiseman, and Poncini 2018; Stubbs 2016; Wiseman et al. 2019). At a high level, these approaches can be divided into voluntary codes of conduct, laws and regulations, and legally binding contracts (Archer and Delgadillo 2016). Voluntary measures come in the form of suggested best practices, whereas laws, regulations, and contracts set out mandatory measures that typically include a range of penalties for non-compliance. The CGIAR Platform for Big Data in Agriculture’s Responsible Data Guidelines are an example of a voluntary measure, or voluntary code of conduct, for data practices and are explicitly intended to be “aspirational in nature” and “an aid for responsible decision making” (CGIAR 2019).
The CGIAR guidelines are organized around a standard data life cycle, which gives researchers a familiar framework for applying a mix of high-level (e.g., “Don’t ignore ethical practices/standards …”) to low-level (e.g., “… use two-factor or multifactor authentication.”) good practices. The good practices are presented in the form of “Tips” for what to do and what not to do (Figure 1). We will use these tips as the basis for our standards mapping given in Section 3. Similar voluntary codes of conduct have been created to serve specific geographic regions. In Europe, a group of organizations (Copa and Cogeca, CEMA, CEETTAR, ESA, Fertilizers Europe, FEFAC, ECPA, EFFAB, and CEJA), each of which is comprised of its own member organizations, recently published the European Union Code of Conduct on Agricultural Data Sharing by Contractual Agreement (Anonymous 2018). The EU Code broadly applies to the agro-food sector and covers a diverse set of data managed and generated by this sector. While the EU Code is voluntary, its signatories encourage “…all parties involved in the agri-food chain to conform according to these jointly agreed principles” (Anonymous 2018, 4). Similar voluntary codes have also been created in the United States (AFBF 2016) and in New Zealand (Anonymous 2016).[2]

[2] Another example of a voluntary or recommended code of conduct is the recommendations to “Address Privacy and Security” developed by the Principles for Digital Development group (PFDD 2020). In 2014 the African Union adopted the African Union Convention on Cyber Security and Personal Data Protection (African Union 2014), and in December 2018 the World Bank Group posted a Personal Data Privacy Policy (World Bank 2018), which is to be operationalized in May 2020 (Tafafa 2020). None of these guidelines, policies or conventions make direct mention of food or agriculturally related data, and they are principally or exclusively concerned with the protection or privacy aspects of personally identifiable data.

FIGURE 1. A schematic depicting the CGIAR’s Platform for Big Data in Agriculture responsible guidelines
Source: CGIAR (2019).

CGIAR PLATFORM FOR BIG DATA IN AGRICULTURE & RESPONSIBLE DATA GUIDELINES
1. Planning and Approval
2. Collection
3. Storage and Analysis
4. Publishing and Discovery
5. Archiving and Discarding
6. Reuse and Transfer

EUROPEAN UNION CODE OF CONDUCT ON AGRICULTURAL DATA SHARING BY CONTRACTUAL AGREEMENT
7. Attribution of the underlying rights to derive data (Data Ownership)
8. Data Access, Control, and Portability
9. Data Protection and Transparency
10. Privacy and Security
11. Liability and Intellectual Property Rights
12. Education

AMERICAN FARM BUREAU’S “PRIVACY AND SECURITY PRINCIPLES FOR FARM DATA”
13. Ownership
14. Collection, Access, and Control
15. Notice
16. Transparency and Consistency
17. Choice
18. Portability
19. Terms and Definitions
20. Disclosure, Use and Sales Limitation
21. Data Retention and Availability
22. Contract Termination
23. Liability and Security Safeguards

NEW ZEALAND’S “FARM DATA CODE OF PRACTICE”
24. Disclosures: a. Corporate Identity; b. Rights to Data; c. Security Standards; d. Data Access; e. Data Sovereignty
25. Practices: a. Rights to Data; b. Data Interchange and Access; c. Security; d. Regulatory Compliance

Source: Developed by authors based on information taken from CGIAR (2019), GDPR (2016), AFBF (2016), Anon. (2016).
TABLE 1.
Key organizing principles for a sample of voluntary data codes of conduct

The many different forms of voluntary codes of conduct used to protect the privacy of agricultural data make it difficult for stakeholders at all stages of agricultural innovation and production to know how to comply with the growing set of diverse expectations, especially those (such as the CGIAR) who operate in a multi-country context. Furthermore, it is unclear whether these voluntary codes of conduct are having the desired effect. Sanderson et al. (2018, p. 15) concluded that, “…the question of what ag-data codes really achieve remains to be answered.” Others are less ambiguous and argue that “…the current regulatory environment is not sufficient to protect sensitive agricultural data…” (Ferris 2017, p. 331) because state law in the United States is not uniform “…and voluntary industry standards are simply that—voluntary” (Ferris 2017, p. 331). Beckerman (2019) and Ferris (2017) proposed solving this problem by creating federal regulation aimed specifically at protecting agricultural data, in the same way that HIPAA (United States 2004) governs the healthcare industry and the Gramm-Leach-Bliley Act (Gramm 1999) regulates the financial services industry in the United States. In 2018, new legislation called the Agriculture Data Act of 2018 (Klobuchar 2018) was introduced in the United States, which would apply to data that are relevant to “covered conservation practices.” If passed, this law will likely precipitate the development of specific requirements for how the privacy of covered data is protected. Such data protection standards may be relevant to other types of agri-food data, which makes it important to keep track of the development of this bill in the years to come.
While agricultural data are not explicitly protected by law or regulation, some legal and regulatory frameworks can be used to protect the privacy of agricultural data. For example, in the United States, section five of the Federal Trade Commission (FTC) Act (United States 2018) seeks to protect consumers against unfair or deceptive acts or practices in or affecting commerce and therefore could be used to protect agricultural data. That said, Ferris (2017) argues that there are a number of reasons why this is unlikely to happen in practice. Given the FTC’s broad scope and limited resources, Ferris points out that the FTC is more likely to exercise its enforcement activities on high-profile cases, where the potential consequences of a violation are very serious and the likelihood of a successful prosecution is very high. Ferris goes on to argue that cases involving agricultural data privacy do not meet these expectations, so there is little reason to believe that FTC enforcement would be an effective legal mechanism for the protection and enforcement of agricultural data privacy. Following high-profile events like the Facebook—Cambridge Analytica scandal, more and more U.S. states are beginning to enact legislation to protect data that are considered private (Beckerman 2019). While these state-based data privacy laws appear to have the best interest of an individual’s privacy in mind, the lack of uniformity in the way data privacy is treated across states is leading to questions and some doubts as to whether state data privacy laws are actually helping to protect privacy in general (Beckerman 2019; Ferris 2017). One notable exception at the state level is Minnesota’s Agricultural Data statute (State of MN 2018). Similar to the proposed Agricultural Data Act of 2018 (Klobuchar 2018), the MN Agricultural Data statute legally defines a class of agricultural data as private.
Such a measure gives the University of Minnesota and the Minnesota Department of Agriculture a way to protect grower (and other identifiable) data from open access requests. This has helped to address grower concerns that the data from their farms, which, for example, are provided for research, could be accessed by a competitor or other interested party to obtain an economic advantage, or by an environmental organization to seek legal action. The United States is certainly not alone in enacting legislation around data privacy. Perhaps most notable, in 2016 Europe adopted the General Data Protection Regulation, GDPR (GDPR 2016). Similar to U.S. law, the GDPR does not explicitly protect agricultural data; rather, the regulation only applies to “personal data”, which under GDPR is considered

“… any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” (GDPR 2016, Art. 4.1)

Therefore, agricultural data can only be protected if the data cannot be separated from personal information (Janzen 2018). This required link to a person before agricultural data are afforded protection is similar to laws protecting data privacy in China and Brazil, two important countries in agricultural production and data (Archer and Delgadillo 2016). The final form of agricultural data privacy governance that we will briefly discuss is contractual. Archer and Delgadillo (2016) do a thorough job discussing the specific legal elements that should be contained in a contract, and they also discuss some of the data-related issues that may arise when organizations engaged in a contractual agreement span multiple countries. Our concerns regarding the use of contracts to govern agricultural data privacy are the same as for any of the other governance mechanisms that we have discussed so far. That is, the contract must clearly define what technical and non-technical standards will be used to reasonably ensure the privacy of the data. Without such standards it is hard to know whether a future data privacy breach resulted from a lack of adherence to these standards or simply from an assault on privacy that was particularly egregious. Contracts provide a very flexible means to establish these expectations. Our mapping of the CGIAR guidelines to specific standards, discussed in Section 3, provides clarity as to what is expected in the contractual partnership and also establishes a mechanism to objectively evaluate whether the requirements of a contract compare favorably with best practices used in other industries. In the absence of laws and regulations for protecting agricultural data privacy, a contractual approach is likely the best approach to establishing common expectations and mitigating general risks related to data privacy (Archer and Delgadillo 2016).

TECHNICAL AND NON-TECHNICAL STANDARDS AND PROCEDURES
The development of good or best practices implies that a set of standards already exists by which comparisons to general practices can be made. Standards not only make it possible to objectively rank one approach over another, but they also help to unambiguously describe what methods will be used when it comes to protecting data privacy. For example, even a relatively specific-sounding action like “anonymizing data” could mean different things to different people if left without reference to existing standards and definitions. For example, the U.S.
National Institute of Standards and Technology (NIST) outlines the following five ways that data can be anonymized (McCallister et al. 2010, Sect. 4.2.4):
- Generalizing the Data: making information less precise, such as grouping continuous values
- Suppressing the Data: deleting an entire record or certain parts of records
- Introducing Noise into the Data: adding small amounts of variation into selected data
- Swapping the Data: exchanging certain data fields of one record with the same data fields of another similar record (e.g., swapping the ZIP codes of two records)
- Replacing Data with the Average Value: replacing a selected value of data with the average value for the entire group of data

If left undefined, both the data provider and the data recipient could be very surprised by the results of the de-identification process.

To implement the guidelines-to-technical-standards mapping we conducted and describe in this report, we drew from standards developed by a joint technical committee (JTC) of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) and by NIST. The ISO/IEC JTC was formed in 1987, while NIST became the new name of the U.S. National Bureau of Standards (NBS) in 1988; the NBS dates back to 1901. Both of these organizations develop standards that generally transcend political boundaries, and thus their work is frequently cited as a means of defining, or at least benchmarking, requirements in other countries. To support what is meant in the CGIAR Platform for Big Data in Agriculture Responsible Data Guidelines (CGIAR 2019) we refer to five ISO/IEC standards (ISO/IEC 27001:2013, ISO/IEC 27002:2013, ISO/IEC 27017:2015, ISO/IEC 27018:2014, ISO/IEC 27701:2019) and two NIST standards (McCallister et al. 2010; Ross et al.
2017), which are briefly described in Table 2.

STANDARD: DESCRIPTION
ISO/IEC 27001:2013: Specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization.
ISO/IEC 27002:2013: Gives guidelines for organizational information security standards and information security management practices, including the selection, implementation and management of controls, taking into consideration the organization’s information security risk environment(s).
ISO/IEC 27017:2015: Gives guidelines for information security controls applicable to the provision and use of cloud services by providing additional implementation guidance for relevant controls specified in ISO/IEC 27002, and additional controls with implementation guidance that specifically relate to cloud services.
ISO/IEC 27018:2014: Establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.
ISO/IEC 27701:2019: Specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) as an extension of ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.
NIST SP 800-171 (Ross et al. 2017): Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.
NIST SP 800-122 (McCallister et al. 2010): Guide to Protecting the Confidentiality of Personally Identifiable Information (PII).
Source: Developed by authors drawing on information from the ISO/IEC and NIST (McCallister et al. 2010; Ross et al. 2017) standards listed in the table.
TABLE 2.
SECURITY TIERS TO SAFEGUARD AGRICULTURAL DATA PRIVACY

Safeguarding agricultural data would be relatively easy if there were no interest in making these data more broadly available to advance research and development objectives that align with the public good. In the context of this report, making data more broadly available is more than a mere interest or even a guiding principle. The CGIAR has a mandate to make data open, and this mandate is inscribed in the policies and guidelines that undergird the development of the CGIAR Platform for Big Data in Agriculture (see, for example, CGIAR 2014). The purpose of this section is to describe an approach that can be taken to balance access to data, as required by the CGIAR Open Access and Data Management (OADM) policy (CGIAR 2014), with the data privacy aspirations described under the CGIAR Responsible Data Guidelines (CGIAR 2019). Fortunately, balancing access to data with the protection of its privacy is not a new enterprise. That is to say, there is a rich set of mature experiences and examples, especially from the healthcare sector (Horvitz and Mulligan 2015; Lane et al. 2013; O’Keefe and Rubin 2015; Rodwin and Abramson 2012) and from U.S.-based research universities (Redd et al. 2019). The recommendations in this section are greatly influenced by these examples and by our direct experience managing diverse data types at a major U.S.-based public research university, where there is an expectation of openness of our data, tempered by an overarching ethical framework that respects, values, and in some cases requires data privacy (UMN 2020). The practice of balancing the need to access data with concerns over privacy fits firmly into a broader framework of balancing benefits with risks (Stine et al. 2008).
The application of this general framework is essential to implementing practical data management solutions that simultaneously uphold the CGIAR’s OADM policy (CGIAR 2014) while also adhering to the tenets found in the CGIAR’s Responsible Data Guidelines (CGIAR 2019). A first step in this framework is to broadly classify data according to the harm that could be caused to individuals (i.e., research subjects) and to the institutions hosting the research if the privacy of these data were to be compromised. Broadly classifying data in this way requires that everyone involved, at all stages of the research data life cycle, be aware of the risks associated with their data and of the policies and procedures used by their institute to handle these data. Researchers, students, and staff must at a minimum be able to identify what types of data require special treatment and know who within their institute can provide help when questions emerge about the data that they are charged with managing (D’Arcy and Greene 2014; Geller et al. 2010; Hu et al. 2012).

In cases where sensitive data are identified, it is common practice for the management of these data to be reviewed (and certified as being compliant with the relevant standards) by an Institutional Review Board (IRB). While a detailed description of IRB procedures and staff data management training is beyond the scope of this report, it should suffice to say that an organization should not assume that having an IRB, or even a designated data steward, will ensure the proper identification of sensitive data (Klitzman 2011). The main point here is to emphasize that each organization must decide how the data that it is responsible for protecting will be classified and what specific procedures will be used to manage these data while they are in the care of the research institute. The practice of classifying and managing data will reflect an organization’s appetite for risk, so explicitly considering data privacy and security in the context of a standard risk management framework is a necessary first step toward good data management practices. Our focus going forward is to describe three tiers of risk (high, medium and low) for the protection of agricultural data types (Table 3). These tiers of risk and their associated security protocols map to the putative impact or risk to a research subject, and to the institution hosting the research, if the privacy of the data protected under each tier were to be compromised, either willfully or by failing to meet the relevant standards. The tiers and this general approach are based largely on the security categorization criteria described in NIST FIPS 199 (NIST 2004) (see also Table 4). This approach was chosen because it aligns with the goals of this report, in that it establishes both the security categories for information (e.g., data) and for the systems that host this information.

TABLE 3. Three tiers of risk for agricultural data

LOW RISK DATA
- Data are considered public
- Data have been fully de-identified, or the subject has consented to make data public
- The loss or unintentional alteration of these data would not result in harm to the subject or institution

MEDIUM RISK DATA
- Data are considered private
- Data have been fully de-identified
- The loss or alteration of these data would result in significant harm to the subject or institution

HIGH RISK DATA
- Data are considered private
- Data contain personally identifiable information
- The loss or alteration of these data would result in catastrophic harm to the subject or institution

Source: Developed by authors.
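The "fully de-identified" criterion that separates the low and medium tiers in Table 3 from the high tier is made operational by the five NIST SP 800-122 techniques listed in section 1. The following added example (not code from the report or from NIST) applies each technique to constructed farm records and fixes the order, parameters and random seed of the pipeline, so that the data provider and the data recipient obtain the same result; the record fields, bin width and noise bound are assumptions.

```python
"""Toy de-identification pipeline built on the five NIST SP 800-122 techniques
(generalize, suppress, add noise, swap, replace with the mean). Added example:
not code from the report; records, bins and noise bounds are constructed."""
import copy
import random
import statistics

# Constructed sample records (not real farms or people). owner_name and farm_id
# are direct identifiers; zip and area_ha are quasi-identifiers; yield_t_ha is
# the measurement the recipient actually needs.
FARM_RECORDS = [
    {"farm_id": "F001", "owner_name": "A. Example", "zip": "56001", "area_ha": 120.0, "yield_t_ha": 9.8},
    {"farm_id": "F002", "owner_name": "B. Example", "zip": "56002", "area_ha": 45.0, "yield_t_ha": 7.1},
    {"farm_id": "F003", "owner_name": "C. Example", "zip": "56003", "area_ha": 300.0, "yield_t_ha": 11.2},
    {"farm_id": "F004", "owner_name": "D. Example", "zip": "56004", "area_ha": 52.0, "yield_t_ha": 6.4},
    {"farm_id": "F005", "owner_name": "E. Example", "zip": "56005", "area_ha": 210.0, "yield_t_ha": 10.1},
    {"farm_id": "F006", "owner_name": "F. Example", "zip": "56006", "area_ha": 48.0, "yield_t_ha": 7.9},
]


def generalize(records, field, bin_width):
    """Generalizing the data: replace a continuous value with the range it falls in."""
    out = copy.deepcopy(records)
    for r in out:
        low = int(r[field] // bin_width) * bin_width
        r[field] = f"{low}-{low + bin_width}"
    return out


def suppress(records, fields=(), drop_if=lambda r: False):
    """Suppressing the data: drop whole records matching drop_if and remove fields."""
    return [{k: v for k, v in r.items() if k not in fields}
            for r in records if not drop_if(r)]


def add_noise(records, field, max_abs, seed=0):
    """Introducing noise: perturb each value by a uniform draw in [-max_abs, max_abs]."""
    rng = random.Random(seed)
    out = copy.deepcopy(records)
    for r in out:
        r[field] = round(r[field] + rng.uniform(-max_abs, max_abs), 2)
    return out


def swap(records, field, similar_by, seed=0):
    """Swapping the data: exchange `field` between pairs of records that are
    'similar' (same similar_by key), e.g. ZIP codes of two farms of similar size."""
    rng = random.Random(seed)
    out = copy.deepcopy(records)
    groups = {}
    for idx, r in enumerate(out):
        groups.setdefault(similar_by(r), []).append(idx)
    for members in groups.values():
        rng.shuffle(members)
        for a, b in zip(members[::2], members[1::2]):   # an odd one out is left alone
            out[a][field], out[b][field] = out[b][field], out[a][field]
    return out


def replace_with_mean(records, field, group_by=lambda r: None):
    """Replacing data with the average value: every value becomes its group's mean."""
    out = copy.deepcopy(records)
    values = {}
    for r in out:
        values.setdefault(group_by(r), []).append(r[field])
    means = {g: round(statistics.mean(v), 2) for g, v in values.items()}
    for r in out:
        r[field] = means[group_by(r)]
    return out


def deidentify(records, seed=0):
    """A defined, reproducible pipeline: fixed order, fixed seed and documented
    parameters, so provider and recipient are not 'surprised' by the result."""
    step = suppress(records, fields=("owner_name", "farm_id"))
    step = generalize(step, "area_ha", 100)                  # 120.0 -> "100-200"
    step = swap(step, "zip", similar_by=lambda r: r["area_ha"], seed=seed)
    step = add_noise(step, "yield_t_ha", 0.5, seed=seed + 1)
    return step
```

Whether generalization and swapping are enough for a given release still depends on how unique the remaining quasi-identifiers are in the population, which this toy does not measure.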
Combining efforts related to the classification of information with the classification of information systems is a common approach, because in practice it greatly helps to inform procedures, which in turn are used to implement solutions. For example, it should come as no surprise that information classified as “high-risk” should only be stored on information systems that meet the standards for systems qualified to host high-risk information. It follows that as the risk (or cost) to a subject increases, the standards used to protect that person’s (or institution’s) privacy will also become more stringent (Figure 2). While this approach may seem obvious, section 3 of this report would not be possible without the ability to transfer the tiers of impact from the exercise of classifying information to the practice of managing information systems. More specifically, the criteria under each data security tier are used to inform which standards are mapped to a specific guideline found under the CGIAR’s Responsible Data Guidelines (CGIAR 2019).
As you might expect, systems designed to support “Low Risk Data” may have fewer required standards linked to the CGIAR Responsible Data Guidelines than will systems designed to support “High Risk Data.”

TABLE 4. Description of putative impacts from breaching three levels of data security

LOW: The potential impact is low if the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.1 A limited adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in minor damage to organizational assets; (iii) result in minor financial loss; or (iv) result in minor harm to individuals.
MODERATE: The potential impact is moderate if the loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. A serious adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to organizational assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or serious life threatening injuries.
HIGH: The potential impact is high if the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. A severe or catastrophic adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (ii) result in major damage to organizational assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious life threatening injuries.

Source: Developed by authors based on information from Stine et al. (2008).
1 Adverse effects on individuals may include, but are not limited to, loss of the privacy to which individuals are entitled under law.

This approach of directly mapping a limited set of data security tiers to a similar set of information systems, and to a broader set of data management guidelines, is common among institutions charged with safeguarding data used for a wide variety of research-related purposes (Levenstein et al. 2018; Sweeney et al. 2015). We reviewed the data classification policies of 20 U.S.-based research universities and found that half use a three-tiered approach, nine use four tiers, and one institution uses a five-tier system (Table 5).

FIGURE 2. The relationship between data risks and security standards [figure not reproduced; its axes are risk to subject and standard “strictness”]. Source: Developed by authors.

TABLE 5. Data security classifications used by selected U.S. research universities

INSTITUTION | NUMBER OF TIERS | NAMES OF TIERS
Boston Univ. | 4 | Restricted Use, Confidential, Internal, Public
Carnegie Mellon Univ. | 3 | Restricted, Private, Public
Colorado University System | 3 | Highly Confidential, Confidential, Public
Columbia Univ. | 4 | Sensitive Data, Confidential Data, Internal Data, Public Data
Cornell Univ. | 3 | Confidential, Restricted, Public
Duke Univ. | 3 | Sensitive (High), Restricted (Medium), Public (Low)
Harvard Univ. | 5 | Level 5, Level 4, Level 3, Level 2, Level 1
Indiana Univ. | 4 | Critical, Restricted, University Internal, Public
New York Univ. | 3 | High Risk, Moderate Risk, Low Risk
Princeton Univ. | 4 | Restricted, Confidential, Unrestricted, Publically available
Univ. of California, Berkeley | 4 | Extreme, High, Moderate, Limited or None
Univ. of Chicago | 3 | High, Moderate, Low
Univ. of Florida | 3 | Restricted, Sensitive, Open
Univ. of Maryland | 4 | High, Elevated, Moderate, Low
Univ. of Massachusetts | 4 | Restricted Data, Confidential Data, Operational Use Only Data, Unclassified Data
Univ. of Michigan | 4 | Restricted, High, Moderate, Low
Univ. of Minnesota | 3 | Private-highly Restricted, Private-restricted, Public
Univ. of Virginia | 4 | Highly Sensitive, Moderately Sensitive, Internal Use, Public
Univ. of Washington | 3 | UW Confidential, Restricted, Public
Univ. of Wisconsin | 3 | High Risk, Moderate Risk, Low Risk

Source: Developed by authors based on information taken from on-line material posted by the respective universities.

In cases where institutions used four or more tiers, it was common for one of the tiers to pertain specifically to “internal” or “institutional” information. In at least two of these cases the additional tier was created to address specific state-based requirements for reporting employee information, such as salaries. The category names also varied, but in almost all cases the names of the categories were indicative of the degree of risk to the research subject or the institute hosting the research if the privacy of the data were to be compromised. Another less commonly considered dimension of the risk management framework is an organization’s security objective (NIST 2004).
For example, if the security objective for the information an organization is charged with managing is availability, then the technical and non-technical standards used to safeguard these data will be very different from those whose security objective is to protect confidentiality. This more nuanced approach provides more flexibility simply because practitioners are not required to fit all of their data under a single security objective category. NIST FIPS 199 (NIST 2004) demonstrates what the potential impacts to a subject or institution might look like if the security of information were to be compromised by juxtaposing the impacts with three security objectives: Confidentiality, Integrity, and Availability (Table 6).

TABLE 6. Data security objectives and the tiered consequences of a data breach

CONFIDENTIALITY: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. [44 U.S.C., SEC. 3542]
- LOW potential impact: The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
- MODERATE potential impact: The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
- HIGH potential impact: The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

INTEGRITY: Guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity. [44 U.S.C., SEC. 3542]
- LOW potential impact: The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
- MODERATE potential impact: The unauthorized modification or destruction of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
- HIGH potential impact: The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

AVAILABILITY: Ensuring timely and reliable access to and use of information. [44 U.S.C., SEC. 3542]
- LOW potential impact: The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
- MODERATE potential impact: The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
- HIGH potential impact: The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Source: Taken from NIST (2004, p. 6).

In short, we advocate for a three-tiered system because a finer-grained system, with more than three tiers, becomes impractical to implement, while a coarser-grained system, with fewer tiers, either does not afford sufficient protections to some data or makes protecting data prohibitively burdensome (e.g., expensive and complicated). For the purposes of this report, the primary security objective was confidentiality. Without specific examples of existing CGIAR data use agreements,3 we consider the number of impact categories and the general risk management framework described above to offer sufficient flexibility to address the majority, if not all, of the current risks associated with agricultural data. Importantly, by not being overly complicated, this approach also encourages better compliance by more closely reflecting what can be practically implemented by software developers and other technology partners.

3 Lacking access to a list of existing CGIAR data use agreements and good practices (as was promised), we drew on our (considerable) collective experience negotiating and implementing a broad range of data use agreements related to agricultural data when assessing the risk implications of a data security breach.

MAPPING THE CGIAR PLATFORM’S RESPONSIBLE DATA GUIDELINES TO TECHNICAL STANDARDS

The lack of a clear map between data privacy guidelines and a set of standards is among the causes of confusion for practitioners working to provide data services to the agricultural sector, and contributes to the lack of trust among various data producers/owners (Wiseman et al. 2019). The approach described in this section helps resolve some of the ambiguity around what is meant by the relatively high-level guidelines by mapping these guidelines to specific technical and non-technical standards. Our specific application of this approach involves mapping the 10 high-level functional guidelines described under the CGIAR’s Responsible Data Guidelines (CGIAR 2019) to specific standards and regulations (Table 2), based on the potential impact that could result if the confidentiality of the data (Table 3) that CGIAR is entrusted with managing were to be compromised (Figure 3). The work product of this approach is a mapping of each guideline (or guideline subcategory, if one existed)4 to relevant technical standards for each security tier (Figure 4). Because of the large size of this work, the complete mapping is presented as an appendix to this report.

FIGURE 3. A risk-based schema for mapping high-level CGIAR responsible data guidelines to specific data standards and regulations [figure not reproduced: guidelines for the data cycle are mapped, by risk level (high, medium, low), to the standards and regulations ISO/IEC 27001:2013, ISO/IEC 27002:2013, ISO/IEC 27017:2015, ISO/IEC 27018:2014, ISO/IEC 27701:2019, GDPR:2016, NIST 800-171 and NIST 800-122]
4 CGIAR guidelines and guideline subcategories are collectively referred to as “Tips”.

More concretely, the appendix lays out the guidelines-to-standards mapping. The first three columns identify the data management function, the high-level guideline, and, where relevant, a more specific sub-guideline (also referred to as “tips”) as described in the CGIAR’s Responsible Data Guidelines (CGIAR 2019). Columns four and five identify the specific standard (Table 2, Column 5) according to the three risk categories (Table 3, Column 4). In all cases there was an agreed set of standards for each of the CGIAR guidelines, and in most cases we were also able to differentiate those standards into the three risk tiers. Standards identified in a lower tier extend to the tiers above them; therefore, if no standard is listed in the high category, it is because that category inherits the Low or Medium standards. Mappings of agricultural data privacy governance, such as the CGIAR’s Responsible Data Guidelines (CGIAR 2019), to technical standards are at best rare and to our knowledge do not exist, which may make this mapping the first instance of its kind. The format and even the overarching goal of this approach draw heavily on examples from other fields, especially the healthcare profession. For example, the Health Insurance Portability and Accountability Act (HIPAA) (United States 1996) has governed the data privacy and security provisions for safeguarding medical information in the United States for over 20 years. Importantly, HIPAA is not prescriptive and therefore does not provide anything like a “check list” or a mapping of guidelines to standards that can be used to develop specific implementations. Several years after HIPAA was signed into law, the U.S. Department of Health and Human Services (DHHS) released the HIPAA Privacy Rule (Office for Civil Rights, HHS 2002) and HIPAA Security Rule (Centers for Medicare & Medicaid Services (CSM) 2003) to establish technical and non-technical standards and to operationalize the protection of an individual’s “electronic protected health information” (e-PHI). Recognizing the sensitivity of e-PHI and the increased risk of cyber-attacks, the DHHS Office for Civil Rights created a “Crosswalk Between HIPAA Security Rule and NIST Cybersecurity Framework” (DHHS 2014) in an attempt to address cybersecurity gaps and to help healthcare organizations increase their attention to securing health data. Our mapping closely reflects the crosswalk approach taken by the DHHS (Figure 4), in which higher-level data management functions contain categories and subcategories of increasingly specific recommended practices, which are mapped to specific standards.

FIGURE 4. An example of mapping CGIAR data functions and guidelines to specific data standards and regulations

FUNCTION | GUIDELINE | GUIDELINE SUBCATEGORY | TECHNICAL STANDARD
Storage & Analysis | Employ access control mechanisms | Use two factor or multifactor authentication | ISO/IEC 27001:2013 A.14.5, ISO/IEC 27002:2013 9.4.1 (B)(F), ISO/IEC 27017:2015 9.4.[1,2,4], NIST 800-171 3.5.3

Source: Developed by authors.

We recognize that there are important differences between the privacy concerns for healthcare data and the privacy concerns for agricultural data. That said, there are important lessons that can be learned by examining and selectively using approaches to data privacy and security from other sectors of the economy, and this is clearly one that translates well.
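As an added illustration (not part of the report or its appendix), the following Python puts the Table 3 tier criteria, the rule that standards listed in a lower tier extend to the tiers above it, and the section 2 rule that data may only be hosted on a system qualified for their tier into one runnable model. The Storage & Analysis row is transcribed from Figure 4 and placed in the low tier so that every tier inherits it (an assumption; the figure names no tier), the medium and high rows are labelled placeholders, and the FIPS 199 high-water-mark rule across the three security objectives of Table 6 is included as the general form of which the report's confidentiality-only case is one instance.

```python
"""Tier assignment (Table 3), hosting check (section 2) and tier-aware lookup of
mapped standards with lower-tier inheritance (section 3). Added example, not
the report's appendix; placeholder rows are marked as such."""
from dataclasses import dataclass

TIERS = ("low", "medium", "high")        # risk tiers, least to most stringent
IMPACT = ("low", "moderate", "high")     # FIPS 199 potential-impact levels


@dataclass(frozen=True)
class DatasetProfile:
    is_public: bool              # data are considered public
    fully_deidentified: bool     # direct identifiers removed
    contains_pii: bool           # personally identifiable information present
    harm_if_compromised: str     # "none", "significant" or "catastrophic"
    consent_to_publish: bool = False


def classify_tier(p: DatasetProfile) -> str:
    """Table 3 criteria, checked from most to least severe. Private data that are
    neither de-identified nor flagged as PII fall outside the table; treating
    them as high risk is this example's (conservative) assumption."""
    if p.contains_pii or p.harm_if_compromised == "catastrophic":
        return "high"
    publishable = p.fully_deidentified or p.consent_to_publish
    if p.is_public and publishable and p.harm_if_compromised == "none":
        return "low"
    if p.fully_deidentified:
        return "medium"
    return "high"


def overall_impact(objectives: dict) -> str:
    """FIPS 199 'high water mark': the largest impact level assigned to any of
    confidentiality, integrity or availability (Table 6) becomes the system's."""
    return max(objectives.values(), key=IMPACT.index)


def system_may_host(system_tier: str, data_tier: str) -> bool:
    """High-risk data belong only on systems qualified for high-risk data."""
    return TIERS.index(system_tier) >= TIERS.index(data_tier)


# One "tip" in the layout of Figure 4: (function, guideline, subcategory) ->
# {tier: [standards]}. The low-tier list is transcribed from Figure 4 (the figure
# gives no tier; placing it in 'low' so every tier inherits it is an assumption).
# The medium/high entries are constructed placeholders, not the appendix's rows.
MAPPING = {
    ("Storage & Analysis", "Employ access control mechanisms",
     "Use two factor or multifactor authentication"): {
        "low": ["ISO/IEC 27001:2013 A.14.5", "ISO/IEC 27002:2013 9.4.1 (B)(F)",
                "ISO/IEC 27017:2015 9.4.[1,2,4]", "NIST 800-171 3.5.3"],
        "medium": ["PLACEHOLDER medium-tier control"],
        "high": ["PLACEHOLDER high-tier control"],
    },
}


def standards_for(tip, tier):
    """Standards listed in a lower tier extend to the tiers above it; a tier with
    no row of its own therefore inherits everything below (section 3)."""
    rows = MAPPING[tip]
    out = []
    for t in TIERS[: TIERS.index(tier) + 1]:
        for std in rows.get(t, []):
            if std not in out:
                out.append(std)
    return out


def required_standards(profile: DatasetProfile, tip):
    """End to end: classify the dataset, then resolve what the tip requires of it."""
    tier = classify_tier(profile)
    return tier, standards_for(tip, tier)
```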
Another important lesson learned from the healthcare sector is that practical guidance describing more specifically how to protect certain types of healthcare data lagged well behind the laws designed to protect these data. This is an important consideration, especially in light of the many voluntary codes of conduct and the increasing number of contractual arrangements with customized data use agreements (DUAs) that currently govern the use of a great deal of agricultural related data. Beginning to define and standardize approaches for safeguarding agricultural data is a good first step, not only to help develop trust between data producers/owners and agricultural researchers, but also because a standards-based approach can help application developers and data repository managers build systems that maximize the benefits of the current agricultural data deluge while also respecting and protecting its privacy. While the measures described here are specifically focused on addressing the requirements of the CGIAR Platform’s Responsible Data Guidelines, the general approach could serve as an example of how emerging agricultural data governance could be linked to well-known data protection standards.

TABLE 7. An example of mapping HIPAA security standards and implementation specifications to NIST cybersecurity categories

FUNCTION | CATEGORY | SUBCATEGORY | RELEVANT CONTROL MAPPINGS1
PROTECT | | PR.DS-7: The development and testing environment(s) are separate from the production environment | COBIT 5 BAI07.04; ISO/IEC 27001:2013 A.12.1.4; NIST SP 800-53 Rev. 4 CM-2; HIPAA Security Rule 45 C.F.R. § 164.308(a)(4)
PROTECT | Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets. | PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained | CCS CSC 3, 10; COBIT 5 BAI10.01, BAI10.02, BAI10.03, BAI10.05; ISA 62443-2-1:2009 4.3.4.3.2, 4.3.4.3.3; ISA 62443-3-3:2013 SR 7.6; ISO/IEC 27001:2013 A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4; NIST SP 800-53 Rev. 4 CM-2, CM-3, CM-4, CM-5, CM-6, CM-7, CM-9, SA-10; HIPAA Security Rule 45 C.F.R. §§ 164.308(a)(8), 164.308(a)(7)(i), 164.308(a)(7)(ii)

Source: DHHS (2014).
1 Mappings to other standards come from the NIST Cybersecurity Framework, Appendix A and are provided for reference.

CONCLUSION

Agricultural innovation is a global enterprise, and data-centric approaches are increasingly being used to unlock the gains that we should expect from these innovations. That said, justifiable concerns regarding the way that the privacy of agricultural data is, or is not, being protected limit the availability of these data for the public good. Such concerns highlight the need for the development of consensus concerning how data privacy is governed in the agricultural sector. More to the point, this consensus will likely come by mapping data management guidelines to well-known technical and non-technical standards, so that data owners better understand how their privacy is being protected and can more objectively compare one approach to another. This mapping of guidelines to standards should be considered in light of risks. The agriculture sector involves a large and diverse set of stakeholders, and so a one-size-fits-all approach to addressing privacy will not effectively address stakeholder concerns.
Moreover, it will likely inhibit rather than advance the movement of data into the public domain by applying strong technical and administrative controls where they may not be needed. The implementation of data management standards is best considered according to the type of data being managed and the risks posed to stakeholders if those data were no longer private. While this approach is more nuanced, frameworks for assessing such risks and applying appropriate standards to manage the privacy of data already exist and can be used as a basis for future work in the agricultural sector. Good examples of how to balance privacy needs with the interest in making agricultural data more accessible for serving the public good can be found in the healthcare sector in particular. The specific implementation details will certainly differ when applied to cases related to agriculture, but the overarching framework does not need to be reinvented. Waiting to do something should not be considered an option. Data management guidelines linked to common technical standards, considered in light of the tiered risks posed by breaches in data security, will help develop trust among stakeholders and advance the innovation promised by the Big Data revolution in agriculture.

REFERENCES

AFBF (American Farm Bureau). 2016. “Privacy And Security Principles For Farm Data.” 1–3. https://www.fb.org/issues/technology/data-privacy/privacy-and-security-principles-for-farm-data (September 7, 2018).

African Union. 2014. African Union Convention on Cyber Security and Personal Data Protection. June 2014. https://au.int/en/treaties/african-union-convention-cyber-security-and-personal-data-protection.

Anonymous. 2016. “New Zealand Farm Data Code of Practice, Version 1.1.” http://www.farmdatacode.org.nz/wp-content/uploads/2016/03/Farm-Data-Code-of-Practice-Version-1.1_lowres_singles.pdf (February 14, 2020).

———. 2018.
“EU Code of Conduct on Agricultural Data Sharing by Contractual Agreement.” 19. http://cema-agri.org/sites/default/files/publications/EU_Code_2018_web_version.pdf (September 7, 2018).

Archer, Joan K., and Cordero A. Delgadillo. 2016. “Key Data Ownership, Privacy and Protection Issues and Strategies for the International Precision Agriculture Industry.” In 13th International Conference on Precision Agriculture, 17. https://info.publicintelligence.net/FBI- (September 7, 2018).

Beckerman, Michael. 2019. “Opinion | Americans Will Pay a Price for State Privacy Laws.” The New York Times. https://www.nytimes.com/2019/10/14/opinion/state-privacy-laws.html (February 15, 2020).

Binenbaum, Eran, et al. 2003. “South-North Trade, Intellectual Property Jurisdictions, and Freedom to Operate in Agricultural Research on Staple Crops.” Economic Development and Cultural Change 51(2): 309–35. https://www.journals.uchicago.edu/doi/10.1086/346177 (February 18, 2020).

Centers for Medicare & Medicaid Services (CSM), HHS. 2003. “Health Insurance Reform: Security Standards. Final Rule.” Federal Register 68(34): 8334–81. http://www.ncbi.nlm.nih.gov/pubmed/12596712 (March 6, 2020).

CGIAR. 2014. “CGIAR Open Access and Data Management Policy.” 2013–16. https://cgspace.cgiar.org/bitstream/handle/10947/2875/CGIAR OA Policy - October 2 2013 - Approved by Consortium Board.pdf?sequence=4 (February 26, 2020).

———. 2020. “Responsible Data Guidelines: Managing Privacy and Personally Identifiable Information in the Research Project Data Lifecycle.” CGIAR Platform for Big Data in Agriculture. https://bigdata.cgiar.org/responsible-data-guidelines/ (February 14, 2019).

D’Arcy, John, and Gwen Greene. 2014. “Security Culture and the Employment Relationship as Drivers of Employees’ Security Compliance.” Information Management & Computer Security 22(5): 474–89. https://www.emerald.com/insight/content/doi/10.1108/IMCS-08-2013-0057/full/html (March 6, 2020).
DHHS (Department of Health and Human Services). 2014. HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework. https://www.hhs.gov/sites/default/files/nist-csf-to-hipaa-security-rule-crosswalk-02-22-2016-final.pdf (March 6, 2020).

FCC (Farm Credit Canada). 2019. “Producers Embrace Technology, but Want Control over Their Data, FCC Survey.” https://www.fcc-fac.ca/en/about-fcc/media-newsroom/news-releases/2019/producers-embrace-technology-but-want-control-over-their-data.html (February 18, 2020).

Ferris, Jody L. 2017. “Data Privacy and Protection in the Agriculture Industry: Is Federal Regulation Necessary?” Minnesota Journal of Law, Science & Technology 18: 309. https://scholarship.law.umn.edu/mjlst/vol18/iss1/6 (September 7, 2018).

GDPR (General Data Protection Regulation). 2016. “General Data Protection Regulation, Official Legal Text.” Brussels: European Commission. https://gdpr-info.eu/ (January 3, 2020).

Geller, Gail, Alison Boyce, Daniel E. Ford, and Jeremy Sugarman. 2010. “Beyond ‘Compliance’: The Role of Institutional Culture in Promoting Research Integrity.” Academic Medicine 85(8): 1296–1302. http://journals.lww.com/00001888-201008000-00013 (March 6, 2020).

GEMS Informatics Initiative. 2020. “FAIR(ER) Data.” Minneapolis-St Paul: University of Minnesota. https://agroinformatics.org/features/fair2-data/ (March 6, 2020).

Goldfarb, Avi, and Catherine Tucker. 2019. “Digital Economics.” Journal of Economic Literature 57(1): 3–43. https://pubs.aeaweb.org/doi/10.1257/jel.20171452 (February 14, 2020).

Gramm, Phil. 1999. “S.900 - 106th Congress (1999-2000): Gramm-Leach-Bliley Act.” https://www.congress.gov/bill/106th-congress/senate-bill/900 (February 14, 2020).

Herbold-Swalwell. 2018. “Ownership of Your Data a Big Deal.” Farm Progress. https://www.farmprogress.com/regulatory/ownership-your-data-big-deal (February 18, 2020).

Horvitz, Eric, and Deirdre Mulligan. 2015. “Policy Forum. Data, Privacy, and the Greater Good.” Science 349(6245): 253–55. http://www.ncbi.nlm.nih.gov/pubmed/26185242 (February 26, 2020).

Hu, Qing, Tamara Dinev, Paul Hart, and Donna Cooke. 2012. “Managing Employee Compliance with Information Security Policies: The Critical Role of Top Management and Organizational Culture.” Decision Sciences 43(4): 615–60. http://doi.wiley.com/10.1111/j.1540-5915.2012.00361.x (March 6, 2020).

ISO/IEC 27001. 2013. “Information technology — Security techniques — Information security management systems — Requirements.”

ISO/IEC 27002. 2013. “Information technology — Security techniques — Code of practice for information security controls.”

ISO/IEC 27017. 2015. “Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services.”

ISO/IEC 27018. 2014. “Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors.”

ISO/IEC 27701. 2019. “Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines.”

Janzen, Todd. 2018. “Do GDPR Protections Extend to Ag Data?” Janzen Ag Law. http://www.aglaw.us/janzenaglaw/2018/5/1/gdprs-impacts-on-ag-data-platforms (September 7, 2018).

———. 2019. “Do Farmers Still Care About Ag Data Privacy?” Janzen Ag Law. https://www.aglaw.us/janzenaglaw/2019/1/3/farmers-care-about-data (February 18, 2020).

Klitzman, Robert. 2011. “Views and Experiences of IRBs Concerning Research Integrity.” The Journal of Law, Medicine & Ethics 39(3): 513–28. http://journals.sagepub.com/doi/10.1111/j.1748-720X.2011.00618.x (March 6, 2020).

Klobuchar, Amy. 2018. “Text - S.2487 - 115th Congress (2017-2018): Agriculture Data Act of 2018.” https://www.congress.gov/bill/115th-congress/senate-bill/2487/text (February 15, 2020).

Lane, Julia, Victoria Stodden, Stefan Bender, and Helen Nissenbaum, eds. 2013. Privacy, Big Data, and the Public Good: Frameworks for Engagement. https://books.google.com/books?hl=en&lr=&id=giGmAwAAQBAJ&oi=fnd&pg=PR9&dq=is+public+access+to+data+good&ots=JRIX26e5pf&sig=EEOKCt84Fl7rVkn0-4RiG9QMN4A#v=onepage&q=is public access to data good&f=false (February 26, 2020).

Levenstein, Margaret C., Allison R. B. Tyler, and Johanna Davidson Bleckman. 2018. “The Researcher Passport: Improving Data Access and Confidentiality Protection.” https://deepblue.lib.umich.edu/handle/2027.42/143808 (March 5, 2020).

McCallister, Erika, Tim Grance, and Karen Kent. 2010. Special Publication 800-122: Guide to Protecting the Confidentiality of Personally Identifiable Information (PII). Gaithersburg, MD. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-122.pdf (February 22, 2020).

McIntosh, Matt. 2018. “The Legal Mess of Farm Data Ownership.” Farmtario. https://farmtario.com/machinery/the-legal-mess-of-farm-data-ownership/ (February 18, 2020).

NAS (National Academies of Sciences, Engineering, and Medicine). 2019. Science Breakthroughs to Advance Food and Agricultural Research by 2030. Washington, D.C.: The National Academies Press. https://www.nap.edu/catalog/25059/science-breakthroughs-to-advance-food-and-agricultural-research-by-2030 (October 3, 2018).

NIST (National Institute of Standards and Technology). 2004. “FIPS PUB 199: Standards for Security Categorization of Federal Information and Information Systems.” February 2004. https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.199.pdf (March 3, 2020).

Nottenburg, Carol, Philip G. Pardey, and Brian D. Wright. 2002. “Accessing Other People’s Technology for Non-Profit Research.” The Australian Journal of Agricultural and Resource Economics 46(3): 289–416. http://doi.wiley.com/10.1111/1467-8489.00185 (February 18, 2020).

NSF (National Science Foundation). 2002. “Dissemination and Sharing of Research Results.” Washington, D.C.: National Science Foundation. https://www.nsf.gov/bfa/dias/policy/dmp.jsp (March 9, 2020).

O’Keefe, Christine M., and Donald B. Rubin. 2015. “Individual Privacy versus Public Good: Protecting Confidentiality in Health Research.” Statistics in Medicine 34(23): 3081–3103. http://doi.wiley.com/10.1002/sim.6543 (February 26, 2020).

Office for Civil Rights, HHS. 2002. “Standards for Privacy of Individually Identifiable Health Information. Final Rule.” Federal Register 67(157): 53181–273. http://www.ncbi.nlm.nih.gov/pubmed/12180470 (March 6, 2020).

Pardey, Philip G., Connie Chan-Kang, Steven P. Dehmer, and Jason M. Beddow. 2016a. “Agricultural R&D Is on the Move.” Nature 537(7620): 301–3. http://www.nature.com/articles/537301a (February 18, 2020).

———. 2016b. “Supplementary Information to: Agricultural R&D Is on the Move.” Nature 537: 301–3. https://www.nature.com/news/polopoly_fs/7.39087.1473843554!/suppinfoFile/537301a-s1.pdf (March 6, 2020).

PFDD (Principles for Digital Development). n.d. “Principles: Address Privacy and Security.” https://digitalprinciples.org/principle/address-privacy-security/ (April 2020).

Redd, Kacy, et al. 2019. Accelerating Public Access to Research Data. Washington, D.C. https://www.aplu.org/projects-and-initiatives/research-science-and-technology/public-access/workshop-on-public-access-report-aplu-aau-2019.pdf (March 6, 2020).
Rodwin, Marc A., and John D. Abramson. 2012. “Clinical Trial Data as a Public Good.” JAMA 308(9): 871. http://jama.jamanetwork.com/article.aspx?doi=10.1001/jama.2012.9661 (February 26, 2020). Ross, Ron, Patrick Viscuso, Gary Guissanie, Kelley Dempsey and Mark Riddle. 2017. “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”. NIST SP 800-171. http://dx.doi. org/10.6028/NIST.SP.800-171. Sanderson, Jay, Leanne Wiseman, and Sam Poncini. 2018. “What’s behind the Ag-Data Logo? An Examination of Voluntary Agricultural-Data Codes of Practice.” International Journal of Rural Law and Policy 0(1): Article ID 6043. https://epress.lib.uts.edu.au/journals/index.php/ijrlp/article/view/6043 (September 7, 2019). State of MN. 2018. “Sec. 13.643 MN Statutes, Agricultural Data. Research, Monitoring, or Assessment Data.” https://www.revisor.mn.gov/statutes/cite/13.643 (February 15, 2020). Stine, Kevin et al. 2008. National Institute of Standards and Technology Special Publication 800-60 Volume I: Guide for Mapping Types of Information and Information Systems to Security Categories. Gaithersburg, MD. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-60v1r1.pdf (February 22, 2020). Stubbs, Megan. 2016. Big Data in U.S. Agriculture. www.crs.gov (September 6, 2018). Sweeney, L, Mercè Crosas, and M Bar-Sinia. 2015. “Sharing Sensitive Data with Confidence: The Datatags System.” Technology Science. Tafara, Ethiopis. “The Importance of Protecting ‘Privacy’ in the Age of Digital Data.” Digital Development. Washington, D.C.: World Bank, February, 2020. https://blogs.worldbank.org/digital-development/ importance-protecting-privacy-age-digital-data. UMN (University of Minnesota). 2020. “Know Your Data and How to Protect University Data.” Minneapolis: University of Minnesota . https://it.umn.edu/good-practice/know-your-data-how-protect-university (February 28, 2020). United States. 1996. 
“Health Insurance Portability and Accountability Act of 1996. Public Law 104-191.” United States statutes at large 110: 1936–2103. http://www.ncbi.nlm.nih.gov/pubmed/16477734 (March 6, 2020). ———. 2004. “The Health Insurance Portability and Accountability Act (HIPAA).” U.S. Dept. of Labor, Employee Benefits Security Administration. https://permanent.access.gpo.gov/gpo10291/fshipaa.html (February 14, 2020). ———. 2018. “Federal Trade Commission Act, Section 5 Unfair or Deceptive Acts or Practices.” https://www. fdic.gov/regulations/compliance/manual/7/vii-1.1.pdf (February 14, 2020). USDA-NIFA (USDA, National Institute for Food and Agriculture). 2019. Data Management Plan for NIFA- Funded Research, Education, and Extension Project. Washington, DC. https://nifa.usda.gov/sites/default/ files/resource/data-management-plan-for-research-education-extension-projects-20190926.pdf (March 9, 2020). Wilkinson, Mark D. et al. 2016. “The FAIR Guiding Principles for Scientific Data Management and Stewardship.” Scientific Data 3(1): 160018. http://www.nature.com/articles/sdata201618 (February 18, 2020). 31 Dealing with Data Privacy and Security to Support Agricultural R&D Wiseman, Leanne, Jay Sanderson, Airong Zhang, and Emma Jakku. 2019. “Farmers and Their Data: An Examination of Farmers’ Reluctance to Share Their Data through the Lens of the Laws Impacting Smart Farming.” NJAS - Wageningen Journal of Life Sciences: 100301. https://www.sciencedirect.com/science/ article/pii/S1573521418302616 (September 7, 2019). World Bank. “Personal Data Privacy” Washington, D.C.: World Bank, December 2018. https://policies.worldbank. org/sites/ppf3/PPFDocuments/Forms/DispPage.aspx?docid=15176fac-233e-4482-8e47-d0d82754b703 Wright, Brian D., and Philip G. Pardey. 2006. “The Evolving Rights to Intellectual Property Protection in the Agricultural Biosciences.” International Journal of Technology and Globalisation 2(1/2): 12. http://www. inderscience.com/link.php?id=9124 (February 18, 2020). 
APPENDIX. Mapping the CGIAR’s responsible data guidelines to relevant technical and non-technical standards for three security tiers

Columns of the original table: FUNCTION, GUIDELINE, SUBCATEGORY, RISK LEVEL (H = high, M = medium, L = low), APPLICABLE STANDARDS. Standards are cited as document, edition and clause (ISO/IEC “A.” clauses are Annex A controls; bracketed ranges such as 3.1.[1-22] span the listed clause numbers; NIST 800-122 clause 4.3 entries name the SP 800-53 controls it discusses). “(none listed)” marks a risk level left blank in the original table.

FUNCTION: Planning and Approval

Guideline: Create a Data Management Plan
- Identify the type and nature of PII
    H: (none listed)
    M: NIST 800-122 3.2.3; ISO/IEC 27001:2013 A.18.1.4
    L: GDPR Art 35
- Compliance requirements (including necessary forms for obtaining consent, and ethics clearance, if applicable)
    H: NIST 800-122 4.1.1; ISO/IEC 27701:2019 A.7.2.2, A.7.3.1
    M: GDPR Art 6
    L: ISO/IEC 27001:2013 A.18.1.1
- Legitimate research objectives that will be advanced by the PII
    H: ISO/IEC 27701:2019 A.7.2.[1,2]
    M: GDPR Art 13.1(c)
    L: (none listed)
- Foreseeable risks and consequences if participants are identified from the data
    H: (none listed)
    M: GDPR Art 24; ISO/IEC 27701:2019 A.7.2.5
    L: GDPR Art 35.1, 35.7
- Privacy protection measures for collection, storage, transfer and publishing
    H: ISO/IEC 27701:2019 A.7.4.4
    M: GDPR Art 46.1; NIST 800-122 4.1.1; ISO/IEC 27001:2013 A.18.1.3; ISO/IEC 27002:2013 6.1.5; ISO/IEC 27701:2019 A.7.2.6
    L: (none listed)
- Process for obtaining informed consent
    H: ISO/IEC 27701:2019 A.7.3.3
    M: GDPR Art 4.11; ISO/IEC 27701:2019 A.7.2.3
    L: (none listed)
- Timeframe or trigger for archiving or deletion of PII
    H: (none listed)
    M: GDPR Art 5.1(f); ISO/IEC 27701:2019 A.7.4.8
    L: (none listed)
- Employ stricter standards for research involving vulnerable populations (such as children or illiterate participants) or sensitive data (such as ethnicity or religious beliefs)
    H: (none listed)
    M: GDPR Art 36.1; ISO/IEC 27701:2019 A.7.2.3
    L: (none listed)
- Undertake due diligence of datasets previously collected by you or by third parties to ensure you are entitled/permitted to use them for your research project
    H: (none listed)
    M: GDPR Art 46.1, 46.2(e); ISO/IEC 27701:2019 A.7.2.6
    L: (none listed)

Guideline: Conduct internal assessment through IRB, legal, or ethics committee
    H: (none listed)
    M: GDPR Art 40.1, 40.2; NIST 800-122 4.2.2
    L: (none listed)

FUNCTION: Collection

Guideline: Ensure compatibility with the DMP-PII
    H: (none listed)
    M: GDPR Art 32
    L: (none listed)

Guideline: De-identify data to anonymize by default unless it will impair the data’s analytic potential, scientific utility or benefit to the participant
    H: NIST 800-122 4.2.3; ISO/IEC 27701:2019 A.7.4.5
    M: GDPR Art 25
    L: (none listed)

Guideline: If you cannot anonymize, minimize the PII and pseudonymize to reduce the disclosure risk
    H: NIST 800-122 4.2.3; ISO/IEC 27701:2019 A.7.4.5
    M: GDPR Art 25
    L: (none listed)

Guideline: Provide research participants sufficient information to use reasoned judgment to decide whether or not they wish to participate in the project
    H: NIST 800-122 2.3; ISO/IEC 27701:2019 A.7.3.3
    M: GDPR Art 7
    L: (none listed)

Guideline: Ensure informed consent is designed to address the following elements: competence, comprehension, full disclosure, voluntariness
    H: ISO/IEC 27701:2019 A.7.3.3
    M: GDPR Art 4.11, 7; ISO/IEC 27701:2019 A.7.2.4
    L: (none listed)
- Legitimate scientific purpose for which the PII is collected and scope of use (e.g. stored, transferred, published, and whether as anonymized, minimized or raw data)
    H: (none listed)
    M: GDPR Art 13.1(c); ISO/IEC 27701:2019 A.7.2.1
    L: (none listed)
- Foreseeable risk of privacy loss and consequences
    H: (none listed)
    M: GDPR Art 24, 35.1, 35.7
    L: (none listed)
- Meaningful alternatives, including opt-in protection/anonymization
    H: GDPR Art 4.11; ISO/IEC 27701:2019 A.7.3.5
    M: GDPR Art 4.11
    L: (none listed)
- Safeguards to protect privacy, conditions on which PII may be shared, and any limitations on reuse or third-party access and use of PII
    H: ISO/IEC 27701:2019 A.7.2.[6,7], B.8.5.3
    M: GDPR Art 13.1, 13.2
    L: (none listed)
- Permission to follow up or contact the participant, and for what purpose (including by third parties)
    H: ISO/IEC 27701:2019 B.8.2.3
    M: GDPR Art 7; ISO/IEC 27701:2019 A.7.3.[2,3,7]
    L: (none listed)
- Participant’s right to withdraw and rights regarding their data (e.g. to be informed; to access; to rectify; to object; to erase)
    H: (none listed)
    M: GDPR Art 7.3, 13.2(c); ISO/IEC 27701:2019 A.7.3.[4,5]
    L: (none listed)
- Inclusion of physical, phone and/or electronic contact (at least two forms of contact) that the participant can use to exercise her/his rights
    H: (none listed)
    M: GDPR Art 13.1(a); ISO/IEC 27701:2019 A.7.3.[4,5]
    L: (none listed)
- Explicit consent and participant’s acknowledgement of understanding
    H: (none listed)
    M: GDPR Art 7.1; ISO/IEC 27701:2019 A.7.2.4
    L: (none listed)
- If written, provide the participant a copy of the processed informed consent
    H: (none listed)
    M: GDPR Art 12.1; ISO/IEC 27701:2019 A.7.3.[3-4]
    L: (none listed)
- Use plain language and adapt informed consent to meet the needs of vulnerable populations (e.g. obtain orally or in the local language)
    H: (none listed)
    M: GDPR Art 7.2; ISO/IEC 27701:2019 A.7.2.4
    L: (none listed)

FUNCTION: Storage & Analysis

Guideline: Employ administrative safeguards to protect stored data through standardized practices
- Design organizational policies and procedures (and maintenance thereof) to protect PII, data, and access
    H: GDPR Art 5.1(f), 24.3, 25.3, 28.[5-6], 28.10, 31, 32.1(b), 32.[2-3], 35.9, 36.[1-2], 36.3(a-f), 36.5, 39.1(b), 40.1(a), 40.2(b-k), 40.[3-8]; ISO/IEC 27001:2013 4.2, 5.1, 5.2; ISO/IEC 27017:2015 5.1.1; ISO/IEC 27018:2014 0.6, 0.3(b), 5.1.1, 6.2, 6.2.1; ISO/IEC 27701:2019 5.2.[2-4], 5.4.[1-5], 6.5.2, 6.5.2.1, 6.15.1.1, 7.4.3; NIST 800-122 3.2.[1-6], 4.1.1, 4.2.1, 4.2.2, 4.2.4, 5.1, 17.1.[1-3]
    M: ISO/IEC 27002:2013 5.1, 5.2, 8.2.3; ISO/IEC 27017:2015 5, 5.1.[1-2], 8.1.1, 17.1.1, 18.1.1; ISO/IEC 27701:2019 7.4.3; NIST 800-122 3.2.[1-6], 4.1.1, 4.2.1, 4.2.2, 4.2.4; NIST 800-171 3.11.[1-3], 3.12.[1-4]
    L: ISO/IEC 27001:2013 5.1, 5.2, 8.[1-3], 9.[1-3]; ISO/IEC 27017:2015 5, 5.1.[1-2], 8.1.1, 17.1.1, 18.1.1; NIST 800-171 3.11.[1-3], 3.12.[1-4]
- Adhere to the DMP-PII, follow informed-consent regulations and organizational practices. Check that use of the data is compatible with the purpose specification and scope consented to by the research participant, including any limitations or authorizations they may have specified or should reasonably expect regarding the use of their PII
    H: GDPR Art 4.11, 5.1, 6.1, 12, 17, 18; ISO/IEC 27001:2013 4.2, A.18.1.[1-4]; ISO/IEC 27018:2014 0.3, 18, Annex A; ISO/IEC 27701:2019 6.15.1.1, 7.2.[1-6]; NIST 800-122 2.3, 4.1.1, 18, Appendix B
    M: GDPR Art 4.11, 5.1, 6.1, 12, 17, 18; ISO/IEC 27001:2013 A.18.1.[1-4]; ISO/IEC 27002:2013 18.1.[1-4]; ISO/IEC 27018:2014 18, Annex A
    L: ISO/IEC 27001:2013 A.18.1.[1-4]; ISO/IEC 27002:2013 18.1.[1-4]; ISO/IEC 27017:2015 18.[1-2]

Guideline: Ensure appropriate IT and security controls to protect the confidentiality of PII at rest and in transit
- Store data in secure locations, devices or servers
    H: GDPR Art 5.1(f), 6, 24.2, 27.1, 27.2(a-b), 27.[3-5], 32.1(a-c), 32.2, 37.1(a-c), 37.[2-7], 38.[1-6], 39.1(a-e), 39.2; ISO/IEC 27018:2014 9-12; ISO/IEC 27701:2019 6.1-6.15; NIST 800-122 3.2.6, 4.2.1, 4.3
    M: ISO/IEC 27002:2013 6.1.[1-2], 6.2.[1-2], 8.1.[1-4], 8.2.[1-3], 8.3.[1-3], 10.1.[1-2], 11.1.[1-6], 11.2.[1-9], 12.1.[1-4], 12.2.1, 12.3.1, 12.4.[1-4], 12.5.1, 12.6.[1-2], 13.1.[1-3], 14.1.[1-3], 14.2.[1-8]; ISO/IEC 27017:2015 8.1.1, 8.1.2, 8.2.2, 10.1.1, 10.1.2, 12.1.2, 12.1.3, 12.3.1, 12.4, 12.6.1, 13.1.3, 14.2.1, 15.1.[1-2], 18.1, 18.1.2, 18.1.3, 18.1.5; NIST 800-171 3.1.[1-22], 3.4.[1-9], 3.5.[1-11], 3.7.[1-6], 3.8.[1-9], 3.10.[1-6], 3.13.[1-16], 3.14.[1-7]
    L: ISO/IEC 27001:2013 A.8.1.[1-4], A.8.2.[1-3], A.8.3.[1-3], A.10.1.[1-2], A.11.1.[1-6], A.11.2.[1-9], A.12.[1-7], A.13.1.[1-3], A.13.2.[1-3], A.14.1.[1-3], A.14.2.[1-9]; ISO/IEC 27017:2015 8.1.1, 8.1.2, 8.2.2, 10.1.1, 10.1.2, 12.1.2, 12.1.3, 12.3.1, 12.4, 12.6.1, 13.1.3, 14.2.1, 15.1.[1-2], 18.1, 18.1.2, 18.1.3, 18.1.5; NIST 800-171 3.1.[1-2], 3.4.[1-2], 3.5.[1-2], 3.7.[1-2], 3.8.[1-3], 3.10.[1-2], 3.13.[1-2], 3.14.[1-3]
- Encryption in transit
    H: GDPR Art 6, 32; ISO/IEC 27018:2014 13.2, A.10.6; ISO/IEC 27701:2019 6.5.3.1, 6.7.1.1, 6.11.1.2, 6.15.1.5; NIST 800-122 4.3 (AC-17, MP-5, SC-9)
    M: ISO/IEC 27002:2013 14.1.2, 18.1.5; ISO/IEC 27017:2015 10.1.[1-2]; NIST 800-171 3.8.1, 3.8.6, 3.13.8, 3.13.10, 3.13.11
    L: ISO/IEC 27002:2013 10.1.[1-2], 13.2.1(f); ISO/IEC 27017:2015 10.1.[1-2]; NIST 800-171 3.8.1, 3.8.6, 3.13.8, 3.13.10, 3.13.11
- Encryption at rest
    H: GDPR Art 6.4, 32.1(a), Recitals 78 and 83; ISO/IEC 27018:2014 10.1.1.1; ISO/IEC 27701:2019 6.5.3.[1-3], 6.7.1.1; NIST 800-122 4.3 (MP-4, MP-5, SC-9, SC-28)
    M: ISO/IEC 27001:2013 A.8.2.3; ISO/IEC 27002:2013 8.3.1(d); ISO/IEC 27017:2015 8.3; NIST 800-171 3.8.1, 3.8.9, 3.13.16, 10.1.1
    L: ISO/IEC 27001:2013 A.8.2.3; ISO/IEC 27002:2013 8.3.1(d); ISO/IEC 27017:2015 8.3; NIST 800-171 3.8.1, 3.8.9, 3.13.16, 10.1.1
- Store encryption keys separately from data
    H: GDPR Art 6.4, 32.1(a), Recitals 78 and 83; ISO/IEC 27018:2014 10.1.1.1, 10.1.2; ISO/IEC 27701:2019 6.7.1.2; NIST 800-171 3.13.16
    M: ISO/IEC 27002:2013 10.1.2; NIST 800-171 3.13.10
    L: ISO/IEC 27002:2013 10.1.2; NIST 800-171 3.13.10

Guideline: Employ access control measures
- Limit system access to authorized users, processes owned by those users, and devices
    H: GDPR Art 32.4; ISO/IEC 27018:2014 9.[1-4], A.10.[8-13]; ISO/IEC 27701:2019 6.6.2; NIST 800-171 3.1.[1-22]; NIST 800-122 4.3 (AC-3, AC-5, AC-6)
    M: ISO/IEC 27017:2015 9.1.1-9.4.3; ISO/IEC 27002:2013 9.[1-2]; ISO/IEC 27018:2014 9.[1-4]; NIST 800-171 3.1.[1-22]
    L: ISO/IEC 27017:2015 9.1.1-9.4.3; ISO/IEC 27002:2013 9.[1-2]; ISO/IEC 27018:2014 9.[1-4]; NIST 800-171 3.1.[1-22]
- Limit information system access to the types of transactions and functions that authorized users are permitted to execute
    H: GDPR Art 32; ISO/IEC 27018:2014 A.10.[8-13]; ISO/IEC 27701:2019 6.6.2.3, 6.6.4.1; NIST 800-122 4.3
    M: GDPR Art 32; ISO/IEC 27001:2013 A.9.1.1, A.9.2.3, A.9.4.1, A.9.4.[4-5]; ISO/IEC 27002:2013 9.4.1, 9.4.[4-5], 14.2.5; NIST 800-171 3.1.[1-22]
    L: ISO/IEC 27001:2013 A.9.1.1, A.9.2.3, A.9.4.1, A.9.4.[4-5]; ISO/IEC 27002:2013 9.4.1, 9.4.[4-5], 14.2.5; ISO/IEC 27017:2015 9.2.3, 9.4.1, 9.4.4; NIST 800-171 3.1.[1-2]
- Use two-factor or multi-factor authentication
    H: GDPR Art 5.1(f), 25.2 (Recital 78), 32.[1-4] (Recital 83); ISO/IEC 27018:2014 9.4.1.[1,2,4]; ISO/IEC 27701:2019 6.6.4.2; NIST 800-122 4.3
    M: GDPR Art 5.1(f), 25.2 (Recital 78), 32.[1-4] (Recital 83); ISO/IEC 27018:2014 9.4.1.[1,2,4]; NIST 800-122 4.3
    L: ISO/IEC 27001:2013 A.9.1.1, A.9.4.2, A.9.4.4, A.13.2.3, A.14.1.2, A.14.5; ISO/IEC 27002:2013 9.4.1(b)(f), 9.4.2(d)(e), 9.4.4(a)(c); ISO/IEC 27017:2015 9.4.[1,2,4]; NIST 800-171 3.5.3, 3.7.5

Guideline: Use pro-privacy analytical tools
    H: GDPR Art 32; ISO/IEC 27018:2014 9.4.4; ISO/IEC 27002:2013 6.2.2; ISO/IEC 27701:2019; NIST 800-122
    M: ISO/IEC 27001:2013 A.9.4.4; ISO/IEC 27002:2013 9.4.4; ISO/IEC 27017:2015 9.4.4
    L: ISO/IEC 27001:2013 A.9.4.4; ISO/IEC 27002:2013 9.4.4; ISO/IEC 27017:2015 9.4.4

FUNCTION: Publishing & Discovery

Guideline: Maintain adherence to the DMP-PII
- Limit PII in public-use datasets
    H: GDPR Art 6.1; ISO/IEC 27018:2014; ISO/IEC 27701:2019 7.4, 7.4.[1-2]; NIST 800-122 4.2.1, 4.2.2, 4.2.3, 5
    M: GDPR Art 6.1; ISO/IEC 27001:2013 A.8.1.1, A.8.2.[1-2]; ISO/IEC 27017:2015 5.1.2; ISO/IEC 27701:2019 7.4, 7.4.[1-2]
    L: ISO/IEC 27001:2013 A.8.1.1, A.8.2.[1-2]; ISO/IEC 27002:2013 8.1.1, 8.2.1; ISO/IEC 27017:2015 8.1.1, 8.2.2; NIST 800-171 3.1.22
- Evaluate the likelihood of (re)identification
    H: GDPR Art 24; ISO/IEC 27018:2014 0.6, 5.1.1, 8, 17; ISO/IEC 27701:2019 6.5.1.1, 6.5.2.[1-3], 7.2.2, 7.2.5; NIST 800-122 3.2.1, 4.2.2, 6, 17.1.[1-3]
    M: ISO/IEC 27002:2013 8.2, 17.1; ISO/IEC 27017:2015 8.2, 17.1; NIST 800-171 3.11.1, 3.12.1; NIST 800-122 2.3, 3.2.1, 4.2.2
    L: ISO/IEC 27001:2013 8.1, 8.2, 9.2, 9.3, A.5.1.2, A.8.1.1, A.8.1.3, A.8.2.1, A.8.2.2, A.17.1.3, A.18.1.1, A.18.2.2; ISO/IEC 27002:2013 8.2, 17.1; ISO/IEC 27017:2015 8.2, 17.1; NIST 800-171 3.11.1, 3.12.1
- Indicate in metadata the availability of raw data or minimized data containing PII, if available bilaterally
    H: GDPR Art 15-22; ISO/IEC 27002:2013 8.1.[1-2], 8.2.[1-2]; ISO/IEC 27701:2019 6.2.2.[1-2], 7.3.[1-7], 8.2.6; NIST 800-122 4.3 (MP-3)
    M: GDPR Art 15-22; ISO/IEC 27002:2013 8.1.[1-2], 8.2.[1-2]; NIST 800-171 3.8.4
    L: ISO/IEC 27002:2013 8.1.[1-2], 8.2.[1-2]; ISO/IEC 27017:2015 8.1.[1-2], 8.2.2; NIST 800-171 3.8.4

FUNCTION: Archiving / Discarding

Guideline: Plan ahead for the data lifecycle by including planning and budgeting for archiving
    H: GDPR Art 25, 32.1(b), 32.2; ISO/IEC 27001:2013 4.2, 6.1.1, 6.2; ISO/IEC 27018:2014 0.6, 0.3(b); ISO/IEC 27701:2019 5.4, 5.5.[1-6], 7.4, 7.4.[1-8], 8.4; NIST 800-122 4.2.1
    M: ISO/IEC 27001:2013 4.2, 5.1, 6.1.1, 6.2, 7.1
    L: ISO/IEC 27001:2013 4.2, 5.1, 6.1.1, 6.2, 7.1

Guideline: Decide whether to delete or archive
- All copies of PII should be deleted once no longer needed
    H: GDPR Art 5.1, 6.1, 12, 17; ISO/IEC 27001:2013 4.2; ISO/IEC 27018:2014 0.6, 0.3(b), A.9.3; ISO/IEC 27701:2019 7.4.5, 7.4.7, 7.4.8, 8.4.2; NIST 800-122 4.3 (MP-6)
    M: ISO/IEC 27001:2013 4.2; ISO/IEC 27701:2019 7.4.5, 7.4.7, 7.4.8, 8.4.2; NIST 800-171 3.8.3
    L: ISO/IEC 27001:2013 A.8.3.2, A.11.2.7; ISO/IEC 27002:2013 11.2.7; NIST 800-171 3.8.3
- (If archiving) Ensure compatibility with the DMP-PII
    H: GDPR Art 5.1(b), 6.1, 25.2 (Recital 39), 89(b); ISO/IEC 27001:2013 A.18.1.1; ISO/IEC 27018:2014; NIST 800-122 4.2.1, 4.2.2, 4.2.3
    M: GDPR Art 5.1(b), 6.1, 25.2 (Recital 39), 89(b); ISO/IEC 27001:2013 A.18.1.1; ISO/IEC 27017:2015 5.1.2
    L: ISO/IEC 27001:2013; NIST 800-171
- (If archiving) Ensure adequate security (as with storage best practices)
    H, M, L: the same standards as “Store data in secure locations, devices or servers” under Storage & Analysis
- (If archiving) Maintain storage access controls
    H: GDPR Art 32; ISO/IEC 27018:2014 A.10.[8-13]; ISO/IEC 27701:2019 6.6.[1-4], 6.7, 6.7.1; NIST 800-122 4.3
    M: ISO/IEC 27001:2013 A.9.[1-5], A.10.1.[1-2]; ISO/IEC 27002:2013 9.[2-4], 10.1; ISO/IEC 27017:2015 9.1.[1-2], 9.2.[1-4], 9.4.1, 9.4.4, 10.1.[1-2]; NIST 800-171 3.1.[1-22], 3.10.[1-6]
    L: ISO/IEC 27001:2013 A.9.[1-5], A.10.1.[1-2]; ISO/IEC 27002:2013 9.[2-4], 10.1; ISO/IEC 27017:2015 9.1.[1-2], 9.2.[1-4], 9.4.1, 9.4.4, 10.1.[1-2]; NIST 800-171 3.1.[1-2], 3.10.[1-2]
- Future-proof your archives (don’t assume format longevity)
    H: GDPR Art 25.2, 32.1(b), 32.2, Recital 78; ISO/IEC 27018:2014 0.6, 8, 10.1.1, 12.3.1, A.6; ISO/IEC 27701:2019 5.4.2, 5.6.1; NIST 800-122 4.3 (MP-4)
    M: GDPR Art 25.2 (Recital 39); ISO/IEC 27001:2013 6.1.1, A.8.3.3, A.9, A.12.3.1, A.14.2.5; ISO/IEC 27002:2013 0.5, 8.1.1, 8.2.3, 8.3.1, 12.3; ISO/IEC 27017:2015 8.1.1; NIST 800-171 3.13.2
    L: ISO/IEC 27001:2013 6.1.1, A.8.3.3, A.9, A.12.3.1, A.14.2.5; ISO/IEC 27002:2013 0.5, 8.1.1, 8.2.3, 8.3.1, 12.3; ISO/IEC 27017:2015 8.1.1; NIST 800-171 3.13.2

FUNCTION: Reuse & Transfer

Guideline: Plan ahead for the potential of data reuse or transfer
- Re-evaluate the likelihood of (re)identification and the risk of harm, particularly if a public dataset containing PII is involved
    H: GDPR Art 5, 24, 35; ISO/IEC 27018:2014 0.6, 5.1.1, 8, 17; ISO/IEC 27701:2019 5.1, 5.7.2, 6.5.1.1, 6.5.2.[1-3], 7.2.2, 7.2.5; NIST 800-122 3.2.1, 4.2.2, 6, 17.1.[1-3]
    M: ISO/IEC 27001:2013 8.2; ISO/IEC 27002:2013 8.2, 17.1; ISO/IEC 27017:2015 8.2, 17.1; NIST 800-171 3.11.1, 3.12.1; NIST 800-122 2.3, 3.2.1, 4.2.2
    L: ISO/IEC 27001:2013 8.1, 8.2, 9.2, 9.3, A.5.1.2, A.8.1.1, A.8.1.3, A.8.2.1, A.8.2.2, A.17.1.3, A.18.1.1, A.18.2.2; ISO/IEC 27002:2013 8.2, 17.1; ISO/IEC 27017:2015 8.2, 17.1; NIST 800-171 3.11.1, 3.12.1
- Don’t reuse or transfer PII until any inconsistencies with the DMP-PII or purpose compatibility have been resolved (e.g. through an updated ethics review or consent from the participant)
    H: GDPR Art 5.1(b), 6.1, 24, 25.2 (Recital 39), 35, 89(b); ISO/IEC 27018:2014 0.3, 5.1.2, A.9.3; ISO/IEC 27701:2019 7.2.[1-4], 7.3.[1-10]; NIST 800-122 4.2.1, 4.2.2, 4.2.3, Appendix D
    M: GDPR Art 5.1(b), 6.1, 25.2 (Recital 39), 89(b); ISO/IEC 27001:2013 4.[1-2], 6.1, A.18.1.1; ISO/IEC 27017:2015 5.1.2
    L: ISO/IEC 27001:2013 4.[1-2], 6.1, A.18.1.1; ISO/IEC 27017:2015 5.1.2
- All copies of PII should be deleted once no longer needed
    H: GDPR Art 5.1(b), 25.2 (Recital 39), 89(b); ISO/IEC 27701:2019 7.4.7, 7.4.8, 8.4.[1-3]; ISO/IEC 27018:2014 A.10.7; NIST 800-122 (MP-6)
    M: GDPR Art 5.1(b), 25.2 (Recital 39), 89(b); ISO/IEC 27701:2019 7.4.7, 7.4.8, 8.4.2; ISO/IEC 27018:2014 A.9.3, A.10.7; NIST 800-122 (MP-6)
    L: (none listed)
- Implement a data sharing agreement, including scope of use, privacy protection measures, confidentiality and any limitations
    H: GDPR Art 6, 15, 17, 18, 20, 21, 23, 26; ISO/IEC 27018:2014 A.10.1; ISO/IEC 27701:2019 7.2.[1-5], 7.3.[1-10], 7.5.1; NIST 800-122 2.3, Appendix D
    M: GDPR Art 6, 15, 17, 18, 20, 21, 23, 26; ISO/IEC 27002:2013 13.2.[1-4], 14.1.[2-3]; ISO/IEC 27018:2014 A.10.1; NIST 800-122 2.3, Appendix D
    L: ISO/IEC 27001:2013 A.13.[1-3]; ISO/IEC 27002:2013 13.2.[1-4], 14.1.[2-3]
- Acquire explicit consent for transfer of data containing PII (as part of the original DMP and informed consent)
    H: GDPR Art 6.1, 7, 15.2, 19, 44; ISO/IEC 27018:2014 A.5.[1-2], A.7; ISO/IEC 27701:2019 7.2.[1-5], 7.3.[1-10], 7.5.1; NIST 800-122 2.1, 2.3
    M: GDPR Art 6, 19, 44; NIST 800-122 2.1, 2.3
    L: ISO/IEC 27001:2013 4.[1-2], 6.1, A.18.1.1; ISO/IEC 27002:2013 18.1.4; ISO/IEC 27017:2015 18.1.4

Guideline: Ensure appropriate IT and security controls to protect the confidentiality of PII at rest and in transit
- Ensure PII is stored securely (as above)
    H, M, L: the same standards as “Store data in secure locations, devices or servers” under Storage & Analysis
- Transfers of PII should be undertaken on a confidential basis subject to appropriate legal and technological controls, and pro-privacy analytical tools should be used whenever feasible
    H: GDPR Art 6, 44, 45, 46; ISO/IEC 27018:2014 8.1.1, 8.1.2, 8.2.2, 10.1.1, 10.1.2, 12.1.2, 12.1.3, 12.3.1, 12.4, 12.6.1, 13.1.3, 13.2.[1-4], 14.2.1, 15.1.[1-2], 18.1, 18.1.2, 18.1.3, 18.1.5; ISO/IEC 27701:2019 7.2.[1-4], 7.5.[1-4], 8.5.[1-8], A.7.5.[1-4]; NIST 800-122 4.1.1, 4.3 (SI-4), A.9.3
    M: ISO/IEC 27002:2013 10.1.[1-2], 13.2.[1-4], 14.1.[2-3]; ISO/IEC 27017:2015 8.1.1, 8.1.2, 8.2.2, 10.1.1, 10.1.2, 12.1.2, 12.1.3, 12.3.1, 12.4, 12.6.1, 13.1.3, 14.2.1, 15.1.[1-2], 18.1, 18.1.2, 18.1.3, 18.1.5; NIST 800-171 3.1.[1-2], 3.4.[1-2], 3.5.[1-2], 3.7.[1-2], 3.8.[1-3], 3.10.[1-2], 3.13.[1-2], 3.14.[1-3]
    L: ISO/IEC 27001:2013 A.8.3.3, A.13.2.[1-3]; ISO/IEC 27002:2013 10.1.[1-2], 13.2.[1-4], 14.1.[2-3]; ISO/IEC 27017:2015 10.1.[1-2]; NIST 800-171 3.8.1, 3.8.6, 3.13.8, 3.13.10, 3.13.11

FUNCTION: Review

Guideline: Regularly review institutional and other compliance requirements; review the compliance landscape and seek expert support
- Re-evaluate the likelihood of (re)identification
    H: GDPR Art 24; ISO/IEC 27018:2014 0.6, 5.1.1, 8, 17; ISO/IEC 27701:2019 5.1, 5.7.2, 6.5.1.1, 6.5.2.[1-3], 7.2.2, 7.2.5; NIST 800-122 3.2.1, 4.2.2, 6, 17.1.[1-3]
    M: ISO/IEC 27001:2013 8.1, 8.2, 9.2, 9.3, A.5.1.2, A.8.1.1, A.8.1.3, A.8.2.1, A.8.2.2, A.17.1.3, A.18.1.1, A.18.2.2; ISO/IEC 27002:2013 8.2, 17.1; ISO/IEC 27017:2015 8.2, 17.1; NIST 800-171 3.11.1, 3.12.1; NIST 800-122 2.3, 3.2.1, 4.2.2
    L: ISO/IEC 27001:2013 8.1, 8.2, 9.2, 9.3, A.5.1.2, A.8.1.1, A.8.1.3, A.8.2.1, A.8.2.2, A.17.1.3, A.18.1.1, A.18.2.2; ISO/IEC 27002:2013 8.2, 17.1; ISO/IEC 27017:2015 8.2, 17.1; NIST 800-171 3.11.1, 3.12.1

Source: Developed by authors.
Notes: Standards used in this mapping are described in Table 2 and security tiers in Table 5.
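The mapping above names the controls but not what they look like in practice. The following is an added worked example (written for this edition, not code from the report or from CGIAR) of two rows that recur across functions: “If you cannot anonymize, minimize the PII and pseudonymize” (Collection) and “Evaluate the likelihood of (re)identification” (Publishing & Discovery, Reuse & Transfer, Review). The survey records, field names and key are constructed for the illustration; the pseudonymization key is held apart from the data, in the spirit of the “store encryption keys separately from data” row. Re-identification risk is measured as k-anonymity over the quasi-identifiers, the simplest of the linkage-risk measures that NIST SP 800-122 §4.2 and ISO/IEC 27701 leave to the practitioner to choose.

```python
"""Pseudonymize a constructed farm-survey extract and measure re-identification risk.

Illustration added to the appendix; not part of the original report. Records,
field names and the key are constructed, and the controls cited in the table are
the reference, not this code.
"""
import hashlib
import hmac
from collections import Counter

# Constructed sample. name/phone are direct identifiers; village, crop and farm
# size are quasi-identifiers an outsider could learn from other sources.
RECORDS = [
    {"name": "A. Farmer", "phone": "+000-1001", "village": "Kibo", "crop": "maize",   "farm_size_ha": 1.2, "yield_kg": 910},
    {"name": "B. Farmer", "phone": "+000-1002", "village": "Kibo", "crop": "maize",   "farm_size_ha": 2.0, "yield_kg": 1340},
    {"name": "C. Farmer", "phone": "+000-1003", "village": "Kibo", "crop": "maize",   "farm_size_ha": 0.5, "yield_kg": 380},
    {"name": "D. Farmer", "phone": "+000-1004", "village": "Mara", "crop": "sorghum", "farm_size_ha": 3.0, "yield_kg": 1500},
    {"name": "E. Farmer", "phone": "+000-1005", "village": "Mara", "crop": "sorghum", "farm_size_ha": 4.5, "yield_kg": 2200},
    {"name": "F. Farmer", "phone": "+000-1006", "village": "Mara", "crop": "sorghum", "farm_size_ha": 1.0, "yield_kg": 620},
    {"name": "G. Farmer", "phone": "+000-1007", "village": "Mara", "crop": "maize",   "farm_size_ha": 6.0, "yield_kg": 4100},
]
DIRECT_IDENTIFIERS = ("name", "phone")
QUASI_IDENTIFIERS = ("village", "crop", "size_band")


def pseudonym(key: bytes, *identifiers: str) -> str:
    """Keyed pseudonym: HMAC-SHA-256 over the direct identifiers, truncated.

    The key lives outside the dataset (vault, KMS or HSM). Whoever holds only the
    released file cannot reverse the mapping or re-create it, while the research
    team can link follow-up waves by recomputing the same pseudonym. A plain hash
    would not do: names and phone numbers are low-entropy and can be brute-forced.
    """
    msg = "\x1f".join(identifiers).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def size_band(hectares: float) -> str:
    """Generalize the exact farm size into a coarse band (data minimization)."""
    if hectares < 1.0:
        return "<1 ha"
    if hectares < 5.0:
        return "1-5 ha"
    return ">=5 ha"


def pseudonymize(records, key: bytes):
    """Drop direct identifiers, keep a keyed participant_id, coarsen farm size."""
    released = []
    for r in records:
        released.append({
            "participant_id": pseudonym(key, *(r[f] for f in DIRECT_IDENTIFIERS)),
            "village": r["village"],
            "crop": r["crop"],
            "size_band": size_band(r["farm_size_ha"]),
            "yield_kg": r["yield_kg"],
        })
    return released


def equivalence_classes(records, quasi=QUASI_IDENTIFIERS) -> Counter:
    """Count records that share the same quasi-identifier combination."""
    return Counter(tuple(r[q] for q in quasi) for r in records)


def k_anonymity(records, quasi=QUASI_IDENTIFIERS) -> int:
    """Smallest equivalence class. k = 1 means some record is unique on attributes
    an adversary may already know, so it is re-identifiable by linkage even though
    name and phone are gone."""
    return min(equivalence_classes(records, quasi).values())


def suppress_small_classes(records, k: int, quasi=QUASI_IDENTIFIERS):
    """Withhold records whose quasi-identifier combination occurs fewer than k times.
    Suppression is the bluntest remedy; coarser generalization (e.g. village to
    district) is the alternative when too many rows would be lost."""
    classes = equivalence_classes(records, quasi)
    return [r for r in records if classes[tuple(r[q] for q in quasi)] >= k]


if __name__ == "__main__":
    key = b"constructed-demo-key-keep-out-of-the-dataset"  # assumption: fetched from a vault in practice
    released = pseudonymize(RECORDS, key)
    print("k before suppression:", k_anonymity(released))
    safe = suppress_small_classes(released, k=2)
    print("k after suppression:", k_anonymity(safe), "rows kept:", len(safe))
```

On the constructed sample, removing name and phone still leaves two participants unique on (village, crop, size band), so the extract is only 1-anonymous; withholding those two rows gives a 2-anonymous release of five records. The point for the mapping table is that the pseudonymization row and the re-identification row are one control in practice: the keyed pseudonym handles direct identifiers, and the k-anonymity check is what tells you whether the quasi-identifiers that remain still need generalizing or suppressing before publication, transfer or reuse.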