Per Article 30 of the European Union General Data Protection Act, this report documents Open Humans personal data processing activities in writing. Because our platform enables users to create new personal data inputs and outputs, we maintain a semi-automated report based on the current active projects.

Name & contact details

Data controller is the Open Humans Foundation, which manages the Open Humans platform:

Open Humans Foundation
500 Westover Dr #10553
Sanford, NC 27330
USA
email: support@openhumans.org
phone: +1-252-513-4188

Data protection officer is designated to be:

Mad Ball
Open Humans Foundation
500 Westover Dr #10553
Sanford, NC 27330
USA
email: support@openhumans.org
phone: +1-252-513-4188 Extension 1

European Union representative is designated to be:

Marja Pirttivaara, PhD, MBA
Sepontie, FI-02130 Espoo, Finland
email: marja.pirttivaara@gmail.com
phone: +358 40 766 2475

Purposes of personal data processing

Member-managed personal data sharing with third parties

Members can explicitly opt in to share selected personal data with arbitrary third-party projects that operate on the site. These projects include the following potential uses members may wish to have:

  • data analysis and exploration tools
  • data cleaning tools
  • data donations to research and citizen science projects

Contact and notification

Emails are collected from users to enable contact regarding events specific to their account, messages sent to them by other members or projects, and substantive changes to the site, as well as newsletters for users who opt in to receiving these.

Personalization

Users are invited to create and share the following public data to personalize their accounts within the community: username, name, profile picture, and "about me" text. Naming guidelines do not require individuals to divulge their real name.

Logging

The Open Humans site collects logs of web usage, which may contain personal data (e.g. IP address).

Categories of data subjects and personal data

Data subject categories

Members

Our primary data subjects consist of 7718 member accounts created on the site. Users are required to be 16 years of age or older. Account data may come from children only through an account managed by that child's legal guardian.

Site visitors

Individuals that visit the site and are not logged in may have personal data (IP address) collected within our logging.

Personal Data Categories

Account data

Primarily this is email address, which is private personal data. Users may also publicly share a name, username, profile picture, and "about me" information. These may be identifying but are not required to be.

Logging data

Primarily this contains IP addresses. This is collected by servers to enable us to audit usage and debug site issues.

Project data

Projects deposit data at the explicit opt-in behest of a member to their account. This data is typically personal data of diverse categories, and is known to include genetic data, location data, and other identifiable data.

The following project data sources are documented for Open Humans:

Categories of data recipients

Projects

Projects operated on the site are potential recipients of personal data. Data is only accessible by a project if a member explicitly opts in, joining the project and authorizing Open Humans to share one or more categories of personal data in their account.

Projects are required to follow the site terms of use, which include project guidelines that mandate secure practices and transparent communication with members, including the presence of identifiable data and potential risks. Projects undergo a community review process prior to being made broadly available to members.

The following project data recipients are documented for Open Humans:

Time limits for erasure

Account data and project data should be permanently deleted after 60 days, and are immediately removed from processing activities when requested by a member. Logging data should be permanently deleted after 120 days.

Security measures

Pseudonymization and encryption

Project data is shared with data recipient projects under randomly assigned project-specific identifiers. The data itself may or may not contain non-anonymous content. Projects are required by project guidelines to make members aware of identifiable features in data they offer to add to a member's account.

All interactions with the website and API are required to use SSL encryption. Data in the database and file storage is encrypted at rest.

Ensuring ongoing integrity and security of processing systems and operations

The site and other infrastructure are operated with major cloud services providers that provide up-to-date secure platforms for operating technical infrastructure. These service providers are: Heroku, Amazon Web Services, Google Cloud Services, and Digital Ocean.

The site software uses the Python/Django framework, is regularly updated to new releases, and is openly available for third-party inspection as an open source project.

Data preservation

Backups are automatically performed for account data on a daily basis, and are retained for a minimum of one month. Backups of project data occur automatically on a continuous basis and are retained for 60 days.

Security review

Projects are made broadly available on the site only after they pass a community review process. This provides an open forum for regular review of security measures in the platform and project operations. Open Humans also maintains a public community chatroom and open source repositories, encouraging discussion and feedback on potential improvements.