HORIZON 2020 – 101021851 – NESTOR                             D8.9 – GEN-Requirement No.9


Specifically, the EtAB consists of three members:

   •                            from KEMEA, who has been assigned with the role of PEO
       and chairs the Board,
   •                     , as an internal ethics expert from CENTRIC and
   •                          , as an external ethics advisor from VUB.

For reasons of completeness, it should be mentioned that                        had initially
undertaken the role of internal ethics expert from CENTRIC and then she was replaced by
              . In addition,                                is part of KEMEA’s ethics team
responsible for the ethics management of the NESTOR project and works in close collaboration
with the PEO.




©NESTOR Consortium                                                              Page 8 of 28

HORIZON 2020 – 101021851 – NESTOR                                  D8.9 – GEN-Requirement No.9




The EtAB was responsible for the ethical and legal monitoring of the project’s activities and its
aim was to ensure their compliance with the relevant applicable laws and ethical standards.
In this context, the role of the EtAB was to address all potential ethical and legal risks including
privacy risks and to prevent or mitigate them by giving advice and guidance to the Consortium.
Therefore, the EtAB members participated in all project’s meetings and other project’s
activities and reviewed deliverables that could raise ethical or legal concerns. In order to plan
and distribute their work, they scheduled dedicated EtAB meetings. Extended reference is
made in Section 4 below.
The ethical challenges of NESTOR that had been identified from the proposal phase and have
been set out by the European Commission as post-grant requirements are related to the
following categories:

   •   Human beings;
   •   Protection of personal data;
   •   Environment, health and safety;
   •   Third countries;
   •   Dual use;
   •   Potential misuse of research results;
   •   General issues (EtAB reports).




©NESTOR Consortium                                                                    Page 9 of 28

HORIZON 2020 —- 101021851 — NESTOR D83.9 - GEN-Requirement No.9

3 COMPLIANCE WITH ETHICS REQUIREMENTS

All ethics requirements of the WP8 -including the present report- have been prepared by
KEMEA in close collaboration with the EtAB members and have been submitted as
deliverables.

In the following table, the deliverable number and title are outlined as well as the status of
every deliverable.

Table 1. Ethics Requirements submitted as Deliverables

Deliverable Number Deliverable Title SE 10109

 

3.1.1 Humans, Requirement No. 1

D8.1 H-Requirement No. 1 was focused on the research with humans and on the consent of
the participants which is the cornerstone for research ethics. The NESTOR research activities
included interviews, workshops/conferences/events and trainings/pilot demonstrations. In
this context, the informed consent procedures were described both for the participation of
humans in the project’s research activities and for the processing of their personal data. It was
highlighted that the participation would be on a voluntary basis based on consent and the
participants would be well informed about the research details before deciding whether they
wish to take part and whether they agree with the processing of their personal data by also
having the right to withdraw their consent at any time without any consequences. Templates
of Information Sheets and Informed Consent Forms were prepared and were included in D8.1.
The informed consent procedure was followed for each type of research activity based on
the relevant templates that were modified each time accordingly.

The recruitment criteria (inclusion and exclusion criteria) for the participation of humans in
the pilot demonstrations were presented. It was also confirmed by the NESTOR partners that
children, adults unable to give their informed consent, or other vulnerable individuals/groups
would not be involved in the pilot demonstrations. As confirmed, no children, adults unable
to give their informed consent or other vulnerable individuals/groups were involved in the
project’s research activities.

Finally, given that, apart from the planned findings, also unintended / incidental findings could
occur during the carrying out of some testing activities and pilot demonstrations, an Incidental

©NESTOR Consortium Page 10 of 28

HORIZON 2020 – 101021851 – NESTOR                              D8.9 – GEN-Requirement No.9


Findings Policy was drafted which included the types of anticipated incidental findings and the
procedures to be followed by the NESTOR Consortium upon their detection. Depending on
the nature of the findings, different procedures would be followed ad hoc in accordance with
the relevant international, European and national legislation. Upon detection of incidental
findings, consultation by the PEO and the EtAB would be sought. The reporting procedures
would be followed in accordance with the relevant applicable national laws. The participation
of public authorities in the project constituted an additional safeguard to the rights and
freedoms of the individuals. No incidental findings, either anticipated or unanticipated, were
identified during the lifetime of the project.

Ethics Guidelines (see in the Annex of D1.6) that included obligations related to human
participation and incidental findings were circulated to the Consortium prior to the start of
each pilot demonstration. Compliance was monitored by the PEO that was present during
the pilot demonstrations.

3.1.2 Humans, Requirement No. 2

According to D8.2 H-Requirement No. 2, the NESTOR partners that were obliged by law to
establish an ethics committee should provide a copy of opinion/approval by their committee
prior to the start of research activities with humans. In absence of an ethics committee, the
NESTOR partners should provide a relevant opinion/approval by a competent authority.
In NESTOR, four partners                                          have established an ethics
committee as required by their national legislations.
                                                                                 . The ethics
committees of                              are not competent to issue approvals for the types
of research activities conducted by these partners during the lifetime of the NESTOR project.
Therefore, a declaration of compliance was signed by                                to ensure
that applicable laws and ethics standards will be respected when carrying out research
activities with humans.
DBAM did not conduct research with humans as part of the NESTOR project. Nevertheless,
this partner signed a declaration of compliance considering its participation in a scientific
research project.
The remaining NESTOR partners signed a declaration of compliance where they confirmed (a)
that there was no obligation by national law to establish an ethics committee and that they
were not subject to a competent authority and (b) that they would conduct research activities
with humans by respecting the relevant applicable legislation and ethics standards.
All project’s research activities that involved human participants were conducted in
accordance with the applicable legislation and ethical standards. Ethics Guidelines (see in
the Annex of D1.6) that included the relevant obligations were circulated to the Consortium
prior to the start of each pilot demonstration. Compliance was monitored by the PEO that
was present during the pilot demonstrations.


©NESTOR Consortium                                                               Page 11 of 28

HORIZON 2020 – 101021851 – NESTOR                               D8.9 – GEN-Requirement No.9


3.1.3 Protection of Personal Data, Requirement No. 3

D8.3 POPD-Requirement No.3 included information and confirmations provided by the
NESTOR partners with respect to the necessary procedures that are stipulated by the GDPR,
national data protection laws and relevant guidelines and aim to ensure protection of personal
data and to safeguard the data subject’s rights and freedoms. In particular:
1. In compliance with the respective GDPR requirement, the NESTOR partners that were
obliged by law to appoint a Data Protection Officer provided the contact details of their DPO.
In case the NESTOR partners were not required by law to have designated a DPO, their detailed
data protection policy for the project was included in that deliverable.
2. The technical and organisational measures for the protection of personal data as well as the
security measures for the prevention of accidental or unlawful destruction, loss, alteration,
unauthorised disclosure or access or transfer of personal data were described by each NESTOR
partner separately.
3. The pseudonymisation/anonymisation techniques that were implemented by specific
NESTOR partners (CENTRIC, CERTH) were also included in that deliverable.
4. With respect to data transfers to/from non-EU countries, the relevant confirmations were
included in that deliverable. Any transfer of personal data from the EU partners to CENTRIC
(UK), to DBAM (Republic of North Macedonia), or to DCD (Switzerland) was in compliance with
the relevant Chapter V of the GDPR. Any transfer of personal data from CENTRIC, DBAM, or
DCD was in compliance with the national data protection legislations.
5. In case of further processing of previously collected personal data during the research
period, the NESTOR partners involved in secondary use of personal data (KEMEA, CENTRIC and
CERTH) declared the lawful basis and described the technical and organisational measures
that would be implemented.
6. With respect to processing that constitutes profiling, such processing was not carried out in
the context of the NESTOR project. The data processing operations that were performed by
CENTRIC and CERTH as part of T3.4 were not considered automated given that human
oversight and human intervention were ensured. Nevertheless, extended reference to the
possible consequences of these data processing operations and to the appropriate safeguards
was made in that deliverable as part of the assessment and evaluation of the ethics risks that
required a data protection impact assessment.
7. In case of the use of publicly available data (non-personal or personal) during the research
period, the NESTOR partners involved in such use provided the necessary confirmations.
8. An assessment and evaluation of the ethics/privacy risks was carried out which took into
consideration each data processing operation separately. Following the risk assessment and
evaluation, an opinion was drafted which considered necessary the conducting of a data
protection impact assessment in two cases: (a) for the web monitoring operated by CENTRIC
as part of T3.4 and (b) for the social media monitoring operated by CERTH as part of T3.4.

©NESTOR Consortium                                                                Page 12 of 28

HORIZON 2020 – 101021851 – NESTOR                             D8.9 – GEN-Requirement No.9


Albeit not mandatory according to the GDPR requirements, CERTH also included the data
processing operations as part of T3.1 in their carried out DPIA.
The DPIA conducted by CERTH can be found in Appendix C of D8.3. The DPIA of CENTRIC was
in progress at the time of D8.3’s submission, but it was finalised prior to the start of the
relevant data processing operations (web monitoring services) and was included in D1.5
Ethics and Societal Issues Management Initial Report. Based on the implemented measures
and according to CENTRIC’s and CERTH’s Data Protection Officers, the output of each DPIA
was that no high risks were anticipated for the rights and freedoms of the data subjects.
Considering that the DPIA is a living document, CENTRIC and CERTH were requested to
review the content and make updates, if needed. CERTH’s updated DPIA, as reviewed by
that partner’s DPO, can be found in the Annex of D1.6.
Ethics Guidelines (see in the Annex of D1.6) that included obligations related to personal
data protection were circulated to the Consortium prior to the start of each pilot
demonstration. The Consortium strictly followed the applicable international, European and
national laws to ensure a high level of personal data protection. Compliance was monitored
by the PEO that was present during the pilot demonstrations.

3.1.4 Third Countries, Requirement No. 4
D8.4 NEC-Requirement no. 4 was focused on research that involved non-EU countries and on
specific requirements that should be met in that case.
In the second chapter it was explained that fair-benefit sharing arrangements were not
required in the NESTOR project since neither low-income countries nor lower-middle income
countries participated in NESTOR, hence, this requirement was rendered not applicable.
The third chapter was focused on the materials that would be imported to or exported from
a non-EU country during the lifecycle of the project. It was clarified that no materials were
planned to be imported to non-EU countries.




    the necessary export authorisations were timely obtained, and their copies were included
in D8.6 DU - Requirement No. 6.
For the avoidance of overlaps, this deliverable did not include information about the
import/export of personal data given that extended reference to all personal data related
issues including data transfers from/to non-EU countries was made in D8.3 POPD-
Requirement No.3 as explained previously.
Ethics Guidelines (see in the Annex of D1.6) that included obligations related to the
import/export of materials and personal data were circulated to the Consortium prior to the
start of each pilot demonstration. The Consortium strictly followed the applicable
international, European and national laws. Compliance was monitored by the PEO that was
present during the pilot demonstrations.

©NESTOR Consortium                                                             Page 13 of 28

HORIZON 2020 – 101021851 – NESTOR                                D8.9 – GEN-Requirement No.9


3.1.5 Environmental Protection and Safety, Requirement No. 5

D8.5 EPQ-Requirement No.5 was focused on research activities that could entail risks related
to the health and safety of the staff and the research participants. Depending on the types of
the risks that were identified, adequate and effective mitigating measures should be in
accordance with the relevant EU and national laws.




Considering the operation of the aforementioned technologies and tools by certified and
experienced operators, the carrying-out of the activities in a controlled environment, security-
by-design functions of the technologies and tools and the procedures that were followed by
the operators themselves and by the entire Consortium, as they were presented in that
deliverable, in accordance with the applicable international, EU and national laws and with
the safety instructions issued by the manufacturers, the likelihood of harm appeared to be
remote, and the mitigating measures were considered to be adequate and effective. The
participation of trained staff and of highly qualified LEA staff members constituted an
additional safeguard and were an indicator that each pilot demonstration would be performed
with professionalism under the safest conditions.
Health risks related to the COVID-19 pandemic were also taken into consideration. Albeit the
Consortium was fully aware of the anti-COVID measures, and all partners were already
implementing those measures internally, due to its nature this specific risk did not allow us to
feel certain about the effectiveness of the mitigation actions. The Consortium committed to
take all appropriate measures in accordance with the relevant local rules and guidelines as
they were constantly updated and to exclude from the recruitment process any participants
with COVID-19 symptoms or, if necessary, depending on the circumstances, any participants
that were not medically tested prior to the start of a research activity. The research activities
that could not be carried out remotely would involve a low number of participants (the
minimum number needed for the operation of the tools and technologies and for the project’s
objectives to be successfully served) for the avoidance of unnecessary assemblies.
Only rational and healthy adults that followed the informed consent procedure participated
in the pilot demonstrations and in all research activities. The Information Sheets that were
distributed to the research participants before the start of each pilot demonstration or other
©NESTOR Consortium                                                                Page 14 of 28

HORIZON 2020 – 101021851 – NESTOR                               D8.9 – GEN-Requirement No.9


testing activity included inter alia a separate section dedicated to the potential health and
safety risks and the mitigation actions as well as a relevant Annex which offered a more
detailed description of the health and safety procedures. Informed Consent Forms were
signed afterwards provided that the participants had read, understood and agreed with the
information given to them.
Ethics Guidelines (see in the Annex of D1.6) that included health and safety obligations were
circulated to the Consortium prior to the start of each pilot demonstration. The Consortium
strictly followed the applicable international, European and national laws and the safety
instructions to ensure a high level of protection and none of the aforementioned risks
occurred during the project’s research activities. Compliance was monitored by the PEO that
was present during the pilot demonstrations.

3.1.6 Dual-Use, Requirement No. 6

D8.6 DU-Requirement No. 6 included detailed information regarding the use, production or
development of dual-use goods, software and technology in the sense of the Regulation
2021/821 within the NESTOR project, based on the input provided by all partners through the
relevant questionnaire. It was demonstrated that three partners deal with dual-use items
while the other members of the NESTOR Consortium have clarified that they do not produce
nor develop any dual-use items. For the three non-EU partners that deliverable was not
applicable.
It was explained that there would be no export from EU to non-EU countries, as foreseen in
the Regulation 2021/821, given that the NESTOR trials where the transferred items were
utilised took place in the territory of the Union (Lithuania, Cyprus and Greece). The only
applicable case was that of intra-Union transfers;




                               In addition, it was clarified that no transfer of dual-use items
would take place between the NESTOR Consortium and the External Advisory Board members.

D8.6 also outlined the potential dual-use implications and the risk-mitigation strategy. In view
of the limited potential implications, the mitigation measures were identified. It is worth
mentioning that for the above-mentioned three items, the responsible partners had already
taken all appropriate measures to obtain the relevant authorisations (where needed).



©NESTOR Consortium                                                                Page 15 of 28

HORIZON 2020 – 101021851 – NESTOR                                D8.9 – GEN-Requirement No.9


A dedicated section of D8.6 (section 6) was related to deliverable D8.4 NEC-Requirement No.4
and included the necessary copies of export licenses that were required for the transfer


Given that all deliverables of WP8 refer to the ethics requirements that should be fulfilled by
the NESTOR Consortium during the research period, in order to ensure compliance of the
research activities with applicable legal framework and ethics standards, it should be pointed
out that any transfers of dual-use items after the end of the project and potential implications
were out of the scope of D8.6 and have to be examined again under the new circumstances.
Nevertheless, it needs to be highlighted that the NESTOR research results will rely upon
existing technologies and market products and will build on the results of previous EU projects
with an exclusive focus on civil applications.

Ethics Guidelines (see in the Annex of D1.6) that included obligations related to dual use
were circulated to the Consortium prior to the start of each pilot demonstration. The
Consortium strictly followed the applicable international, European and national laws.
Compliance was monitored by the PEO that was present during the pilot demonstrations.

3.1.7 Misuse, Requirement No. 7

D8.7 M-Requirement No.7 explained the notion of ‘misuse’ to the NESTOR partners, included
a risk assessment as regards the technologies and knowledge generated or used during the
research that could be misused, i.e., could be used for unintended malicious and unethical
purposes and presents a mitigation strategy.
The potential undesirable events were identified and described by the Consortium, their
occurrence level was assessed by the risk holders after taking into consideration the nature of
the risks and the effectiveness of the preventive procedures already established in the
NESTOR project (ex-ante mechanisms), the severity level was assessed after considering the
nature of the risks and their impact upon potential materialisation, the implemented
measures were described and, finally, their level of effectiveness was presented.
The identified risks belonged to the following three categories:

           •   Research provides knowledge and technologies that could be channeled into
               crime or terrorism;
           •   Research involves developing surveillance technologies that could curtail
               human rights and civil liberties;
           •   Research develops social or behavioural profiling technologies that could be
               misused to stigmatise, discriminate against, harass or intimidate people.
The risk related to research resulting in chemical, biological, radiological or nuclear weapons
and the means for their delivery was not applicable in the NESTOR research.
No vulnerable individuals or groups were involved in the project’s research activities as further
described in D8.1 H-Requirement No.1, hence, relevant risks were not identified.

©NESTOR Consortium                                                                Page 16 of 28

HORIZON 2020 – 101021851 – NESTOR                                 D8.9 – GEN-Requirement No.9


No automated decision making was involved, and human intervention and oversight were
ensured. NESTOR takes an intelligence-led approach to focus on detecting events that are
highly correlated with known illicit activity on the borders and there is always human-in-the-
loop decision making, hence, relevant risks were not identified.
The mitigation strategy included a variety of ex-ante and ex-post protective measures that
were considered effective and ensured a high level of security of any sensitive information
used or produced within the project. The ex-ante mechanisms were procedures that had been
already established and were collectively followed in the project for the prevention of all types
of potential risks of misuse, while the ex-post mechanisms were additional measures that
were implemented by the NESTOR Consortium collectively or the risk holders individually to
avoid potential materialisation of risks or to minimise their severity upon occurrence. The
Consortium took all necessary safeguards to prevent or mitigate the potential misuse of
technologies and knowledge generated or used during the project’s activities.
Ethics Guidelines (see in the Annex of D1.6) that included obligations related to the
prevention of potential misuse were circulated to the Consortium prior to the start of each
pilot demonstration. The Consortium strictly followed the misuse mitigation strategy
presented in D8.7. Compliance was monitored by the PEO that was present during the pilot
demonstrations.

3.1.8 General, Requirement No. 8

The purpose of D8.8 was to provide a report by the Ethics Advisory Board (EtAB) about how the
NESTOR Consortium dealt with any ethics issues in order to ensure compliance with ethical
standards, the H2020 guidelines and with applicable legislation.

In view of that, in Section 2 the composition of the Ethics Advisory Board was presented as well as
its role and function.

In Section 3 the compliance of the NESTOR Consortium with the WP8 ethics requirements was
described in detail.

In Section 4 the work progress and the role of the EtAB and its contribution until M12 were
outlined in a precise way.

Finally, in Section 5 the recommendations by the EtAB were included.

The EtAB devoted special attention and provided guidance to the Consortium in the form of
written guidelines or orally during the project meetings and other project’s events and activities.

All the information included in that deliverable was made available to the NESTOR Consortium
through a dedicated session during the 3rd Project Meeting on October 24-26, 2022, in Larnaca,
Cyprus.



©NESTOR Consortium                                                                  Page 17 of 28