The privacy monster
“I’m sending out a questionnaire to study personality development, do I have to deal with privacy?”
“I’m measuring CO2 in people’s houses, that’s not personal data right?”
“I want to use medical imaging data to improve the quality of those scans, am I allowed to do that?”
These and many more questions like this enter our inbox regularly. Alarm bells go off. Researchers realize: oh dear, now I have to deal with the GDPR[1]. I’ve seen this kind of response often, in both researchers and data support staff. As soon as personal data is on the table, more time is needed to plan a research project, more people need to be consulted, and more administrative work is usually involved. For researchers, taking privacy into account means that they need to spend valuable time and resources to make sure they are GDPR-compliant, and that they are limited in what they can and cannot do with the collected data. They experience the GDPR as a limitation, a monster to defeat before they can even start playing the game of research, let alone that of open science. Why, and what can we do about it?
The monster and scientific research
If you ask any privacy professional, they would tell you that the GDPR is actually very lenient in some respects when it comes to scientific research[2]. Some examples:
- Purpose limitation: further processing of personal data for research purposes is always compatible with the initial purpose of data collection, provided sufficient safeguards are in place (art. 5(1)(b)).
- Storage limitation: personal data need to be removed if they are not needed anymore, except if they need to be stored for scientific research purposes and sufficient safeguards are in place (art. 5(1)(e)).
- Special categories of personal data: you can only use sensitive personal data[3] in a few scenarios (art. 9(2)(j)). One of those is scientific research (provided safeguards are in place), another is explicit consent.
- Right to erasure: if a participant asks you to remove their data, you do not need to do that if it would “seriously impair” the achievement of the research purpose (art. 17(3)(d)).
So in reality, when one uses personal data for research, the GDPR is much more lenient than for, say, commercial companies. The GDPR is not so much a monster to defeat as it is a creature to tame and keep happy. Yet the researchers I have been in touch with generally do see privacy as a time- and resource-intensive monster, to be fought each time they want to use personal data. Why?
Taming the monster
In Dutch we say “zoveel mensen, zoveel wensen” (many people, many desires), and so there is most likely no single reason why researchers feel limited by the GDPR. But I can take a guess based on the survey and subsequent one-on-one conversations we held recently. The survey, for example, showed that:
- Having personal data in a project means having to fill out many more administrative forms before one can start collecting data. For example, besides a data management plan, there is the ethics assessment, a privacy scan (sometimes called “privacy review”, “DPIA-light”, or “pre-DPIA”), and officially also an obligation to register the project in a processing registry.
- Roles, responsibilities and requirements are not always clear: who can help with figuring out how to set up a privacy-compliant project? Whose responsibility is it to be GDPR-compliant? What steps do researchers need to take before they can start collecting data?
- A distance between researchers, who just want to hear how they have to do things, and legal staff, who point out what researchers cannot do according to the law.
- Existing information is too abstract to use in research practice. Moreover, it is sometimes unclear which tools and techniques are available that would make things easier, or their learning curve is too steep for researchers to tackle on their own.
The GDPR “monster” is relatively new, and so are the strategies we have to tame it. The fact that support may not always be findable or helpful may simply be because up until recently, there was none. Moreover, while ethical committees have been in place for years, privacy offices haven’t, and so many researchers find help from a privacy professional only when the ethics committee tells them to. This can lead to some nasty situations, where in some cases entire projects that were ready to start data collection got blocked, because their plans were not GDPR-compliant.
How can we make it easier?
The way I see it, privacy professionals can take the approach of ethics committees as an example: give researchers a recipe and all the ingredients to keep the monster happy:
- Provide clear instructions on what steps to take when.
- Provide ready-to-(re)use solutions, i.e., documents, workflows and technical solutions without a steep learning curve.
- Provide smooth and low-threshold in-person support.
Some of these ingredients may already be there - or in development[4] - and some may be combined with other recipes such as that of ethics applications and data management plans. But only all of them combined lead to a happy monster, or rather, a small pet that simply needed feeding[5]. Who knows, maybe handling personal data will end up as routine business for researchers, much like feeding your cat every day.
Footnotes
1. The General Data Protection Regulation.
2. See also this resource outlining the GDPR and its position towards research.
3. Data on mental or physical health, racial or ethnic origin, political opinions, religion, trade union membership, genetic or biometric data, sex life or sexual orientation.
4. Some shameless self-promotion: we are currently working on an open source resource about privacy in research that includes information and tools that are as concrete as possible: the Data Privacy Handbook.
5. +1 if you’re also thinking about a chocolate bar ad saying “You are not yourself when you’re hungry” 😉