Is the BSS faculty too compliant?
Privacy comes at a cost
If experimental psychologist Hedderik van Rijk has his first-year psychology students participate in a study, and one of those students is a 52-year-old man, it would be easy enough for someone to use social media to identify that student. It would be easy even if the man were assigned a unique code instead of identified by name. After all, there aren’t that many 52-year-old first-year students. Is Van Rijn allowed to share the subject’s data with his fellow scientists?
Students and the GDPR
Researchers aren’t the only people impacted by the new privacy law; students are as well. ‘We’re much more diligent when it comes to students’ information’, says RUG data protection officer Arjen Deenen. ‘We’re much more cautious when it comes to sharing data with third parties. We remove information when we no longer need it. The new guidelines are being drafted right now, if they haven’t been already.’
The university recently started using a new way to generate schedules. The old schedule displayed which classrooms and labs had been reserved and by whom, including their name and student number. That wasn’t in accordance with the GDPR, and the new generator no longer includes names or numbers.
Lecturers can no longer e-mail test results to their entire class. ‘When I was a student they put up a list at the faculty which included your name, your student number, and your grade. We don’t do that anymore’, says Deenen.
Questions like this one have become harder to answer after the introduction of the General Data Protection Regulation (GDPR). On the one hand, the open science movement exerts quite a lot of pressure on scientists to share their data so others can confirm their research. On the other hand, most people agree that people’s private information should be protected.
But when all personal details – such as sexual preference or religion – are scrubbed from the datasets, scientists lose potentially important information. ‘It’s an important issue’, says Jacob Jolij, research support department head at the Faculty of Behavioural and Social Sciences (BSS) and assistant professor of experimental psychology.
GDPR-proof
He has spent almost half his time in the past year focused on the GDPR, a law that standardises the rules for how European corporations and government agencies process personal information. The social faculty makes good use of its privacy coordinator, says Jolij. ‘All the research we do here – about a thousand studies each year – deal with personal information. Having someone to deal with that on a full-time basis is a necessity.’
Conducting GDPR-proof research can be a challenge. Take observational research in classrooms, for example: ‘Before the GDPR, consent was passive; people would participate in the study unless they didn’t want to. That’s no longer an option. Children have to take a note home for their parents to sign and give consent. But oftentimes, children lose the note or parents forget to fill it in. Before you know it, there are ten children you can’t include in your research.’
Is the RUG GDPR-compliant?
Since the law took effect on 25 May, 2018, organisations have to be able to prove that they are complying with all its demands. Corporations that violate the law can be fined up to 4 percent of the annual revenue. If the RUG messes up, the maximum fine they’d be charged is twenty million euro.
Over the past few months the university has worked hard to become privacy-proof. At least sixty people have been working on it, fifty of them in the capacity of privacy or security coordinator.
Supervisor Arjen Deenen draws up the annual reports and provides advice and information concerning the GDPR to the board of directors. The RUG isn’t quite there yet, but they’ve come a long way. ‘We can show what we’ve been doing and what we’re working towards’, he says. Groningen won’t have to be afraid of any fines, then.
No one really knows the solution to this problem just yet. ‘There are no set rules; researchers just have to figure things out as they go along. But that takes time, and we’re already so busy with teaching and publishing that taking on the GDPR just adds more pressure.’
Plenty of criticism
The GDPR led to new rules and new research portal. Now researchers have to register every single proposal before they take it to the ethics committee. ‘The board of directors requires us to register our research. The ethics committees used to take care of that’, says Jolij.
The requirement was met with plenty of criticism. ‘It’s a lot of extra work and it’s not always clear why we have to do it’, says Van Rijn. ‘We want to avoid being fined, of course, but it’s screwed up that companies like Google and Facebook do all these awful things, when I’ve never known an academic who intentionally violated their test subjects’ privacy. We don’t want to violate anyone’s privacy, but where does it end? The law takes it so far.’
Other faculties don’t have nearly as many rules
Since there is very little jurisprudence involving the GDPR, the university wants to take extra care to avoid fines, which could run up to twenty million euro.
So the researchers complain not just about the added stress of the portal, but also because BSS is supposedly the ‘goody two-shoes’ of the Netherlands – faculties at other universities don’t have nearly as many rules. ‘We understand that there are laws and rules we have to follow’, sociologist Michael Maas said during a faculty council meeting. ‘What we don’t understand is why we have to ask for permission for every single thing.’
Strictest interpretation
Van Rijn also thinks BSS is ‘particularly cautious’. ‘Many academics feel like we’re supposed to work according to the strictest interpretation of the law, like researchers should be inviolable. Then again, maybe in five years all the other universities in the country will have been fined, except for the RUG. Maybe all the extra work will have been worth it; who knows. It doesn’t feel like it, though.’
Managing director Rita Landeweerd says the faculty deliberately opted for this interpretation of the legislation. ‘We are ahead of the curve’, she says. ‘The university is working on a GDPR-proof portal for the whole institute. We estimated that if we’d waited for the law to tell us to have one, it would have been much more complicated to set it up. In the research portal, academics can register and store their work, and the ethics committees can assess it. It prevents extra work.’
It’ll be a while before people start reaping the benefits
The faculty may be cautious, but ‘you can’t be cautious enough when you’re working with personal information’, says Landeweerd. ‘Our proactive approach might have some consequences people weren’t ready for, but I also think that other faculties will start following suit.’
It saves time
Jolij also says the portal actually saves time. ‘At least half an hour. All the ethical proposals are stored in a database. The researchers can’t see it, but there’s a whole underlying structure at work in the portal. It’ll be a while before they start reaping the benefits of that.’
Jolij does understand the resistance to the new rules. ‘It takes time and effort on top of all the other work they have to do. I hope they know that we’re not picking on them.’