Is the BSS faculty too compliant?

Privacy comes at a cost

The new General Data Protection Regulation is intended to protect people’s privacy, including that of test subjects. How does a faculty that relies on human test subjects function under this law? ‘Where does it end?’
By Lyanne Levy / Translation by Sarah van Steenderen

If experimental psychologist Hedderik van Rijn has his first-year psychology students participate in a study, and one of those students is a 52-year-old man, it would be easy enough for someone to use social media to identify that student. It would be easy even if the man were assigned a unique code instead of identified by name. After all, there aren’t that many 52-year-old first-year students. Is Van Rijn allowed to share the subject’s data with his fellow scientists?

Students and the GDPR

Researchers aren’t the only people impacted by the new privacy law; students are as well. ‘We’re much more diligent when it comes to students’ information’, says RUG data protection officer Arjen Deenen. ‘We’re much more cautious when it comes to sharing data with third parties. We remove information when we no longer need it. The new guidelines are being drafted right now, if they haven’t been already.’

The university recently started using a new way to generate schedules. The old schedule displayed which classrooms and labs had been reserved and by whom, including their name and student number. That wasn’t in accordance with the GDPR, and the new generator no longer includes names or numbers.

Lecturers can no longer e-mail test results to their entire class. ‘When I was a student they put up a list at the faculty which included your name, your student number, and your grade. We don’t do that anymore’, says Deenen.

Questions like this one have become harder to answer after the introduction of the General Data Protection Regulation (GDPR). On the one hand, the open science movement exerts quite a lot of pressure on scientists to share their data so others can confirm their research. On the other hand, most people agree that people’s private information should be protected.

But when all personal details – such as sexual preference or religion – are scrubbed from the datasets, scientists lose potentially important information. ‘It’s an important issue’, says Jacob Jolij, research support department head at the Faculty of Behavioural and Social Sciences (BSS) and assistant professor of experimental psychology.


He has spent almost half his time in the past year focused on the GDPR, a law that standardises the rules for how European corporations and government agencies process personal information. The social faculty makes good use of its privacy coordinator, says Jolij. ‘All the research we do here – about a thousand studies each year – deals with personal information. Having someone to deal with that on a full-time basis is a necessity.’

Conducting GDPR-proof research can be a challenge. Take observational research in classrooms, for example: ‘Before the GDPR, consent was passive; people would participate in the study unless they didn’t want to. That’s no longer an option. Children have to take a note home for their parents to sign and give consent. But oftentimes, children lose the note or parents forget to fill it in. Before you know it, there are ten children you can’t include in your research.’

No one really knows the solution to this problem just yet. ‘There are no set rules; researchers just have to figure things out as they go along. But that takes time, and we’re already so busy with teaching and publishing that taking on the GDPR just adds more pressure.’

Plenty of criticism

The GDPR led to new rules and a new research portal. Now researchers have to register every single proposal before they take it to the ethics committee. ‘The board of directors requires us to register our research. The ethics committees used to take care of that’, says Jolij.

The requirement was met with plenty of criticism. ‘It’s a lot of extra work and it’s not always clear why we have to do it’, says Van Rijn. ‘We want to avoid being fined, of course, but it’s screwed up that companies like Google and Facebook do all these awful things, when I’ve never known an academic who intentionally violated their test subjects’ privacy. We don’t want to violate anyone’s privacy, but where does it end? The law takes it so far.’

Other faculties don’t have nearly as many rules

Since there is very little jurisprudence involving the GDPR, the university wants to take extra care to avoid fines, which could run up to twenty million euro.

So the researchers complain not just about the added stress of the portal, but also because BSS is supposedly the ‘goody two-shoes’ of the Netherlands – faculties at other universities don’t have nearly as many rules. ‘We understand that there are laws and rules we have to follow’, sociologist Michael Maas said during a faculty council meeting. ‘What we don’t understand is why we have to ask for permission for every single thing.’

Strictest interpretation

Van Rijn also thinks BSS is ‘particularly cautious’. ‘Many academics feel like we’re supposed to work according to the strictest interpretation of the law, like researchers should be inviolable. Then again, maybe in five years all the other universities in the country will have been fined, except for the RUG. Maybe all the extra work will have been worth it; who knows. It doesn’t feel like it, though.’

Managing director Rita Landeweerd says the faculty deliberately opted for this interpretation of the legislation. ‘We are ahead of the curve’, she says. ‘The university is working on a GDPR-proof portal for the whole institute. We estimated that if we’d waited for the law to tell us to have one, it would have been much more complicated to set it up. In the research portal, academics can register and store their work, and the ethics committees can assess it. It prevents extra work.’

It’ll be a while before people start reaping the benefits

The faculty may be cautious, but ‘you can’t be cautious enough when you’re working with personal information’, says Landeweerd. ‘Our proactive approach might have some consequences people weren’t ready for, but I also think that other faculties will start following suit.’

It saves time

Jolij also says the portal actually saves time. ‘At least half an hour. All the ethical proposals are stored in a database. The researchers can’t see it, but there’s a whole underlying structure at work in the portal. It’ll be a while before they start reaping the benefits of that.’

Jolij does understand the resistance to the new rules. ‘It takes time and effort on top of all the other work they have to do. I hope they know that we’re not picking on them.’

