GDPR and research: what determines whether you may share data?
There is currently a trend towards making research findings more accessible, and sharing the underlying data with other researchers. This is what the funding organisations for research want, and the National Plan on Open Science is setting some concrete goals to facilitate this. At Leiden University, privacy protection is a part of these considerations, based on the principle of 'Open if possible, closed if necessary.'
In the near future, all researchers will make a data management plan before they embark on their research. The plan has to cover such questions as: Where and how should you store data during and after your research? Are there any ethical aspects that need to be taken into account? How can the data be shared? Laurents Sesink, head of the Centre for Digital Scholarships (CDS) at Leiden University Library, believes it is a good idea to start using the data management plan as a guideline already. The plan makes it easy to meet the AVG's requirements for research using privacy-sensitive data.
‘The advantage,' Sesink explains, 'is that a whole range of different aspects are planned out systematically in advance, and the researcher is aware that he or she has to make decisions about how to handle the research data. The GDPR imposes a range of conditions on how personal data are processed. Funders of research, on the other hand, stipulate that the research data should be reused once a project has been completed. Once the right measures are in place, that's relatively easy to arrange for a lot of data. We at the CDS are there to help and provide advice. We guide the researcher through the process step by step. That way, when you finish your research, there's less for you to worry about.' Particularly when privacy-sensitive data or ethical issues are involved, a researcher currently has to consult all kinds of different authorities. Sesink: ‘Any researcher can get in touch with the CDS for questions about data management and Open Science. And we have a Data Protection Officer who is a specialist in the more complex aspects.'
Organising data management
The University has drawn up a Data management regulation that states clearly who is responsible for handling data - the researcher, the academic director or the dean, for example - as well as when and how. The regulation offers faculties the opportunity to adapt their data management to the specific faculty situation within a particular framework. At the request of the Executive Board, a three-year data management programme has been set up, run by the Information Management department of Administration and Central Services. The programme is intended to help implement data management in the faculties. The CDS and ISSC are both involved in this. The programme has to ensure that researchers can store their data securely during their research. Once the research is completed, researchers can decide for themselves where they want to store their research data, provided the location meets the (strict) conditions of a Trusted Digital Repository. There are all kinds of different facilities, such as DANS from the Royal Netherlands Academy of Arts and Sciences (KNAW), for the Social and Behavioural Sciences, and 4TU, a data storage system for technical data from the three technical universities and the University of Wageningen.
What do the faculties want?
The programme is currently at the stage where the faculties are considering what their needs are: to create their own facilities, buy space from DANS or 4TU or look at the possibilities of a university or even national system, in cooperation with SURF. ‘In all cases, the University is keen to be a partner in the system,' Sesink comments. 'We want to have clear agreements in place with all parties.'
There are more research data containing personal information held within the University than you might think. The Faculties of Medicine and Social and Behavioural Sciences are obvious places. Sesink: ‘Actually, Medicine is not included in our programme. The LUMC deals with nothing but the most confidential personal data and has long experience in how best to handle such data. They are constantly improving their processes and we work together so that we can benefit from the existing knowledge. At a faculty like Law, as well, a lot of personal information is gathered in the context of research activities. Just think of interviews or research within Criminology. And more corporate research is conducted in The Hague.'
Every research study is different
Sesink stresses that every research study is different: 'There is a big difference in the systems governing data held by companies, where there is a set format for handling information. It's easier to keep a grip on things in that environment. Things are different in research. For every idea there is a point in time when the best research method has to be chosen, and that is different for every study. Not only that, new methods and techniques for research are constantly being developed.' That's another good reason to write a data management plan for every study, as the Data Management Regulation prescribes. It's a way of making sure that all researchers are fully aware of the things they have to arrange.
Levels of availability
There are major differences in the level of privacy sensitivity, but with the right regulations a lot of datasets can be reused. Sesink: ‘You can make data freely available, keep the door firmly closed or make data available with strict or less strict restrictions. All variants are possible. Technically, in many cases it's possible to separate the personal data from the other data and to anonymise it, although that doesn't work in all cases. Interviews are, of course, easy to trace back to a particular person, and there are also interviews recorded on video. And there's another question: once you have extracted the personal data, what do you do with it then? Does it have to be stored somewhere differently from the research data? These are the kinds of questions the University is looking at.'
How to handle the data and where to go for advice
The need to study the large amounts of available data using new methods and techniques was already a good reason to look at how the data are used and stored. It's by no means new for researchers to handle personal information responsibly, but the requirement to record the process is new. As the GDPR now requires a register detailing descriptions of the personal data and the way they are handled, there's extra reason to make sure that researchers know how to handle the data and where they can get the right advice.
Text: Corine Hendriks
Not a great deal has changed in terms of the content of the new regulation: the rules are the same. But the Personal Data Authority will monitor compliance with the rules much more closely than before and the fines for non-compliance are much higher, up to € 20 million or 4% of the turnover. Every company and institution has to have a so-called process register that describes exactly what personal data are held and how they are protected. Larger organisations also have to employ an independent data protection officer.