PONT Data&Privacy

The AVG and scientific research: the state of play after one year

As everyone knows, the AVG (the Dutch name for the GDPR) has been in effect since May 2018: a robust update to privacy laws in EU member states. Every organization that does anything with personal data has to deal with it: data subjects have more rights, and as processors we must not only safeguard those rights, but also proactively demonstrate that we handle personal data with care. Although the AVG did not come out of the blue, this is quite a task, especially for universities.

25 July 2019

A university is an enormously complex organization in which a vast amount of personal data is processed: from salary administration to student files and exam results. Personal data for research occupies a special place. After all, a lot of research, especially at the humanities, social science and medical faculties, involves people. In that case you are almost automatically talking about personal data.

Personal data in research as an exception to the AVG

Like the Personal Data Protection Act, the AVG Implementation Act has exceptions ("derogations") for research. And that is just as well: in much research, for example, we work with special categories of personal data, which normally should not be collected. Think, for example, of religious or political beliefs - a religious studies scholar or political scientist might as well pack their bags if this cannot be asked. Certain rights of data subjects, such as the right to be forgotten, may also be waived for scientific research under certain conditions. And that is useful: many scientists in the empirical sciences use statistics to reach their conclusions. Such statistical analyses produce numbers such as averages, standard deviations and probabilities of error, which play an important role in scientific publications. But what if a data subject indicates that his or her data should be removed from a dataset? It would mean that all analyses would have to be redone, all numbers adjusted, and perhaps one or more publications rewritten. Not convenient. That's why the legislature - thankfully! - allows exceptions to the AVG in such narrowly defined cases.

Pseudonymization and anonymization of data

But that is not the end of the matter, of course. I am a psychologist myself and work at a faculty of Behavioral and Social Sciences. It is precisely in this field that we find that there is still much to learn. Personal data for research in the behavioral sciences falls somewhere between the very sensitive medical records on the one hand and registry data, such as that from the CBS, on the other. With both medical data and registry data, an enormous amount of experience has already been gained, for example in pseudonymization and anonymization. Unfortunately, much of that experience cannot be transferred one-to-one to the behavioral sciences: many researchers in our institute are pre-eminently interested in individual differences. Most common anonymization models and algorithms make datasets unusable for scientific research. Added to this is the challenge that datasets are created specifically for research in, for example, behavioral experiments. The number of variations on variables that researchers collect in those experiments is literally endless, making cataloging and constructing standard measures a monumental task.

What is included in personal data?

What makes this interesting, but at the same time enormously difficult, is that science is always changing. Data that would not qualify as a special category of personal data today may become so in the future. Think, for example, of eye movement recordings. A fairly innocuous measure, you might say. Yet you can learn a lot about a person from eye movement patterns: there are indications that eye movements can say something about your personality, but also about predisposition to autism, for example. This would make eye movement data a special category of personal data. You see something similar with reaction speeds in certain visual search tasks: there is a statistical connection between, for example, religious beliefs and the speed with which research participants solve certain visual puzzles. Does this mean that we should now treat reaction times as a special category of personal data because they might give something away about a person's beliefs?

Seeking balance between data subjects' and researchers' rights

Clearly, some scientists are concerned about the AVG, especially as the scope of the new legislation becomes increasingly clear. Privacy, fine, it is often said, but it should not come at the expense of the ability to do good research! Fortunately, the legislator and also the European Data Protection Board (EDPB) have foreseen that science does not stand still and will always encounter situations that cannot be captured in specific do's and don'ts or checklists. The EDPB, for example, assigns an important role to ethical review boards, which can issue rulings on complex privacy questions. The data protection impact assessment (DPIA) is a useful tool in this regard. In a DPIA, risks and possible measures can be systematically mapped out and a careful balance can be struck between the interests of scientific research and the rights of those involved.

By now we have gained the necessary experience with this methodology within our institute and, after some bumps and teething problems, we are now reasonably up to speed. And that's good, because in this way we can arrive at best practices: what is the best approach for certain scenarios? We try to tackle this as much as possible at the national level, for example through the National Coordination Point Research Data Management (LCRDM) and Nethics, the national consultation of Ethics Committees in the behavioral sciences. However, there is still much to do and learn, and we often depend on, for example, scientists on Ethics Committees who 'voluntarily' do this work on the side, and researchers who neatly submit their research for a full DPIA. It is to be hoped that universities will come to appreciate this hard work, as it is much needed!

This article can also be found in the AVG file
