Abstract
In the second quarter of 2022, Utrecht University (UU) Research Data Management Support (RDM Support) sent out a survey to all scientific personnel at UU, and organised one-on-one meetings with a selection of them. The aim of these efforts was to investigate 1) how UU researchers currently deal with personal data in their research, 2) what challenges they run into when handling personal data in research, and 3) how support at UU can improve its services concerning personal data in research. The results showed that most researchers knew to take privacy into account in their projects. However, there were vast differences in knowledge on this topic, as well as in how privacy-related practices were applied. Many researchers expressed concerns about the current quantity, findability and quality of privacy-related support at UU. These concerns were translated into recommendations in the current report. In short, our recommendations concern organising privacy-related research support in a way that makes handling personal data less of a burden for researchers. Moreover, it is important to increase the visibility and findability of existing and new privacy-related support, and to create materials and expertise that are more tailored to academic practice. Taking up these recommendations within the organisation will likely both increase overall GDPR compliance and help researchers focus more on performing high-quality research.
Scientific research often includes some form of personal data. However, researchers may be unaware of what personal data are or whether they are being collected. With the implementation of the General Data Protection Regulation (GDPR) in 2018, stricter legal requirements apply to handling personal data and its sharing and publication. In our own experience, the number and complexity of questions on handling personal data in scientific research at Utrecht University (UU) is increasing.
Our goal at Research Data Management Support (RDM Support) is to assist researchers with any issues surrounding the management of their research data, including research data that contain personal data. To understand how we can best help researchers with their privacy-related questions and needs, we wanted to investigate:
To answer these questions, we set up an online survey and planned one-on-one meetings with a selection of UU researchers. This report summarises our findings, and describes recommendations to improve privacy-related services for research at Utrecht University. For a full description of the methods and results, please refer to the Data Privacy Survey Report.
This survey was part of a larger project, the Data Privacy Project, a data support effort led by RDM Support at UU that aims to provide actionable and FAIR (Findable, Accessible, Interoperable, Reusable) information and tools for researchers to handle personal data in their research.
The Data Privacy Survey consisted of two parts:
All relevant materials can be found in the GitHub repository and are described in the full report.
Below is a summary of all results, which are described in full in the Data Privacy Survey Report.
The Data Privacy Survey showed that personal data are processed in research from each faculty and across all academic positions at Utrecht University. Most researchers indicated that they were familiar with concepts like anonymisation and pseudonymisation, access control, and UU-approved tools for handling personal data. However, the knowledge level differed quite a bit. For example, some researchers indicated storing personal data in locations where this is officially not allowed. Data sharing was common, but the right measures were not always taken to do so securely. Additionally, some measures to securely handle personal data in accordance with the GDPR seemed to be unknown, such as the processing register, Data Protection Impact Assessment, and Standard Contractual Clauses. Finally, there seemed to be a lack of clarity among researchers on specific issues, such as when sharing data is allowed, or when data are personal.
In both the survey and the one-on-one meetings, many researchers mentioned that privacy caused a high administrative burden in the research process. For example, they mentioned that processes have taken a long time to complete (e.g., writing and reviewing a Data Privacy Impact Assessment), and that there are too many forms to fill out, with overlapping content. Examples of such forms are the Data Management Plan, Privacy scan, Data Protection Impact Assessment, and the ethics application, in which privacy is sometimes also included.
The high administrative burden was also partly caused by the fact that researchers did not know what was expected of them: what actions are required from their side, and when and from whom should they ask for help? The latter question is relevant when considering the large variety of support personnel in each faculty: privacy officers, data managers, security officers, Ethical Review Boards, Research Support Officers and the Data Protection Officer can all help researchers, but their exact role is often unclear to researchers and may even differ across faculties.
Some researchers were not content with the support they had received in the past. For example, their research project may have suffered significant delays because support personnel only pointed out what they could not do, rather than how to solve privacy-related issues. We noticed that many researchers argued for more hands-on support, rather than advice with no concrete direction on how to apply it in practice.
Several researchers noted that they found it difficult to find the correct (UU-specific) information and tools to handle personal data in research, in some cases leading to them “googling” for the information they needed. This was due to two reasons:
Finally, many problems seemed to arise from the fact that privacy had not been taken into account from the design phase of a research project. This generally led to data support staff being contacted too late in the process, who then had to tell the researcher to retrospectively make changes in their design in order to move forward.
Based on our findings, the most important recommendation we want to highlight is to decrease the burden on researchers to protect personal data throughout the research cycle. As described above, many researchers see privacy as an administrative hurdle, which takes up too much of their time and effort. Below we make this recommendation more concrete:
We recommend creating a clear overview of labour and responsibility of both researchers and all types of data support staff. Which steps do researchers have to take before they can start executing their research, who is responsible for (supporting) which step, and when is there an official “green light” for researchers to move forward with their project?
Faculty-level support, consisting of privacy officers, data managers, Research Support Offices, and Ethical Review Boards, should come to agreements on support routing: which steps should researchers take when processing personal data, which support staff team tackles which kind of questions, and when should researchers contact them? A good example has been set by the Faculty of Geosciences, in which all faculty-level data support is organised in one team, the members of which regularly discuss cases and prevent projects from falling through the cracks or a privacy expert from being contacted too late in the process.
As indicated by many researchers, the administrative burden of preparing research can be greatly reduced if the overlap between several forms is decreased. Our recommendation is therefore to use one system for all research-related administration. Such a system should include not only the Data Management Plan, but also the ethical application (if applicable), Privacy scan, Data Protection Impact Assessment, and processing register. A similar infrastructure is currently being built at the Faculty of Humanities and may be valuable to also use at all other faculties.
Additionally, to lower the administrative burden, the process of performing a Data Protection Impact Assessment (DPIA) should be smoother and clearer: privacy officers should make agreements on when a DPIA should be performed. DPIAs from similar projects (also from other faculties, if relevant) should be reused to prevent having to perform a DPIA from scratch. Ideally, a DPIA should only be performed if absolutely necessary. At the moment, UU’s privacy officers are already working on this recommendation.
As several researchers indicated that they had difficulties finding the correct information and tools among the many sources of information, we recommend to:
A selection of researchers indicated that they had had bad experiences with data support staff in the past. To prevent this from happening in the future, we recommend all data support staff to:
As stated above, even when researchers were able to locate the correct information resources and tools, they did not always experience those as being helpful. We therefore recommend to:
Research Data Management Support, Utrecht University, ORCID: 0000-0003-3282-8083
Research Data Management Support, Utrecht University, ORCID: 0000-0003-1412-4402
Information Technology Services, Utrecht University, ORCID: 0000-0001-9510-0802
The Data Privacy Project was funded by Utrecht University’s Research IT program and a Digital Competence Center grant from the Dutch Organization for Scientific Research (NWO).