Wednesday, November 5, 2014

The wonderful world of data protection – an academic odyssey

First of all, let me make one thing perfectly clear: I’m pro data protection. Point blank. Data protection is an important aspect of privacy, and I consider privacy to be one of the most important values of contemporary societies. Hell, I have even pointed out the detrimental potential of data collection, transfer, and processing in several articles on discrimination and trusted traveler programs. But right now, data protection is driving me nuts. How come? We might call this a chain of unfortunate circumstances, but data protection has successfully blocked my research for a couple months now. 

It all started with the EU Commission’s prerequisite that all research projects that are funded under the FP7 framework need to comply with ethical standards. Rightfully so. After all, ethical regulation (or rather the lack thereof) has been something that was criticized in EU-funded research in the past, especially in the fields of medicine and biology. So, “ethics”, this broad and seldom clearly defined term, has become an integral part of research. And data protection has become incorporated under the umbrella of ethics.

In 2013, DG Research and Innovation even published a document entitled “Ethics for researchers”, stating that “ethics is an integral part of research from beginning to end and ethical compliance is pivotal to achieve real research excellence.” (p. 2) Again, rightfully so. I’m actually familiar with those issues first hand. I have been working at an ethics institution for almost 4 years now, I have been on an FP7 project’s ethical advisory board before, I have conducted ethical impact assessments, and a large part of my work looks at security and the politics of security through an ethical lens.

Anyway, now data protection is part of research ethics, and the Commission is very keen on adherence to this principle. Again, and I can’t point this out often enough, I consider this to be a good thing. However, it has led to the inclusion of a little passage in one of my current project’s description of work that reads as follows:

“beneficiaries will submit research protocols to competent local/national ethical boards/bodies/administrations and DPAs for authorization/opinion/notification. Information provided to competent local/national ethical boards/bodies/administrations and DPAs will include: (1) detailed information on the source of personal data; (2) detailed information on the procedures that will be used for the recruitment of participants (e.g. number of participants, inclusion/exclusion criteria, direct/indirect incentives for participation, the risks and benefits for the participants etc.); (3) detailed information on the nature of the material that will be collected; and (4) detailed information on privacy/confidentiality and the procedures that will be implemented for data collection, storage, protection, retention and destruction and confirmation that they comply with national and EU legislation.” 

Does not exactly sound like a problem, right? After all, my role in the project is societal impact assessment which, apart from desk research, includes a handful of expert interviews on possible ethical and social issues of disaster management. So shouldn’t this rather be a formality? Far from it! This is where the trouble started!

“Competent local/national ethical boards/bodies/administrations and DPAs.” Now who would that be? The terminology has been kept rather vague, as it must of course fit partners from 10 different countries. So, I wondered who in Germany would be the competent contact for a researcher who wants to conduct a small number of expert interviews. First, I called the university’s EU liaison office – assuming they might have some experience on such matters. They were in fact very helpful, but it turns out that my university does not have an ethics committee, so they referred me to the university’s legal department, which deals, among other things, with matters of data protection. When I told them about my trouble finding someone to report to, they told me that they were only concerned with questions of data protection in the university’s administration, and not with actual research.

So, I made a couple of further inquiries, spoke to colleagues, and eventually ended up with the state data protection office. They told me, however, that they were not the appropriate contact either, and referred me to an institution that advises all universities in my state on data protection issues. It eventually turns out that legally speaking, an interview that is digitally recorded before transcription is defined as “automated processing of personal information”, which in turn triggers a very complicated application procedure for a “Verfahrensverzeichnis”, which is basically a documentation that can be accessed by the public. Which, again, I think is a great thing in terms of transparency and accountability. However, the 11-page application form is apparently so inaccessible that it comes with a supplementary document twice as long that is supposed to help you fill out the application form.

Problem is: most of the information required is technical stuff – computer hard- and software, server infrastructure, encryption, back-ups, etc. In other words: things that I know little of. So I called our in-house IT guy for help. He referred me to the university’s central IT office. I called them and they told me to send the form over. The next day I received a mail saying that they were not authorized to fill it out; instead, they referred me to the university’s legal department. The one from above, remember? That was the moment when I felt like banging my head against the wall until everything went away – or until they would put me away…

And it was the moment when I realized that I needed to vent. Now one could of course say that this is not actually about data protection. One could say that this is rather one of those bureaucratic cycles of madness that Kafka has written so wonderfully about. Or one could say that this is just bad luck. I am not even looking for deeper insight here. However, I feel like this data protection odyssey in fact tells us something about the state of data protection itself. How its regulations and practices diverge. How it is preoccupied with technical details instead of content. And how hard it sometimes can be to cherish it appropriately.

To be continued.
