First of all, let me make one thing perfectly clear: I’m pro
data protection. Point blank. Data protection is an important aspect of
privacy, and I consider privacy to be one of the most important values of
contemporary societies. Hell, I have even pointed out the detrimental potential
of data collection, transfer, and processing in several articles on
discrimination and trusted traveler programs. But right now, data protection is
driving me nuts. How come? We might call this a chain of unfortunate circumstances,
but data protection has successfully blocked my research for a couple months
now.
It all started with the EU Commission’s prerequisite that all
research projects that are funded under the FP7 framework need to comply with ethical
standards. Rightfully so. After all, ethical regulation (or rather the lack
thereof) has been something that had been criticized in EU funded research in
the past, especially in the fields of medicine and biology. So, “ethics”, this
broad and seldom clearly defined term, has become an integral part of research.
And data protection has become incorporated under the umbrella of ethics.
In 2013, DG Research and Innovation has even published a
document entitled “Ethics for researchers”, stating that “ethics is an integral
part of research from beginning to end and ethical compliance is pivotal to
achieve real research excellence.” (p. 2) Again, rightfully so. I’m actually familiar
with those issues first hand. I have been working at an ethics institution for
almost 4 years now, I have been on a FP7 project’s ethical advisory board
before, I have conducted ethical impact assessments, and a large part of my
work looks at security and the politics of security through an ethical lens.
Anyway, now data protection is part of research ethics, and
the Commission is very keen on the adherence of this principle. Again, and I
can’t point this out often enough, I consider this to be a good thing. However,
it has led to the inclusion of a little passage in one of my current project’s
description of work that reads as follows:
“beneficiaries will submit research protocols to competent local/national ethical boards/bodies/administrations and DPAs for authorization/opinion/notification. Information provided to competent local/national ethical boards/bodies/administrations and DPAs will include: (1) detailed information on the source of personal data; (2) detailed information on the procedures that will be used for the recruitment of participants (e.g. number of participants, inclusion/exclusion criteria, direct/indirect incentives for participation, the risks and benefits for the participants etc.); (3) detailed information on the nature of the material that will be collected; and (4) detailed information on privacy/confidentiality and the procedures that will be implemented for data collection, storage, protection, retention and destruction and confirmation that they comply with national and EU legislation.”
Does not exactly sound like a problem, right? After all, my
role in the project is societal impact assessment which, apart from desk
research, includes a handful of expert interviews on possible ethical and
social issues of disaster management. So shouldn’t this rather be a formality?
Far from it! This is where the trouble started!
“Competent local/national ethical
boards/bodies/administrations and DPAs.” Now who would that be? The terminology
has been kept rather vague, as it must of course fit partners from 10 different
countries. So, I wondered who in Germany would be the competent contact for a
researcher who wants to conduct a small number of expert interviews. First, I
called the university’s EU liaison office – assuming they might have some
experience on such matters. They were in fact very helpful, but it turns out
that my university does not have an ethics committee, so they referred me to
the university’s legal department, that deals, among others, with matters of
data protection. When I told them about my troubles of finding someone to
report to, they told me that they were only concerned with questions of data
protection in the university’s administration, and not with actual research.
So, I made a couple further inquiries, spoke to colleagues,
and eventually ended up with the state data protection office. They told me,
however, that they were not the appropriate contact either, and referred me to
an institution that advises all universities in my state in data protection
issues. Eventually turns out that legally speaking, an interview that is
digitally recorded before transcription is defined as “automated processing of
personal information”, which in turn triggers a very complicated application
procedure for a “Verfahrensverzeichnis”, which is basically a documentation
that can be accessed by the public. Which, again, I think is a great thing in
terms of transparency and accountability. However, the 11-page application form
is apparently so inaccessible that it comes with a supplementary document twice
as long that is supposed to help you fill out the application form.
Problem is: most of the information required is technical
stuff – computer hard- and software, server infrastructure, encryption,
back-ups, etc. In other words: things that I know little of. So I called our
in-house IT guy for help. He referred me to the university’s central IT office.
I called them and they told me to send the form over. Next day I receive a mail
saying that they are not authorized to fill it out and instead referred me to
the university’s legal department. The one from above, remember? That was the
moment when I felt like bouncing my head against the wall until everything went
away – or until they would put me away…
And it was the moment when I realized that I needed to vent.
Now one could of course say that this is not actually about data protection.
One could say that this is rather one of those bureaucratic cycles of madness
that Kafka has written so wonderfully about. Or one could say that this is just
back luck. I am not even looking for deeper insight here. However, I feel like this
data protection odyssey in fact tells us something about the state of data
protection itself. How its regulations and practices diverge. How it is preoccupied
with technical details instead of content. And how hard it sometimes can be to
cherish it appropriately.
To be continued.
No comments
+ add yours