Marlon Domingus, February 19 2017.
On May 25 2018, our universities are ready to act in accordance with the European General Data Protection Regulation (GDPR). The Regulation is binding in its entirety and directly applicable in all Member States and safeguards the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
How did we achieve this? It all started with awareness, which caused a ripple effect through our individual institutions and our collective. We started working together on the relevant issues, once we knew what they were, both within our university and between universities.
As citizens, we value our privacy. We don't appreciate our service providers to leave our personal data unguarded; we trust them to take the necessary precautions to protect our privacy. The Dutch book: Je hebt wél iets te verbergen, by journalists Maurits Martijn & Dimitri Tokmetzis, played a significant role in the public awareness of the various threats to our privacy. They achieved this by an easy to read and clear message. By exposing the many ways in which our privacy is intruded by many public and private organisations or individuals. You typically start the boor with a lingering implicit and inconvenient gut feeling, and it becomes an overwhelming explicit insight in the world behind our computer screens.
Paul Nemitz (Director Fundamental Rights and Union
citizenship; DG Justice and Consumers), revealed recently at the Annual conference of the Privacy & Identity Lab , that the GDPR is based on Kantian moral philosophy. To cite some of the formulations of what Immanuel Kant (1724 – 1804), German philosopher and generally accepted as highly influential for modern philosophy, coined the 'Categorical Imperative':
The categorical imperative is, Kant states, an absolute, unconditional requirement that must be obeyed in all circumstances and is justified as an end in itself. Kant proceeds in his second formulation of the categorical imperative:
— Immanuel Kant, Groundwork of the Metaphysics of Morals (1785)
So with Nemitz's appeal to Kantian moral philosophy, we see our own role as guardians of our own privacy and the privacy of others. Translated to the context of research: guardians of the privacy of our data subjects.
This, to me, is an elegant way of looking at guarding privacy: if you think about it, it is something we expect from others in the same way we can be expected by others - not because the GDPR states it, but because we want to be treated as an end, not a means, and we pay this respect to others in a similar way. The practical application of this approach being, that it is less relevant to wait for the GDPR fully specified and fully implemented, to start implementing the suitable technical and organisational measures at our institutes.
Nemitz also argued, that the GDPR is intended as a regulation still relevant in future years, in a context of fundamental changes in the way we process information. Rather than listing all possible scenarios and corresponding rules, based on today's reality, he prefered a sustainable regulation that is based on principles and interpretation of these principles in specific cases.
Picture by Sergiu Bacioiu, Romania. CC BY 2.0.
An elegant approach, however, only serves as a good starting point to actually guard the multifaceted aspects of privacy. What are these aspects, and what makes our job complex?
We know that we don't know many relevant aspects. This entails: data classification for research data, corresponding appropriate measures, ways to assess risks for data subjects with respect to their fundamental rights and freedoms, in particular their right to the protection of personal data. What are the derogations or exemptions from which provisions in the GDPR for the processing of personal data for the purpose of academic expression? Which contracts must be drawn up, and which are the relevant and clever provisions?How are we to understand the principles of: ‘lawfulness, fairness and transparency’, and how are we to implement these principles? What does 'transparency of algorithms', for instance, mean?How do we implement these (data subject's) rights:
Right of access by the data subject,Right to rectification,Right to erasure ('right to be forgotten'),Right to restriction of processing,Right to data portability,Right to object and automated individual decision-making?
Finally; we can, utter the words: 'pseudonimisation', 'anonimisation', 'data minimisation', 'privacy by design', but when asked to reveal the why, when and how, in most cases, not a consistent shared body of knowledge emerges. Let alone the technical application of these concepts in user friendly tooling.
We are to register the processing of data and the relevant roles in this process, but research is typically conducted in tailored and diverse ways; very unlike uniform business operations. What's more, 'research infrastructure' is more than often constructed by combining components and functionality from both within our institutes, and partner institutes and private and public cloud services. A lot of research takes place in so called 'hidden IT', or 'own built IT'; unknown and unsupported by the researcher's university. How is one to build a register that covers these aspects as well? Furthermore, within our universities we have a generic responsibility to safeguard the privacy of all our students, faculty and staff, as well as a specific responsibility within research, as mentioned above. This aspect makes data protection a combined (generic and specific) task for a manyfold of stakeholders: Faculties and Institutes, IT, Legal, Policy, Library, Communication. Governance for institution-wide innovation, even change, is traditionally difficult, due to the central vs. decentralised distributed responsibilities.
I conclude this blog with the observation that we can tackle these issues, if we are aware of the matters at hand, and if we collaborate effectively. We need a sense of urgency and we need help. From each other and from outside.
Please share your comments and thoughts, and participate in the ripple effect. Create your own wave or pass on the ripple(s), much like the image below envisions:
By: Laurel Papworth. CC BY-NC-ND 2.0