Longread
Good research starts with data protection
Researchers love their data. Well, ‘their data’: it inevitably includes a lot of other people’s data. What can you do to keep that sensitive information as private as possible?
Nowadays, we all have to be careful not to let anyone steal our data. Identity theft, extortion and an emptied bank account are no longer the stuff of science fiction.
But some of us have to be extra mindful of privacy. WUR researchers are an example, because the terabytes of data they collect are not just valuable to them, but they contain a lot of other people’s personal data, from the routes and catches of fishing vessels to the health information of trial subjects and test animals.
This data has to be fully protected and safeguarded, not only for the sake of the law, but also for the University’s reputation and, perhaps most importantly, in order to not damage the trust with which it was given. Data awareness has grown enormously within WUR in recent years. Regular password changes are now part of standard practice, and USB sticks have been banned as a means of transporting data. Logging in via VPN, two-factor authentication and data management plans are now commonplace.
For researchers, it is extremely important to keep an eye on what data they are collecting and what they do with it, even after the research has been completed. Prevention is always better than cure, but providing regulations is also important. At the very least, it is essential to know what to do in the event of a data incident.
Meeke Ummels is Serious About Data
“We carry out a lot of clinical nutrition research, for example into the effects of food on certain health parameters, such as blood sugar levels and the digestibility of certain foods, so we work with a lot of participants who we collect data from.
Read more
“The interesting thing is that a lot of our field is becoming more digitalised. In the project ‘Sensing Potential in the food supply chain’, we look at how we can use sensors to estimate food intake. An example is using a colour depth and near infrared camera that uses artificial intelligence to try to estimate portion sizes and thus predict quantities of ingredients and carbohydrates, proteins and fats.
“For clinical nutritional research that is covered by the WMO (medical research involving human subjects act), we adhere to the Central Committee on Research Involving Human Subjects guidelines. Then a research proposal must be submitted that is then assessed for its ethical aspects. In doing so, we also comply with the AVG legislation by, for example, ensuring test participants are properly informed about the collection and processing of both personal data and research data, and requiring consent from them.
“As a researcher, I make sure that the data we collect from participants is only processed using systems and applications that are in the ApprovedApps Tool. The privacy-sensitive data that we use can include names, telephone numbers, addresses and IBAN numbers; we need this for payment purposes. Some participants are aware of potential privacy issues while others put their whole lives in an email, so to speak. In these cases, I tell them that they can bring the reimbursement form to us, for example, and we then enter that into the system. That paper then goes straight into the blue container for test participant information and is destroyed.
“I have noticed that there has been a greater focus on privacy since 2018 when the AVG legislation was introduced. We are all much more aware of it. This also applies to what you write in your emails; no personal data, but a participant number. We also take the retention period into account. Participants’ data should not be kept longer than necessary. This depends on the applicable retention period for the type of information.
In addition to personal data, we also have retention periods for research data. For clinical nutrition research, this is 15 years; for consumer research, we follow the WUR guideline of ten years. One major improvement in recent years is that we have extended these guidelines to digital folders that we keep on the secure digital WUR drive.”
Dolf Bekius is Serious About Data
“Originally, I was a geographer. I have been working on the management and development of databases and web services in Wageningen Marine Research for two and a half years. My work location is in IJmuiden. Privacy-sensitive data is stored there for our research into the activities of the fishing industry, among other things. Do fish have privacy? No, but fishers do. Our databases are populated with data provided by the Ministry of Agriculture, Nature and Food Quality. This includes some fairly large quantities of data containing catch data and the GPS routes of fishing vessels, which can be traced back to fishing companies.
Read more
“We have protocols on who should have access to this data. These individuals also have to sign a declaration that they will not leak any confidential data. Not everyone has the same rights and access; most employees use data tables in which the names of fishing companies and vessels are anonymised using a code. In the analyses, catch data is also aggregated to prevent it from being traced back to specific companies.”
“Even as an administrator, I cannot access everything. The most important databases are managed at the highest level by FB-IT, the facilities company of the IT services within Wageningen University and Research. We use databases they host. The advantage of this is that they take care of the databases’ security and provide technical updates. We also use managed servers where other applications are installed, and these need to be managed too. FB-IT largely takes care of security, taking control of standard updates and management of the firewall and user accounts. We are responsible for the management of the applications we install on these servers, which can create risks if they are not updated in time. I try to avoid those risks as much as possible by using software that is technically maintained by FB-IT.
“Things can always go wrong with privacy-sensitive information. We have reported two potential data breaches. These were acted on quickly, according to procedure. The last thing you should do in these instances is to freeze or sit around. There is a whole page on the intranet with instructions on what steps you need to take. It is like traffic. You can be as careful as you like, but accidents can happen. You have to do your best to prevent them, but if things go wrong, you have to deal with the situation as quickly as possible.”
Kiki Streng is Serious About Data
“I am researching the occurrence and spread of a number of mosquito-borne viruses in the Netherlands. As well as the Usutu virus, there is also the West Nile virus, which was first detected in wild birds in the Netherlands in 2020. Vets all over the country send me blood samples from healthy horses and dogs. To do this, they asked for informed consent from owners. The blood sample is accompanied by a form with a signature on it. I need a lot of data to achieve good baseline measurements. It includes personal data too, because there are always locations involved: that of veterinary practices as well as that of the animal or its owner. According to the AVG, being able to trace data back to a person is not desirable.
Read more
“Another reason to protect the data is that if my results are stolen, I can no longer publish my work, so I am personally invested in being as careful as possible. Logging in via VPN and two-factor authentication is standard practice. The latter has proven difficult when doing lab research in Lelystad. You are not allowed to bring anything into the High Containment Unit. You have to shower afterwards, so you can’t even take your phone with you. If you want to log into your account at the lab, you can only do so with a special security key for identification.
“I also drew up a data management plan. It describes how you should take care of your data. I stick to those rules. If there ever is a data breach, privacy officer Rita Hoving would be the first person I would call, and I would look on the intranet to see what follow-up steps I should take.”
Niels Hintzen is Serious About Data
“For my PhD research into fishers’ behaviour on a small geographical level, I analysed their GPS data in combination with their logbooks, which records the gear they use, the species they fish, the number of kilos they catch and so on. GPS data immediately raises privacy issues. Some people record their entire runs on Strava, but this is commercial data, described in the law as information that has to be protected. This applies to fishing grounds in particular.
Read more
“Every ship has the name of its home port as well as a number: the Urk 1 or the Scheveningen 65. An important choice is which employees have access to the actual name of the ship. Others only see its name in anonymised form: the Urk 1 is called ship 47, for example. You can still see that the ship is fishing for herring or blue whiting, but you cannot trace which ship it is.
“The datasets are currently stored on the well-secured WUR servers and will remain there. Our hard drives on the PCs and laptops are encrypted with bitlockers, so unauthorised figures cannot access them easily. But you don’t want this to become a potentiality, so our policy is to keep everything on the network drives. Only a select group has access to these files. Everyone has to provide a statement in writing to access them. I am the first to do this every year.
“Not everyone has access to everything; many employees can only access the data in its aggregated form or only a part of it. If we make maps or products based on the data, then I check with a colleague whether there is adequate assurance of anonymity in what we make public. If it is not, then we do not publish it.
“If we do not handle the data we have been given with care, there can be huge consequences. The loss of trust — something especially important with fishers. The government may also decide to not supply us with any more data sources, or cease to provide data in its current format: raw data that enables us to do innovative research. So there are implications for research trajectories as well as for the knowledge we develop about fisheries.
Read more stories in the magazine: WUR is serious about Data