Tackle data processing seriously

Photo: Guy Ackermans

How should a student or researcher deal with third-party data? How do you collect and store it? Two students talk about sensitive data and other tricky issues. WUR’s corporate privacy officer Peter Ras concludes with some good advice.

Rosa Thijssen

Second-year Nutrition and Health Master’s student

Koen Manusama

Promovendus at WUR

Peter Ras

Corporate privacy officer at WUR

‘I didn’t realise that data management would be such an important part of the study’

Rosa Thijssen (24) is a second-year Nutrition and Health Master’s student in the Human Nutrition and Health group. She is investigating how the right nutrition can help nurses stay healthier and more alert when working night shifts. This involves processing confidential data, which she does with great care.

“For my Master’s thesis, I’m working on the ‘Time to Eat’ study under the supervision of a PhD student. We look at nurses on their night shift. We want to find out what the right dietary pattern would be for them. It is known that nutrition can affect your alertness during a shift, and if you’re less alert, there is a greater risk of medical errors and accidents. People experience a biological dip in their alertness between two and five o’clock in the morning. A large meal before you start your shift can make that dip worse. So during our study, the nurses who are taking part get one relatively small yoghurt meal during their shift, three such meals or none. We are monitoring 60 nurses for one year. My task is to ask them questions during and after their shifts.”

Keeping data confidential

“I use questionnaires that I send by e-mail or run through on the phone. I collect a lot of data during this research and we take due care processing it. First of all, I use a project phone rather than my own smartphone. That means I don’t collect the phone numbers of the participants unnecessarily and they don’t get my private number either. All data is treated confidentially. That is possible because each participant is assigned a unique, anonymised code. Only the researchers can see the list of codes and it is stored on an internal network that is password-protected. The researchers have to sign a statement of confidentiality beforehand, in which they guarantee that they will not provide any personal information to other people or organisations.

Now that I’m involved with it, I find data management really interesting. I feel like a genuine nerd when I’ve figured out a programme

The nurses sign a consent form stating who is allowed to see their data. There was also an informative online session on this topic. It served the same purpose as a cookie statement on a website, but it was a lot more detailed.”

The easiest option

“The degree programme should include more discussion of how such rules work and why they are there. Now you are just told that’s how it is; you don’t hear about the risks if something goes wrong and data ends up in the public domain, for example.

My generation is used to convenient tools. In study groups, it is tempting to just work with Google Forms rather than the by WUR approved and facilitated tools. The university tells you which programmes you should use, of course, but in practice people still tend to go for the easiest option.

When I started my degree, I didn’t think data would be such an important part of it. You tend to associate that with the more hard-core science subjects. But now that I’m involved with it, I find it really interesting. When I manage to figure out a programme, I feel like a genuine nerd. The nice thing is that we will be making a recommendation that could be implemented in practice. The fact that it is based on data will give it more weight.”

‘You can make the world a better place with data’

Koen Manusama (29) joined WUR as a research assistant three years ago and started on his PhD last year. His research is on fatigue among people who have had cancer of the large intestine.

“I collect all my data myself and I did a course on good clinical practice for the purpose. That covers the relevant standards on data management and study execution that make sure you do good research. In the past, a lot of researchers didn’t pay that much attention to these aspects; the rules weren’t as strict then. You may think doing research is a harmless activity but the good clinical practice course teaches you why you need those rules. Good clinical practice = ethics + data quality. To give an example: you say you want to take part in a study. The researchers record your alcohol consumption for the inclusion criteria but it turns out you drink too much so you can’t take part. Years later, you apply for an important job but you get rejected because you used to drink too much. The researcher shared the information by mistake without your consent. No one wants this to happen but it can because of poor data management. Researchers who don’t keep to the rules may even be committing a criminal offence. Take the Municipal Health Service data leak. Of course, there are monitors — people who check the quality of your study — but data management really is something you need to get a grip on yourself.”

Citizen service number in the wrong hands

“As a researcher, you are responsible for a lot of confidential data. Sometimes, the people who take part in a study receive remuneration and then you need their citizen service number (BSN). If that gets into the wrong hands, it could lead to fraud so you must make sure not to lose that data. If you do, the university will eventually have to report it to the Dutch Data Protection Authority. It can happen before you even notice. Unfortunately, most people only realize how important this is when something goes wrong.

If you manage your data well, others can reproduce your research without any problems

In fact, good data management doesn’t just reduce risks, it also has benefits for the research as it helps you find things again more easily later.

Many people think people who like rules are nit-picking. I know that isn’t the case as I was taught by a strict mentor who previously worked in the pharmaceutical industry. The rules protect your data subjects and if you manage data well, others can reproduce your research without any problems. You do research not for yourself but for others. You do it for science as a whole so that you can make the world a better place.”

‘Make sound data use a compulsory course in the Bachelor’s programme’

Peter Ras is the corporate privacy officer at WUR. He gets pressing questions about data use and privacy every day. We ask him about the increasing importance of due care in data use in Wageningen’s degree programmes.

“There has been a big increase in the past year in the number of questions about privacy at the university, but there has also been a shift in the topics now that people are working almost entirely from home. Although a clean desk policy has applied for a while on campus, that is rather different at home. So one of the questions I got last year was, ‘Am I allowed to leave my documents on my desk at home where my wife and kids can see them?’

People are also sending more cards and flowers since the pandemic started; of course, the question is then whether the employer is allowed to give you a colleague’s personal details so you can send them cards and flowers.” (If you have questions on this topic, you will find the answers here, ed.).

The good thing about such questions, according to Ras, is that they show privacy issues are clearly more ‘top of mind’ at the university than a few years ago. He has seen a real change in privacy awareness over the past few years. “That is particularly evident in the digital native generation who grew up with Facebook and Instagram, apps that have been collecting vast amounts of data for the past decade or so. In the early days, users had very little privacy awareness but that has improved immensely in the past three to four years. That applies to the university too. This is the combined effect of messages in the media, targeted actions by the Executive Board and a younger generation that is more aware than older generations.”

Exchanging sensitive data files via Dropbox absolutely does not meet our security standards

There are many different reasons why students may need to take the rules on data use into account, often without realising it. “Think about the situation where you draw up a list of 500 contacts with their names and e-mail addresses. How do you store that information and what software do you use? Another example is the interviews you do for your research. Do you need to ask the respondents for permission every time you share the study or is one-off consent sufficient? Can you record the interviews using the record function on your own smartphone or do you need to use a WUR device? Students don’t need to have the answers to all these questions but they do need to develop a feel for when they should ask for advice. If so, they can turn to the WUR privacy desk for students. You can always send an email to privacy1.student@wur.nl.”

Room for improvement

Despite the increased awareness of privacy as an issue, Ras still sees room for improvement. “People collaborate a lot at the university, so they frequently exchange files containing personal details. At present that is often done using tools such as Dropbox or Google Workspace, but that software definitely does not meet our security standards. There are safer alternatives that WUR supports, such as WUR OneDrive and SURFfilesender.”

Ras thinks it is a pity that students and staff sometimes only pay attention to privacy and proper data use because they are afraid of fines. “I much prefer to see it as our intrinsic duty to protect privacy as a basic right. Everyone in the organisation should therefore be motivated to treat personal data responsibly. It is important to drill this into students from the start. That is why privacy and ethics should be a compulsory course for Bachelor’s students.”