Teaching researchers about data protection law: a terrible idea

Posted on

Written by Elizabeth Green (UWE Bristol), Felix Ritchie (UWE Bristol) and Amy Tilbrook (University of Edinburgh)

Many researchers in the UK working with confidential data attend the ‘Safe Researcher Training’ course (SRT). This training course was commissioned by the Office for National Statistics (ONS) in 2017 and is (so far) the only accredited training programme for researchers under the Digital Economy Act 2017. Attendance is compulsory for all those using the ‘safe havens’ or ‘trusted research environments’ run by the ONS, the UK Data Archive, Health and Social Care NI, the Northern Ireland Statistics and Research Agency, HM Revenue and Customs, various big data research centres, and those using certain public sector datasets in Scotland,

The SRT was designed using novel principles of confidentiality training, recognising that researchers are human: intrinsically motivated (i.e. threats of fines and punishment don’t work); self-interested but also well-intentioned; mostly quite bright but occasionally very foolish; and, crucially, able to engage in nuanced discussions about the safe and effective use of confidential data. Over three thousand researchers (from academia, government and the private sector) have been through the training and taken the test since 2017, and the SRT has become a reference point for basic training in research good practice, with materials being adapted for use in Europe, North America and Australasia. The training is delivered by several UK organisations; each has taken a slightly different approach to delivery of the core material but the learning outcomes (as measured by test results) are broadly similar, suggesting the core training material is robust to the presentation style of different trainers.

One omission from the SRT is a detailed discussion of data protection laws: which laws govern access, what the researcher’s formal rights and responsibilities are, what penalties can be incurred. This is in direct contrast to many data management and governance training courses; indeed, the SRT’s predecessor included a before-and-after ‘quiz’ parts of the Data Protection Act 1998 relevant to research. This omission of a detailed exposition of the applicable law(s) causes concern amongst organisations who require users of their data to take the SRT and pass the test.

The rationale of this position is: how can you expect researchers to obey the law if they don’t know what the law is? Researchers should know

  • which laws are relevant, including common law duties of confidentiality
  • the lawful basis of access
  • the specific limitations of each law in relation to their data
  • the consequences of breaches (for which read: fines and jail)

By outlining these legal specifics, researchers should have no doubt as to their responsibility. This also transfers responsibility from the data holder: those who breach laws (intentionally or, more likely, accidentally) cannot attribute the breach to a lack of knowledge around these laws.

This approach arises naturally from the ‘defensive’ approach to data governance typically taken by data holders, aiming to ensure that all potential risks are covered before release is considered. Intellectually, the foundation of this idea is economic models of rational decision-making: data has value and so may be misused, but only if costs exceed benefit. Providing data users with a clear legal basis, evidence of monitoring and control, and knowledge of the severe penalties for transgressing the limits, researchers stay on the right side of the line. Moreover, if they do transgress, the data user has a solid foundation for civil or criminal prosecution, which in itself should increase compliance.

The trouble with this approach is that it lacks any substantive evidence to support it. In contrast, there is a great deal of well-founded evidence, particularly from psychologists, to suggest the opposite. This evidence consistently aligns with our psychological understanding of human behaviour.

Alongside the fundamental misunderstanding of human nature, simplistic training assumptions about legal liability are also likely to be misaligned with real life case law and may miss nuances of legal rules and pathways resulting in further confusion. Most importantly, focusing on legal liability ignores the fact that genuine breaches of confidentiality in research are vanishingly small and very difficult to prove. In contrast, breaches of operating procedures (but not law) are not very unusual, and are generally easy to prove.

Some data controllers see this communication as part of being a responsible data controller – even if the attendees don’t register the detail, they remember the message about legal conditions being important and costly to break. So what is the harm in including this in the course?

The main argument against this is that it is counter-productive in the context of the SRT. The SRT is designed to build trust and community engagement. An assumption of lawlessness and the highlighting of inappropriate behaviour disrupts that message, by implying “I don’t trust you, so here’s what will happen if you put a finger wrong”. This weakens the community message.

In contrast, SRT is designed so researchers know what constitutes safe behaviour with data in most research cases. Researchers are shown how operating procedures serve to protect researchers from accidentally breaking the law, and how to actively engage with them. Researchers are encouraged to discuss the compromises involved in designed data access systems, and so develop a sense of shared responsibility. It is not a textbook for how to complete a successful data application or project to each data controller/research centre, but it is a way to approach such tasks so both parties are satisfied that all risks have been covered. Therefore the SRT approach to legal aspects is grounded in three questions:

  • What do researchers need to know to behave safely?
  • How and what do they learn?
  • How do we build a community identity so that when things do go wrong we co-operate to resolve them?

Focusing on the above three questions allows researchers to actively reflect on their own actions and conceptualise their responsibility to the project and the data. Moreover, in not examining and outlining specific laws the material retains relevance even if law changes, or if the material is used in different countries or for international projects (as it has been). There are evidence-based answers to these three quesitons, and in our next blog we explore them further

Finally, for those who still believe that threats are helpful, it is worth noting that criminal sanctions are not seen as credible. The lack of successful prosecutions, the researcher’s own self-belief that they are not law-breakers, and the obvious disincentive for data holders to publicise a data breach means that criminal sanctions become a straw man, and the teacher’s authority is damaged. In contrast, the SRT focuses on ‘soft’ negatives (reputation, kudos, access to funding, access to data, employability), and emphasises the difference between honest mistakes and selfish behaviour. As well as being more meaningful to researchers, these also align to the ‘community spirit’ being developed. The consistency of the message on this topic is as important as the contents.

UWE staff appointed to help ESRC plan its data infrastructure strategy

Posted on

The Economic and Social Research Council (ESRC), the body that allocates and oversees social science research funding across the UK higher education sector, will face some significant decisions in data infrastructure and services over the next few years: several of its major investments are due for re-tendering, while others are already in the process of restructuring. At the same time UK Research and Investment (UKRI) is reviewing the wider investment landscape.

As a result the ESRC has begun a major exercise to review the research data infrastructure and services landscape. This project began In August 2021, with a public engagement exercise to identify key issues. This year, ESRC advertised two Future Data Services (FDS) ‘Strategic Fellowships’, and we are pleased to announce that two UWE staff, Elizabeth Green and Felix Ritchie from the Data Research Access and Governance Network (DRAGoN), were successful in bidding for the roles.

This is a great opportunity for UWE: DRAGoN staff are widely involved with all aspects of data access and governance, in the UK and abroad, but this will provide Felix and Lizzie with a unique insight into the strategic decision-making process for UK research investments; and they in turn will be using their expertise and networks to help ESRC design and evaluate a data services infrastructure for the social sciences that will take on board best practices, and challenge ways of thinking.

Professor Ritchie notes that “The UK starts from a strong position, with a long track record of successful investment in data services, and thought leaders across the data landscape. But that landscape continually changes, and although we do many things well in the UK, there are also many examples from other countries of doing things better.”

Some of the gaps are about co-ordination and communication: for example, how can we better share good practice in data governance or researcher training? Others are about adapting the experience of others to the UK: for example, what can we learn from other countries about creating a default-open model of data accessibility and sharing? And some gaps are where we have to fundamentally (re)think basic concepts: how do we put a value on effective data services when we can’t even put a meaningful value on the data itself?

These aren’t straightforward problems, or we wouldn’t need a two year strategy development period. But they are – or will have to be – solvable, and the benefit of getting it right will be felt across the UK research community, as well as in other countries.”

The ESRC commented “ESRC is delighted to make this award.  With ongoing transformations in the data services landscape, this is an exciting time to be undertaking our Future Data Services strategic review. We look forward to working with Felix Ritchie and Elizabeth Green who will provide a very valuable contribution to this review”.

Back to top