by Dr Rachel Humphris, Lecturer in Social Policy and IRiS Research Fellow
Have you been inundated with emails asking you to resubscribe to contact lists lately? That’s the new General Data Protection Regulation (GDPR). I spent an afternoon with fellow anthropologists at SOAS on 9th May discussing to discuss what it might mean for us as a discipline; and for our research practice. Is anthropology in danger of being legislated out of existence?
Anthropologists (and other ethnographically inclined researchers) have long been finding their way through forests of conflicting demands in terms of policies and guidelines at different institutional levels that often contradict each other. Institutions, researchers, and informants form a triangle of demands and interests that need to be balanced. The codes often used to guide us are designed for data protection; marketing and social media – not anthropology and the GDPR will force us to rethink how we go about our research.
What is the GDPR?
The new EU wide data protection regulation that will replace the current UK Data Protection Act (1998) when it comes into force in the UK on the 25th May 2018.
The stated aims of the GDPR are:
- enable data subjects to have greater control over their personal data whilst also modernising and unifying European data protection rules.
- as well as creating new rights for data subject, the GDPR will strengthen and enhance previous rights that data subjects hold under the Data Protection Act.
- The GDPR requires that data controllers (often the University) and processors provide clarity and transparency to data subjects about how and why their personal data is being processed.
The GDPR permits EU Member States to make specific domestic provisions for particular aspects of the GDPR. The UK Government is seeking to achieve this through the Data Protection Bill, which is currently progressing through Parliament. The GDPR applies to all data or all researchers from and within the EU (there is no idea how Brexit will affect this yet).
The specifics of the GDPR have not yet been formalised and the UK Data Archive has not yet released guidance (although it is apparently working on it). However, there are some things that give an indication of how the GDPR will shape our research practice. However, the UK Data Service does provide useful principles relating to the processing of personal data. These include:
- Processing is lawful, fair and transparent
- The participant is informed of what will be done with the data and data processing should be done accordingly.
- Keep to the original purpose
- Data should be collected for specified, explicitly and legitimate purposes and not further processed in a manner that is incompatible with those purposes
- Minimise data size
- Don’t collect information you don’t need!
At the moment, some of the main considerations we need to take in regard to the GDPR are:
- Who will receive or have access to the personal data (including information on any safeguards of the personal data is to be transferred outside the EU)
- The period of retention for holding the data or the criteria used to determine this
- The right of the participant to request access to their personal data and the correction (rectification) or removal (erasure) of such personal data
- A reminder that the participants have the right to lodge a complaint with the Supervisory Authority.
From the discussion at SOAS it emerged that our consent forms are going to be key for our compliance of the GDPR. We will need to have ‘granular’ consent for example detailing exactly what people are giving consent for such as videos, photos and interviews. If the purpose of our research changes we also need to renegotiate consent with our informants. Consent also needs to be broken down into 3 stages:
- Taking part
- Use of information
- Future use and reuse of the information by others (this is particularly important for the data sharing and archiving regulations if funded by a research council)
Perhaps more than any of the above, and what remains central to me is that as well as ethical committees, research management and governance, legal frameworks, organisational guidelines is our own moral reflexive research practice. This does not seem to be given much weight in the current discussions and it is here that I think three main contradictions and conflicts emerge between anthropological practice and the GDPR.
Sharing is hard
First, these new guidelines may turn fieldwork into something that we weren’t trained to do – share. We are used to thinking that field notes are our own. We may have to get used to writing field notes (or some kind of record of our fieldwork) that can be archived for others to read and use.
The difficulties in doing this are manifold. Writing field notes for someone else might change the whole notion of field notes. Field notes take many different forms and may not often reflect the experiential process the field work that has taken place. Field notes often have a dialectical relationship with our memory – can anyone else use them? The process of sharing field notes has the danger of shifting what is fundamentally considered to be anthropological ‘data’.
While it is not entirely clear (yet) whether field notes will have to be shared (this also depends on your Data Management Plan) some form of record of fieldwork will need to be archived for research funded by research councils. Therefore we need to rethink who we are writing for and what we are writing down. This provokes further reflection on how to orient ourselves as researchers and what we are doing in anthropological research. This would seem to be an ongoing relationship that occurs at many different levels and will affect how we train the next generation of ethnographic researchers.
Do no harm
The ASA guidelines state that we must always be anticipating harms to our research participants and we must constantly negotiate consent. For qualitative researchers involved in fieldwork, consent is not a one-off event and therefore the requirement to renegotiate consent if the scope of the project changes should not be novel. However, previously these harms have been all about proportion. For example we could ask: how much harm is there is someone knowing this information? Under the GDPR this is no longer the case.
Intellectual property rights are also a key concern for anthropologists. However, if all data needs to be anonymised we may no longer be able to identify and therefore acknowledge the intellectual property of our research participants. We are therefore not upholding our ethical requirements to minimise harm. This is a key legal and ethical duty that has not been resolved.
Anonymization – for whose benefit?
Anonymisation is perhaps the thorniest issue in reconciling the GDPR and the principles that underpin anthropological research. If we anonymize field notes our participants and the descendants of the participants may not be able to identify themselves or their kin. The GDPR also does not address what happens when participants refuse to be anonymised such as activists, collaborators or artists.
There has been long standing debate on why or whether anthropologists should anonymise data. A strong argument has been made that it is as much to do with protecting researchers as much as research participants. Anonymisation could be described as an engine of detachment, a cutting of the network that maintains an ethnographic fiction. As Nancy Shepherd-Hughes puts it ‘anonymization makes rogues of us all’. In order to assuage some of these fears we need to fully understand why people are engaging in our research. This may help us to disentangle some of the conflicts between ethics and the legality of conducting field work but it certainly doesn’t solve them.
There are those who argue that GDPR is an opportunity to give informants and the subjects of our research back power and therefore we should embrace it. There are others who argue that GDPR will take away rights from informants (for example to be named and recognised). Whatever side of the debate, what is clear is that there is no longer the time to debate the pros and cons. The GDPR is upon us and we must find a new way to negotiate these regulations.
European Research Council – Ethics for Ethnography
Association of Social Anthropologist – Ethics guidelines