Great seminar by @akmunk on the GDPR. He refers to TANT-Lab, but he is saying the same things that we are saying in Edgeryders: embrace it, overshoot its requirements. TANT-Lab (and Edgeryders) tradition is to be transparent about methods.
Some new things I am learning:
- You need not only to establish who is responsible for the data, but also who is allowed to treat the data.
- Reuse of datasets is now not automatically allowed; if you collect data for project A and want to use them for project B, you need to think through the data protection/user rights implications of that.
- Anonymised data are not subject to the GDPR. But anonymising is harder than it seems. The text of a Facebook comment can reveal the identity of its author via a simple Google search.
- It’s super-important to distinguish between direct and indirect collection. In anthropology, direct collection is interviews: they need consent. Indirect collection is Twitter mining: it does not need consent. But it does need information to the Twitter users, unless the data are for research and it is “unreasonably burdensome” to inform every single user. A nice discussion on what a “reasonable effort” is follows. For example, in projects where data is collected from Facebook groups, Anders writes to group admins and asks them for their opinion, and then posts on the group informing members about the study.
- It’s also super-important to be able to say whether the data are self-published. If they are, no consent is needed. This covers blog posts etc.
- Data security requirements always apply. But in practice you can be sued for the consequences of data breach. The consequences of Edgeryders suffering a data breach on email addresses are, in practice, unlikely to cause any major damage.
- Facebook profiles are not callable through APIs. Maybe we should not consider this as a public data source. If we do not, we need informed consent. However, a court in Denmark has ruled that if you have over 400 friends, you cannot reasonably expect your posts to stay private, even if you restrict them to “friends only”.
- Facebook’s closed and secret groups are also not callable through APIs. Again, you can use API permission as a criterion for data being public. This would arguably exceed the GDPR’s requirements.
Edgeryders is a bit different from TANT-Lab in that we actually DO ask for consent. Our story is:
Edgeryders is a collective blog. We are publishing text, and collecting otherwise only one piece of personal data: email addresses. We do not enforce a real name policy.
To protect people from accidentally revealing stuff about themselves that they do not want to be public, we make them go through a consent funnel before we allow them to post.
With all this, how to make a data policy for Edgeryders?
I would say points 1 and 2 above are the core of the data policy. We also add:
- Information on data storage and encryption methods. @matthias, can you please remind me how we use encryption, and for what?
- A person responsible for data (Matt).
- One or more people authorised to treat the data in research projects.
- A process to detect data breaches. I think with open source projects such as Discourse this will be: pay attention to signalled vulnerabilities. Do we have a way to detect that we have been hacked?
- A process to prevent data breaches. I guess this will be: promptly install security patches on our stack.
Notice that the GDPR applies to Edgeryders even if we do not do research.