All new WUR research projects will be assessed next year, says Frans Pingen, the data protection officer. Over the next few weeks, there will be a survey of ongoing projects and applications that involve large amounts of personal data or sensitive personal data. All projects with privacy-related information must be recorded in a registry by 25 May 2018 at the latest. That registry should show what risks WUR is incurring in the protection of personal data.
Wageningen researchers already have to store and update their projects in the My Projects system. As of next year, they will also be asked whether personal data will be processed for the purposes of their research. If so, they will have to answer a small number of questions in the application to determine how risky the project is in terms of privacy. If the risk is high, this will be followed by a Data Privacy Impact Assessment (DPIA), which may lead to measures being recommended to mitigate the risks.
Pingen hopes this will give him an overview of the projects with privacy risks. He will then need to make sure these risks are dealt with as soon as possible to avoid fines from the Personal Data Authority. ‘Sometimes an unnecessarily large number of people in the project have access to the personal data, sometimes the data are stored in an insecure place such as an external disk,’ he explains. ‘The use of personal data for purposes other than that for which they were collected is also forbidden.’
As well as the research projects, WUR will also be screening various applications and databases for privacy issues, to prevent hacks and data leaks. Pingen: ‘The supply of digital information keeps on increasing and as a result an awful lot of personal details are being stored, even when they are no longer needed. We need to take a critical look at this.’