ANALYSIS GDPR compliance & public research – Are we there yet?



An email invitation for an online survey from my underage son’s school just arrived in my inbox. The email starts nicely enough, explaining that a public body wants to conduct a survey and why.

Of course I take part; it’s a good initiative helping kids deal with common issues at schools. But then comes the bit that surprised me:


I am rightly asked for consent for my 13-year-old son to be invited to answer potentially personal questions. What surprised me was that I am not really asked to consent, but to DENY consent. The email doesn’t seem to take into account that, if consent is the basis for the research, it has to be given as an opt-in, not an opt-out.

Anyway, that’s maybe just a small procedural oversight, not a big deal. But it made me curious. Having been involved in research for many years, I had to dig deeper. Surely the consent form will clear things up:



Now I know a bit more about what data and why. They don’t collect names in the research survey, only on a separate consent form. So, the responses will be anonymous to the researchers, that’s a good start.

Still, a few niggling questions remain. For example, does the online survey collect the name of my computer (IP address) to identify me? Will a 3rd party have access to my data? Where is the data held? Is it secure? What rights do I have to withdraw, access or delete my data? How can I withdraw, access or delete my data if I want to?

Anyway, maybe more info is in the online survey consent? Nope. Ah, clearly it will be explained in the detailed privacy notice that’s required under the transparency principle. I just haven’t seen it yet. Is it in the email, the organisation’s website, the online survey? Nope. No privacy notice; if there is one, I couldn’t find it.

What I did find is that FACEBOOK is the main sponsor of the research. Wait, what? Facebook! The same Facebook that handed over all of our data to Cambridge Analytica only in 2018?

Now, I really want to see a privacy notice. The key document that can put my mind at ease and cover all my questions. Including the one about the 3rd party online survey bit. The survey is done using one of the many online survey platform providers; some don’t even allow children to be surveyed. This one seems to be in the US, where the data laws are less strict. Are they collecting my son’s IP address and data to sell it on? Probably not, but is “probably” enough? Again, nope!

So far (and I stopped looking), there are now quite a few compliance issues:
  • If consent is used as the lawful ground for the research, it has to be an opt-in, not an opt-out
  • An IP address is also personally identifiable data and its treatment must be mentioned
  • The research organisation must provide a privacy notice (transparency)
  • Information about any data transfer (in this case the use of a survey provider in the US)
  • Information about any involved 3rd party, how data policies are enforced and if data is shared
  • Information about the research organisation’s data management & security procedures, including who is responsible for enforcing them
  • Provide info about my own rights and how I can exercise them (including relevant contact details)

Again, I think the survey is really worth its while and important. It would be a pity if people don’t take part just because they don’t know if their kids’ data is safe. It’s probably all just simple oversights or in the worst case just simple ignorance.

I still, despite all its shortcomings, want to take part. I do, not because I can be SURE our data is safe but because I HOPE it is.

But I also think a public organisation doing research with children should be better prepared, more than one year into GDPR – in a year that has seen quite a number of significant fines and public embarrassments. Hope doesn’t quite cut it anymore. I also think it’s a pity if important research does not get the response it deserves because people are not sure what happens to their data. Something that could be so easy to fix.