Go back

‘Over-zealous’ data protection approach ‘could harm research’

 Image: Grace Gay for Research Professional News

Arma 2024: Session hears of risk of reputational damage over non-compliance

“Over-zealous” institutional approaches to data protection could be jeopardising research, the Association of Research Managers and Administrators annual conference has heard.

Speaking in Brighton on 18 June, Beth Collins, senior research contracts manager at Cranfield University, cautioned that research contracts should not overstate the implications of the Data Protection Act for researchers.

“Such is the fear of non-compliance [with the act] that, I would argue, there’s a real risk of institutions undermining research by implementing over-zealous processes,” she said.

Collins said that while claims under the act were possible—such as those from people who believe their data has been breached—there were other key elements to the act.

“The likelihood of claims by individuals is significant, although I should perhaps say ‘attempted’ claims, given the need to not only prove that a data breach has occurred but also that harm has ensued as a result,” Collins said.

Tom Morgan, a lawyer at Cameron McKenna Nabarro Olswang LLP, said that while it was true that harm had to be established in successful claims, the “whole point of the data protection regime” is to afford responsibility for data in a way that data subjects feel is appropriate.

The session heard that effective policies around the creation of research contracts could help universities and other institutes to better understand the reasons behind legislation such as the Data Protection Act, the Export Control Act and the National Security and Investment Act.

“The main role that contracts can play…is getting people to really think about what they are doing, and asking lots of really annoying questions,” Morgan said.

While a failure to get on top of legislative requirements could in extreme cases lead to legal action or fines, a more immediate concern might be the reputational damage suffered by an institution as a result of non-compliance.

Speaking about the national security and investment act, Morgan said that, from a regulatory perspective, institutions were unlikely to breach the legislation as a result of their research contracts.

“But…the real danger is that we end up giving a licence to some technology to someone and that technology falls into the wrong hands," he added. "That’s the whole aim of the NSI [act]…The actual harm we are trying to prevent is technology …being used against the UK’s national security interests.”

If this happened, “who is going to want to work with you on any sensitive technology areas?” he concluded.