
Danish Data Protection Agency criticises AU data protection in a number of projects - AU has to improve, says deputy director

Following an inspection at Aarhus University, the Danish Data Protection Agency has criticised the university’s processing of personal data in a number of research-related cases. AU has acknowledged the mistakes and must be better at taking care of personal data according to the deputy director.

Photo: The Danish Data Protection Agency

Following two inspections, the Danish Data Protection Agency has concluded that several research projects at Aarhus University have not processed personal data in accordance with the regulations. The agency has criticised AU for this.

The deputy director of AU Research, Jakob Rathlev, acknowledges that mistakes have been made at AU.

"We were criticised for not being careful enough with the personal data we use in these projects. We acknowledge this, and we are determined to get even better at taking care of personal data in the future, despite the extra effort involved," says Jakob Rathlev.

In the first inspection, the Danish Data Protection Agency selected three research projects that were started in 2016 and 2017. The projects were about grief, lung function in Danish twins and the risk of contracting cancer for women who have previously undergone treatment for cervical cancer. All three projects were criticised for failing to process personal data in accordance with data protection regulation. The inspection began in 2020.

During the second inspection, which began in August 2023, the Danish Data Protection Agency visited Aarhus University to review a permit to disclose biological information from a research project. The Danish Data Protection Agency subsequently decided to expand its inspection to include more research projects. The agency criticised AU for not securing a basis for transferring information in connection with the disclosure of personal data from a research project and expressed "serious criticism" of the fact that, in several cases, the university had not obtained permission from the Danish Data Protection Agency to disclose personal data.

LONG-TERM RESEARCH PROJECTS

The research projects will run for several years and are based on personal data. This is an area where regulation has been tightened in recent years, explains Jakob Rathlev.

"The introduction of the GDPR and other initiatives mean that the requirements have become much stricter over the past decade. And clearly all this entails more bureaucracy. Our rich opportunities to use personal data in our research come at a price, and that price is bureaucracy," says Jakob Rathlev.

Jakob Rathlev believes Denmark is one of the best places in the world for these research projects because of its easily accessible registers.

"We have extensive registers filled with personal data on income, education, and even health. The registers are easy for researchers to access, and this access to such an abundance of data is unique globally. It’s a huge privilege, but that privilege comes with certain responsibilities. And this means we have to make sure that we do things correctly," says Jakob Rathlev.

PREVIOUS CRITICISM  

AU has recently been involved in another case regarding the processing of personal data. In a series of articles, the Danish Broadcasting Corporation (DR) described how the AU research project iPSYCH mapped the genes of 140,000 citizens without asking for their consent. The project began in 2012, and at that time, the researchers were allowed to obtain heel prick samples from newborns in Denmark. The rules have since been tightened, and according to DR, the National Committee on Health Research Ethics has confirmed that the project would not be approved today. Several patient organisations and special interest organisations have criticised AU for failing to obtain consent after the new rules came into force. In a comment to DR, the research director on the project, Professor Preben Bo Mortensen, rejected the criticism. He is "convinced" that the project is legal. Furthermore, there was no criticism from the Danish Data Protection Agency in this case.

In October, iPSYCH announced in a news item on its website that the Research Ethics Committees for the Central Denmark Region had assessed the criticism presented by DR and that the committee had rejected the criticism. 

"The research ethics basis for the iPSYCH research project is the overall approval of the project first granted to the project by the Research Ethics Committees for the Central Denmark Region in 2012. This is the conclusion of the Research Ethics Committees for the Central Denmark Region after having dealt with a number of questions from DR," writes iPSYCH.