GDPR — The Royal Library has stopped lending out master’s theses in the wake of new regulations on data protection and privacy. They are awaiting a response from the Danish Data Protection Agency – and then probably a huge practical task – before all the theses are available again.
Law student Annette Hedegård Johnsen knows what it is like to be hit by the topic of your own master’s thesis.
Before she wrote the last sentences on her master’s thesis on the EU data protection regulation, also known as GDPR, she wanted to borrow a previous master’s thesis on the same topic at the Royal Library. But she was told immediately afterwards that she could not borrow it. The reason? The new data protection regulation.
“I couldn’t help but smile when it happened. But it was also a shame, because it is good to be able to look at other good theses, so you can see their approaches to the formalities, and assess whether you are on the right track in terms of method. It was even something my supervisor directly encouraged me, and other master’s students, to do,” she says.
“They have had plenty of time to fix the problem”
Master’s thesis student Annette Hedegård Johnsen
With the new data protection regulation, the requirements for processing personal data – like name, address and Danish personal identification CPR number – have been strengthened. This means that students have the right to know what the purpose of the use of their master’s thesis is, and what their rights of authorship entail, including the option of withdrawing their consent.
In practice this means that a check box, which previous students may have had to put on the front page of their master’s thesis, may not necessarily be sufficient in justifying lending from libraries according to the new data protection regulation. Not even those which indicate that the thesis is not confidential.
This has put university libraries in a sensitive situation. But Annette Hedegård Johnsen believes that they themselves bear part of the responsibility.
“There has been an implementation period of two years before the general data protection regulation GDPR finally entered into force, so there has been plenty of time to fix the problem,” she says.
At the Royal Library, which also operates the Copenhagen university libraries in cooperation with UCPH, they still do not know what the solution will be.
Ole Holm, specialist consultant, and the library’s DPO (Data Protection Officer), explains that he submitted a request to the Danish Data Protection Agency a month ago, and that he is still awaiting a response. He repeated his request to the agency on Monday.
If we have to get consent from people who gave in their master’s thesis in the 1980s, it will become an insurmountable burden, to put it mildly. So the consequence is that students cannot benefit from the master’s theses.
Ole Holm, The Royal Library
The library specifically wants to know how to process personal data in theses, and in particular how to act retrospectively on the library’s many thousands of printed theses which have publication dates that go back several decades.
“Naturally, we hope that the Data Protection Agency gives us the opportunity to make these printed theses available to users, also in the future. And this without having to obtain the consent of the authors. If we have to get consent from people who gave in their master’s thesis in the 1980s, it will become an insurmountable burden, to put it mildly. The consequence might well be that the master’s theses can no longer be a part of the library’s collections,” he says.
He explains that the library has not sought answers to its questions previously, because they only became aware before the summer holidays that several of the printed theses in the public collections contained personal data, including several with addresses and even Danish CPR numbers.
Name, address and Danish CPR number are all protected by the new law on personal data, but Holm emphasises that it is the 10-digit personal identification CPR number that has given them the headache in this context. While the name and address can be found in other ways, for example via websites like Krak.dk, the CPR number is a more sensitive piece of information that in the worst case – and combined with other data – can be used for identity theft.
Holm therefore also expects that the Royal Library may, no matter what, have to blur any CPR numbers before they reopen for the lending of theses. An extensive practical mission, he admits.
“Depending on the Data Protection Agency’s estimate, a solution might be that we put the printed theses in closed storage, and then only check the information in the thesis when a student searches for it and orders it. Then the blurring can take place on an ongoing basis, rather than having to spend a lot of resources on reviewing theses that are not lent out,” he says.
While the Royal Library awaits a reply from the Data Protection Agency, the students at the University of Copenhagen have had to resort to alternative methods to find inspiration in the old master’s theses.
Annette Hedegård Johnsen went hunting in a Facebook group for law students, where she managed to get her hands on one of the theses which she could not borrow in the library.
“I was very lucky, because I was approaching my deadline and I asked in the group in the middle of the summer period. But I found a great master’s thesis from another law student which was related to my own. And this has been a great help in the final phase,” she said to the University Post just one hour after she had handed in her own master’s thesis.