What to do when being responsible for data protection in your lab, yet advice is ignored?
I work in a lab where we conduct research on data acquired from human subjects. As we investigate the effects of different diseases and the related treatments, the data is highly sensitive with regard to data protection.
Most of the lab members work with Windows 10 and I am supposed to set up additional Windows 10 PCs. I have serious concerns about this, as Windows 10 is known for sharing much data with Microsoft, e.g. every file related to a software crash may or may not be sent to Microsoft, thereby unintentionally sharing sensitive health-related information with Microsoft.
When I mention these issues, they are usually waved aside with arguments like "nobody else cares about that" or "this would slow down our work". In general there is very little interest in data protection and the associated risks.
I know the risk of a data leak actually having an effect is rather small, yet I'd like to know how to back myself up in this situation. Should things for whatever reason go sour, I'd like to be on the safe side.
I am in a PhD position, actually hired for doing research. Yet due to my background in computer science, I am 'officially' responsible for everything in our lab related to electronic data processing.
data lab-management
Comments are not for extended discussion; this conversation has been moved to chat.
– eykanal♦
Mar 5 at 3:35
asked Mar 1 at 10:02 by VoodooCode; edited Mar 4 at 15:03 by V2Blast
11 Answers
Edit: I think I should add a little more background. I am in a PhD position, actually hired for doing research. Yet due to my background in computer science, I am 'officially' responsible for everything in our lab related to electronic data processing.
First, I think there is a serious management issue in your lab: leaving the responsibility of data protection to a PhD student is completely unprofessional. As a PhD student you could certainly have a technical advisory role, but it must be a permanent member of the institution who has the official responsibility. If a problem arises, whoever put you in charge of this will certainly have to explain why they thought it was appropriate. The good news for you is that it's very unlikely you would be considered legally responsible anyway (usual disclaimer: IANAL).
Second, skills in computer science [edited] might be useful but are certainly not sufficient when it comes to the legal and ethical concerns of data protection, especially with sensitive data on human subjects. Even with the best intentions, you simply don't have the legal background. Whose job is it then? There are several options, probably not in your lab but at the level of your university/institution:
- The IT department: they're the ones to ask about software vulnerabilities and recommendations regarding data protection.
- The ethics committee: you can ask them for guidelines about the appropriate level of protection required for specific human subjects data. By the way, normally anyone in your lab who works with this kind of data should get ethics approval before they start their project.
- The data protection office or if not present the legal office: they can inform you and your colleagues about their legal duties regarding the human subjects data.
These departments in your institution have the professional skills and legal responsibility. You protect yourself by asking their advice and following it: if they say that Windows 10 is fine, you are off the hook. If they say it's not safe, your only job is to convey their recommendation to your colleagues, mentioning where it comes from.
2
In the UK, at least, it's very common for CS degrees to have at least a short lecture course called something like "Professional practice and ethics", which covers things such as data protection legislation. (This is, I believe, a requirement for accreditation by the British Computer Society.) So having a CS degree is actually somewhat relevant, here. But I agree that it's not enough and that anybody, such as the asker, who is dealing with this kind of stuff in the real world, needs specific training.
– David Richerby
Mar 1 at 15:55
5
@David Indeed, a short lecture can help raise awareness but it doesn't make students qualified experts.
– Erwan
Mar 1 at 16:03
1
@EricTowers OP says they are a PhD student.
– Erwan
Mar 2 at 21:29
1
@EricTowers OP said "I am in a PhD position": afaik this implies that OP has an academic PhD advisor and is registered as a PhD student. I'd gladly agree that "PhD student" is a misleading term because a PhD position is more similar to a professional job than to studying, but it's the usual term and that's not the point :)
– Erwan
Mar 3 at 19:06
2
@Erwan: I have never seen that phrase used that way. I have seen it used; in all those usages, it meant "a job position requiring a Ph.D.", which is incompatible with being a student studying to obtain a Ph.D.
– Eric Towers
Mar 3 at 23:46
There is a trove of documents from Microsoft with advice on GDPR compliance, such as "Windows and the GDPR: Information for IT Administrators and Decision Makers", which has a pretty thorough explanation of what data moves where.
According to the document itself, it takes 17 minutes to read. I think you'll feel better after you've done so.
There's a lot of paranoia about Microsoft, some of it possibly justified, but the hard fact is that MS cannot afford to ignore the GDPR or, in the U.S., HIPAA.
I did read the answer in Information Security SE, and did not find it helpful; the quotation from MS has to do with disclosure of data as required by law or legal process.
49
@BobBrown I'm curious where you are getting this "SE discourages the posting of links" idea from? I've only seen that in cases where an answer is just a link or list with little explanation.
– Brian Z
Mar 1 at 15:20
3
@BrianZ Well, my answer was pretty close to just a link. My belief is that the culture of all of Stack Exchange is, "Answers, not links to answers." Perhaps I am wrong.
– Bob Brown
Mar 1 at 17:31
8
@BrianZ Links are generally discouraged since links can be relocated and thus broken on older answers. Saying "this site provides good information on such and such topic" is not helpful if the link is broken in the future (e.g. Microsoft moves the webpage to "private/gdpr-guidance"). It is always preferable to include a summary of what the link contains, using the link as a reference to the information source.
– mascoj
Mar 1 at 18:29
14
No, links are fine; the problem is when the link is essentially the whole answer. You've mentioned a specific document, so you should link to it. That link will eventually break, but you've given the full title, which should make it easy for somebody to find the new link. Your answer includes plenty enough information that it's not a link-only answer. (And, if it didn't, just saying that links are discouraged wouldn't have made the answer better.)
– David Richerby
Mar 1 at 21:30
2
@BobBrown Thanks a lot for the link, I will definitely read through it!
– VoodooCode
Mar 2 at 15:07
Your university should have some sort of data privacy compliance office. You absolutely need to talk to them. Well-meaning advice from strangers on the internet is great for giving you an idea of what the issues are but there is potential legal liability for the university here and you must talk to the people whose job it is to manage these issues.
Make sure your advice is actually based on solid facts, and consider which are the most likely ways the data could leak out. Find out exactly what Windows 10 could report to Microsoft, and whether that is a real issue in your case.
Find out the actual regulations and laws about this in your country and maybe also university rules, if they exist. Being able to point to specific regulation is useful for such arguments.
In a typical academic setting, you probably don't have the means to really lock down stuff. I would focus on the most dangerous and common ways the computers could be compromised; Microsoft is far, far at the end of those worries in my opinion. I would mostly worry about the following cases:
- people taking the data home or on their private computers
- computers being compromised by malware
- computers, hard drives or USB drives being stolen or lost
You're focusing on a very remote and unlikely threat, that makes it much easier to dismiss your arguments. Focus on realistic and plausible threats, and be prepared to still fight an uphill battle.
3
I agree. Our school is super paranoid about e.g. cloud services, yet the most typical security problem is students carrying around data on USB sticks and losing many of them. Also, some might carry around data and occasionally use public computers or computers of others, accidentally leaving data files around.
– Greg
Mar 1 at 12:14
1
This. OP to me sounds a bit like a Linux fanboy who is just spouting vague FUD about Windows. "Windows is known for sharing much data with Microsoft" - this is not a useful statement. What data does it share, when, and how? What controls exist to limit or restrict that reporting and how can they be enforced? I'd probably go so far as to say that OP has not demonstrated that they are qualified to offer an opinion on data security. If they are responsible for it, the best thing to do would be to recognize that skill gap and either fill it or find someone better suited.
– J...
Mar 4 at 12:07
The way I read your question is that you are not responsible for data protection but responsible for setting up Windows PCs. In that case I would share your concerns in an email to your group leader so that you have a (virtual) paper trail, and ask them whether they'd like you to set up the Windows PCs nevertheless or whether they'd like you to look for another solution.
Of course, if your actual responsibility is data protection and they are ignoring the very thing they've hired you for, you should probably start looking for another place to work.
What to do when being responsible for data protection in your lab, yet advice is ignored?
If you are really responsible, and if you live in a jurisdiction where data protection has "teeth" (i.e., EU/GDPR), then you have the power to shut down whatever non-compliant behaviour there is. You can basically do whatever (shut down PCs, turn off routers, etc.) - obviously this is the last resort, not the first reaction, and before you do that, there are some other things you need to do: for example, inform your colleagues; write down guidelines; get the backing of your stakeholders, do informational/teaching sessions etc.
If you do not do all of that (or your colleagues deny any conformance), starting with the easy stuff, but eventually escalating, then you should really drop that role of "being responsible".
The GDPR actually defines specific roles related to data protection. Depending on where you live, your country might have other such definitions (or maybe none at all, but then you would probably not be asking this question). So if you happen to fulfill the role of Data Protection Officer, then you have the power and responsibility to act.
If all of this is not true, and you are simply a normal worker bee, then your actual responsibility is to a) do whatever your DPO says and requires and b) flag violations of law to your DPO or other stakeholders - if your DPO does not care, you might go further up the ladder, but frankly, whether to do that is your personal choice; if you make any transgressions visible to the persons actually in charge (keep a paper trail, maybe put your own supervisor in Cc etc.), then you personally should be fine.
EDIT: I was confused by the question's title, which contains the word "responsible". In OP's specific case, only my last paragraph applies. I'll let the rest stand in case someone needs this who is actually "R" responsible (in the sense of RACI). OP, your best bet is to work on not being viewed as responsible for something which you have no influence over. Talk with your superior, and get their advice on how to do that without burning bridges ("Hey coach, it seems like everybody thinks I'm our data security guy, but they have to get their stuff together themselves, I cannot babysit them..." etc.).
2
If the asker is in a jurisdiction where data protection has teeth, then their university will already have a data protection office. The asker should be working with that office, not bringing in external lawyers, which would be a gigantic escalation that would be viewed very badly.
– David Richerby
Mar 1 at 21:21
Yeah, @DavidRicherby, that quip about the lawyer was kind of tongue in cheek. I've removed that half sentence. As for whether he has a DPO available for him, or whether he is the DPO, I don't know, but I've taken OP's statement "I'm responsible" at face value. I am now seeing his Edit that he's just a PhD with no official role and will add a bit with that info in mind, but will let the answer stand otherwise.
– AnoE
Mar 4 at 7:22
You have stated in the comments that you are in Europe, and are thus subject to the GDPR.
Since you are collecting sensitive information, there should be a formal process for the collection and management of that information, including what information is collected, for what purposes, how long it's kept, how it's protected, etc. All of this is required to be shared with anyone whose data you collect, before you do so.
There should also be a person who is actually officially responsible for this (the DPO), which should be listed in that statement.
Refer to that person. They are the person who is actually responsible, not you.
If you do not have those policies and procedures in place, then you should alert your manager to this fact and to the consequences it may have. Put it in writing, so your a** is covered.
If you think your institution is in breach of its obligations and won't do anything to address them, there's of course the option of reporting it to the relevant authorities, with all the consequences this may have for all parties involved (including you, of course — one cannot ignore how whistleblowers often end up).
To answer your question, explicitly asking "What to do when your advice is ignored", I highly suggest the CYA acronym: Cover Your Ass.
As you are (I suppose) not in a management-role you most likely have limited means to actually enforce the advice you provide, but to prevent the blame rolling down you should take means to document your activities. Maybe the most important measure here is to leave a paper trail.
For example you could write an email to your supervisor:
Dear XY,
After some research on the matter I advise our lab not to use Windows 10 because of concerns regarding Windows telemetry data. (...) Instead I advise using XYZ by ABC.
With best regards, ...
This will not only serve as proof for you, but might also make your manager consider this proposal more. If he/she realizes that he/she is now responsible if things go down the drain, he/she might be less inclined to just ignore you.
Talk to the advisor. If he won't back you up, step out of the position.
It is very common that university lab groups don't really follow proper policies in safety, data security, confidentiality, software copyrights, etc. Industry is not perfect either but usually a lot more compliant than university lab groups.
I was safety "officer" for my lab group. Checking on standards, inspecting the eyewash periodically, etc. Found clear things we were doing wrong but advisor was not interested in backing me up (thought I was being too strict...but I came from an industry background and had seen people get hurt and was used to more attention.) We ended up having a fire in an area that I had already identified as deficient but with people who didn't want to fix stuff. I told the PI after that, that it was his lab and he needed to be responsible and I refused to be associated with lab safety given his attitude. (He said fine and someone else went and checked the eyewashes.)
Maybe you don't need to be as confrontational, but I would give very serious consideration to just refusing to perform the collateral duty when people don't take it seriously and the PI doesn't back you up.
I don't know about data protection but from what I have seen in safety, I suspect it is same problem. Safety has had extensive studies and writeups and academic labs have ~10 times the incidents of industrial research labs. I personally knew two people with grievous time lost incidents from solvent fires in uni lab (faces burned off and months in hospital) and never saw this in a large company CRD. Professors will occasionally blame the students but bottom line is PIs are not held accountable the way managers are in a company. Students are valued less than employees are, etc. And it's not going to change and hasn't for decades. So really you are better off just disassociating yourself. And keeping your own gear safe and compliant.
1
On the one hand I really like this answer as it describes nicely how people are 'put' into positions without actually providing them with the means to handle the related tasks. On the other hand, the suggestion is, as mentioned, rather confrontational and I'd like to avoid that if possible.
– VoodooCode
Mar 2 at 15:01
Discharging responsibilities voluntarily is a good idea - if you can do it. Very often, advisors/bosses don't accept this and you're stuck with said responsibilities whether you like it or not...
– einpoklum
Mar 3 at 11:25
Should things for whatever reason go sour, I'd like to be on the safe side.
The question is what you want to protect against - a lawsuit directed at you, or being let go?
My suspicion (but I'm not a lawyer, obviously) is that there is very little danger of the former and close to no real protection against the latter.
The uncomfortable reality is that many people (in academia and outside) are not so much hiring an employee as buying insurance when filling roles such as that of a data protection responsible (same with certain certifications in industry). They know (or at least strongly suspect) that what they do is not legal, don't want to change, and look for somebody who they can point to when things go south.
If any real legal trouble ever arises from the data protection issue, I fully suspect that it will be targeted at the university rather than individuals working there - and even if it is targeted at specific persons, it will be the managers in charge, not a lab technician with no authority to change the behavior of other employees. However, there is a very good chance that internally you will still be made the scapegoat (up to and including being let go), if for no other reason than that sh*t tends to roll downhill. In my experience with university management structures, no amount of paper trail can really protect you from this.
Of course you still should try as hard as you can to inform your lab on any relevant issues that you see, but given that you have no authority over them it will have to take the form of advice rather than strict rules. Being on good terms with the team (and having great soft skills) is probably your best bet of actually making a difference. It may also pay to be pragmatic here, and address big threats that don't require too much sacrifice from your team - the InfoSec Stack Exchange may be a very good resource to get information on what these might be (I suspect the usage of Windows is not one of these cases).
Note: there are jobs where you end up personally responsible for certain kinds of problems (functional safety in automotive is an example that comes to mind). However, these are typically characterized in that you need explicit qualifications to even be legally allowed to carry out this job. A company cannot just appoint a random engineer to now be legally responsible for safety certification. Part of the mandatory training for such jobs is also explicit information on what you end up responsible for, and what the expected course of action in case of non-compliance is.
If you're highly concerned about telemetry and information leakage, and you have the necessary rights to perform administrative tasks on the equipment your lab uses, I'd suggest a telemetry-blocking app, though I urge you to test and scrutinize it before any sort of deployment. Personally, I'm a fan of BlackBird, but be wary of its functionality-canceling effects (Location awareness, LAN etc.). Again, study and test such software beforehand.
But I want to mention another aspect of data protection, not in the sense of privacy, but of data integrity.
I would not in a million years be caught using Windows for data-sensitive work because I and many others have been the victims of Windows and its apps' (e.g. OneDrive) tendency to delete user files without notice (permanently, bypassing the Recycle Bin). See the 1809 update for a more recent example; there are plenty others.
This is a really good idea; additionally I like the example of OneDrive 'losing' data, but the implementation and maintenance of the suggestion looks like it's a tremendous task in itself.
– VoodooCode
Mar 2 at 15:04
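Two answers above leave a practical gap: one says to find out exactly what Windows 10 could report to Microsoft before arguing about it, the other suggests a third-party telemetry blocker. Neither shows how to check the machine itself. The script below is an added example, not code from the question, any answer, or Microsoft; it reads the Group Policy and Settings-app registry values that control the diagnostic data level and Windows Error Reporting (the component that uploads crash data, which is what the question worries about), reports the effective state, and with -Harden writes the restrictive values through the policy keys so they survive the Settings app. It assumes a Windows 10 PC, an elevated PowerShell session, and that the WindowsErrorReporting module is present; the edition check is an assumption based on the documented behaviour that level 0 is only honoured on Enterprise/Education/Server editions.

```powershell
<#
  Added example (not from the original post or any answer).
  Audits, and with -Harden sets, the Windows 10 controls for diagnostic data
  and crash-report upload. Run in an elevated PowerShell session.
  Assumptions: Windows 10; the WindowsErrorReporting module is available;
  level 0 ("Security") is only honoured on Enterprise/Education/Server.
#>
param(
    [switch]$Harden,        # write hardened values instead of only reporting
    [switch]$SecurityLevel  # with -Harden: ask for level 0 instead of 1
)

$telemetryLevels = @{ 0 = 'Security'; 1 = 'Basic'; 2 = 'Enhanced'; 3 = 'Full' }

# Group Policy location; takes precedence over the Settings-app value.
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
# Location written by the Settings app / first-run choice when no policy exists.
$defaultKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection'
# Windows Error Reporting policy: Disabled=1 stops crash reports entirely;
# DontSendAdditionalData=1 stops the second-stage upload of dumps and files.
$werPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting'

function Get-RegDword([string]$Key, [string]$Name) {
    # $null when the key or value is absent, instead of throwing.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return [int]$item.$Name }
    return $null
}

function Get-EffectiveTelemetryLevel {
    $policy  = Get-RegDword $policyKey  'AllowTelemetry'
    $default = Get-RegDword $defaultKey 'AllowTelemetry'
    # No value anywhere: assume the most permissive level rather than guess.
    if ($null -ne $policy)      { $effective = $policy;  $source = 'Group Policy' }
    elseif ($null -ne $default) { $effective = $default; $source = 'Settings app' }
    else                        { $effective = 3;        $source = 'no value set (assumed Full)' }
    [pscustomobject]@{
        PolicyValue    = $policy
        DefaultValue   = $default
        EffectiveLevel = $effective
        EffectiveName  = $telemetryLevels[$effective]
        Source         = $source
    }
}

function Get-WerStatus {
    [pscustomobject]@{
        PolicyDisabled         = Get-RegDword $werPolicyKey 'Disabled'
        DontSendAdditionalData = Get-RegDword $werPolicyKey 'DontSendAdditionalData'
        ModuleStatus           = (Get-WindowsErrorReporting)   # 'Enabled' or 'Disabled'
    }
}

$edition = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
$tel = Get-EffectiveTelemetryLevel
$wer = Get-WerStatus
Write-Host "Edition:          $edition"
Write-Host ("Diagnostic data:  level {0} ({1}), source: {2}" -f $tel.EffectiveLevel, $tel.EffectiveName, $tel.Source)
Write-Host ("Error reporting:  {0}; policy Disabled={1}; DontSendAdditionalData={2}" -f $wer.ModuleStatus, $wer.PolicyDisabled, $wer.DontSendAdditionalData)

if ($Harden) {
    $target = if ($SecurityLevel) { 0 } else { 1 }
    if ($target -eq 0 -and $edition -notmatch 'Enterprise|Education|Server') {
        Write-Warning "Level 0 is not honoured on '$edition' (Windows falls back to Basic); setting 1."
        $target = 1
    }
    foreach ($k in @($policyKey, $werPolicyKey)) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    }
    Set-ItemProperty -Path $policyKey    -Name AllowTelemetry         -Value $target -Type DWord
    Set-ItemProperty -Path $werPolicyKey -Name Disabled               -Value 1       -Type DWord
    Set-ItemProperty -Path $werPolicyKey -Name DontSendAdditionalData -Value 1       -Type DWord
    Disable-WindowsErrorReporting   # also flips the non-policy WER switch
    Write-Host "Hardened: AllowTelemetry=$target, Windows Error Reporting disabled. Re-run without -Harden to verify."
}
```

Run it once without switches to record the state of each lab PC (the output is the kind of concrete fact the "find out exactly what Windows 10 reports" answer asks for), then with -Harden on machines you are allowed to administer. The DiagTrack service picks up the new policy after a reboot or gpupdate, so verify afterwards rather than immediately. Two caveats a practitioner should keep in mind: Basic-level diagnostic data and Windows Update traffic still leave the machine, so this narrows the channel the question worries about rather than closing it, and on domain-joined PCs a Group Policy object from central IT will overwrite these keys at the next refresh, which is another reason the answers above tell you to route this through the IT department rather than setting it per machine.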
protected by eykanal♦ Mar 5 at 3:34
Thank you for your interest in this question.
Because it has attracted low-quality or spam answers that had to be removed, posting an answer now requires 10 reputation on this site (the association bonus does not count).
Would you like to answer one of these unanswered questions instead?
11 Answers
11
active
oldest
votes
11 Answers
11
active
oldest
votes
active
oldest
votes
active
oldest
votes
Edit: I think I should add a little more background. I am in a PhD position actually hired for doing research. Yet due to my background in computer science, I am 'officially' responsible for everything related in our lab to electronic data processing.
First, I think there is a serious management issue in your lab: leaving the responsibility of data protection to a PhD student is completely unprofessional. As a PhD student you could certainly have a technical advisory role, but it must be a permanent member of the institution who has the official responsibility. If a problem arises, whoever put you in charge of this will certainly have to explain why they thought it was appropriate. The good news for you is that it's very unlikely you would be considered legally responsible anyway (usual disclaimer: IANAL).
Second, skills in computer science [edited] might be useful but are certainly not sufficient when it comes to the legal and ethical concerns of data protection, especially with sensitive data on human subjects. Even with the best intention, you simply don't have the legal background. Whose job it is then? There are several options, probably not in your lab but at the level of your university/institution:
- The IT department: that's the ones you ask about software vulnerabilities and recommendations regarding data protection.
- The ethics committee: you can ask them for guidelines about the appropriate level of protection required for specific human subjects data. Btw normally whoever in your lab who works with this kind of data should get ethics approval before they start their project.
- The data protection office or if not present the legal office: they can inform you and your colleagues about their legal duties regarding the human subjects data.
These departments in your institution have the professional skills and legal responsibility. You protect yourself by asking their advice and following it: if they say that Windows 10 is fine, you are off the hook. If they say it's not safe, your only job is to convey their recommendation to your colleagues, mentioning where it comes from.
2
In the UK, at least, it's very common for CS degrees to have at least a short lecture course called something like "Professional practice and ethics", which covers things such as data protection legislation. (This is, I believe, a requirement for accreditation by the British Computer Society.) So having a CS degree is actually somewhat relevant, here. But I agree that it's not enough and that anybody, such as the asker, who is dealing with this kind of stuff in the real world, needs specific training.
– David Richerby
Mar 1 at 15:55
5
@David Indeed, a short lecture can help raising awareness but it doesn't make students qualified experts.
– Erwan
Mar 1 at 16:03
1
@EricTowers OP says they are a PhD student.
– Erwan
Mar 2 at 21:29
1
@EricTowers OP said "I am in a PhD position": afaik this implies that OP has an academic PhD advisor and is registered as a PhD student. I'd gladly agree that "PhD student" is a misleading term because a PhD position is more similar to a professional job than to studying, but it's the usual term and that's not the point :)
– Erwan
Mar 3 at 19:06
2
@Erwan : I have never seen that phrase used that way. I have seen it used; in all those usages, it meant "a job position requiring a Ph.D.", which is incompatible with being a student studying to obtain a Ph.D.
– Eric Towers
Mar 3 at 23:46
|
show 8 more comments
Edit: I think I should add a little more background. I am in a PhD position actually hired for doing research. Yet due to my background in computer science, I am 'officially' responsible for everything related in our lab to electronic data processing.
First, I think there is a serious management issue in your lab: leaving the responsibility of data protection to a PhD student is completely unprofessional. As a PhD student you could certainly have a technical advisory role, but it must be a permanent member of the institution who has the official responsibility. If a problem arises, whoever put you in charge of this will certainly have to explain why they thought it was appropriate. The good news for you is that it's very unlikely you would be considered legally responsible anyway (usual disclaimer: IANAL).
Second, skills in computer science [edited] might be useful but are certainly not sufficient when it comes to the legal and ethical concerns of data protection, especially with sensitive data on human subjects. Even with the best intention, you simply don't have the legal background. Whose job it is then? There are several options, probably not in your lab but at the level of your university/institution:
- The IT department: that's the ones you ask about software vulnerabilities and recommendations regarding data protection.
- The ethics committee: you can ask them for guidelines about the appropriate level of protection required for specific human subjects data. Btw normally whoever in your lab who works with this kind of data should get ethics approval before they start their project.
- The data protection office or if not present the legal office: they can inform you and your colleagues about their legal duties regarding the human subjects data.
These departments in your institution have the professional skills and legal responsibility. You protect yourself by asking their advice and following it: if they say that Windows 10 is fine, you are off the hook. If they say it's not safe, your only job is to convey their recommendation to your colleagues, mentioning where it comes from.
2
In the UK, at least, it's very common for CS degrees to have at least a short lecture course called something like "Professional practice and ethics", which covers things such as data protection legislation. (This is, I believe, a requirement for accreditation by the British Computer Society.) So having a CS degree is actually somewhat relevant, here. But I agree that it's not enough and that anybody, such as the asker, who is dealing with this kind of stuff in the real world, needs specific training.
– David Richerby
Mar 1 at 15:55
5
@David Indeed, a short lecture can help raise awareness but it doesn't make students qualified experts.
– Erwan
Mar 1 at 16:03
1
@EricTowers OP says they are a PhD student.
– Erwan
Mar 2 at 21:29
1
@EricTowers OP said "I am in a PhD position": afaik this implies that OP has an academic PhD advisor and is registered as a PhD student. I'd gladly agree that "PhD student" is a misleading term because a PhD position is more similar to a professional job than to studying, but it's the usual term and that's not the point :)
– Erwan
Mar 3 at 19:06
2
@Erwan: I have never seen that phrase used that way. I have seen it used; in all those usages, it meant "a job position requiring a Ph.D.", which is incompatible with being a student studying to obtain a Ph.D.
– Eric Towers
Mar 3 at 23:46
edited Mar 3 at 0:03
answered Mar 1 at 12:57
Erwan
There is a trove of documents from Microsoft with advice on GDPR compliance, such as "Windows and the GDPR: Information for IT Administrators and Decision Makers", which has a pretty thorough explanation of what data moves where.
According to the document itself, it takes 17 minutes to read. I think you'll feel better after you've done so.
There's a lot of paranoia about Microsoft, some of it possibly justified, but the hard fact is that MS cannot afford to ignore the GDPR or, in the U.S., HIPAA.
I did read the answer in Information Security SE, and did not find it helpful; the quotation from MS has to do with disclosure of data as required by law or legal process.
49
@BobBrown I'm curious where you are getting this "SE discourages the posting of links" idea from? I've only seen that in cases where an answer is just a link or list with little explanation.
– Brian Z
Mar 1 at 15:20
3
@BrianZ Well, my answer was pretty close to just a link. My belief is that the culture of all of Stack Exchange is, "Answers, not links to answers." Perhaps I am wrong.
– Bob Brown
Mar 1 at 17:31
8
@BrianZ Links are generally discouraged since links can be relocated and thus broken on older answers. Saying "this site provides good information on such and such topic" is not helpful if the link is broken in the future (e.g. Microsoft moves the webpage to "private/gdpr-guidance"). It is always preferable to include a summary of what the link contains, using the link as a reference to the information source.
– mascoj
Mar 1 at 18:29
14
No, links are fine; the problem is when the link is essentially the whole answer. You've mentioned a specific document, so you should link to it. That link will eventually break, but you've given the full title, which should make it easy for somebody to find the new link. Your answer includes plenty enough information that it's not a link-only answer. (And, if it didn't, just saying that links are discouraged wouldn't have made the answer better.)
– David Richerby
Mar 1 at 21:30
2
@BobBrown Thanks a lot for the link, I will definitely read through it!
– VoodooCode
Mar 2 at 15:07
edited Mar 3 at 21:30 by Wrzlprmft♦
answered Mar 1 at 11:57
Bob Brown
Your university should have some sort of data privacy compliance office. You absolutely need to talk to them. Well-meaning advice from strangers on the internet is great for giving you an idea of what the issues are but there is potential legal liability for the university here and you must talk to the people whose job it is to manage these issues.
answered Mar 1 at 13:24
David Richerby
Make sure your advice is actually based on solid facts, and consider which are the most likely ways the data could leak out. Find out exactly what Windows 10 could report to Microsoft, and whether that is a real issue in your case.
Find out the actual regulations and laws about this in your country and maybe also university rules, if they exist. Being able to point to specific regulation is useful for such arguments.
In a typical academic setting, you probably don't have the means to really lock down stuff. I would focus on the most dangerous and common ways the computers could be compromised; Microsoft is far, far at the end of those worries in my opinion. I would mostly worry about the following cases:
- people taking the data home or on their private computers
- computers being compromised by malware
- computers, hard drives or USB drives being stolen or lost
You're focusing on a very remote and unlikely threat, which makes it much easier to dismiss your arguments. Focus on realistic and plausible threats, and be prepared to still fight an uphill battle.
3
I agree. Our school is super paranoid about eg cloud services, yet the most typical security problem is students carrying around data on USB sticks and losing many of them. Also, some might carry around data and occasionally use public computers or computers of others, accidentally leaving data files around.
– Greg
Mar 1 at 12:14
1
This. OP to me sounds a bit like a Linux fanboy who is just spouting vague FUD about Windows. "Windows is known for sharing much data with Microsoft" - this is not a useful statement. What data does it share, when, and how? What controls exist to limit or restrict that reporting and how can they be enforced? I'd probably go so far as to say that OP has not demonstrated that they are qualified to offer an opinion on data security. If they are responsible for it, the best thing to do would be to recognize that skill gap and either fill it or find someone better suited.
– J...
Mar 4 at 12:07
edited Mar 1 at 12:21
answered Mar 1 at 11:27
Mad Scientist
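As an added example (this is not code from Mad Scientist's answer or from anyone on the page), here is a PowerShell audit that turns the advice above into a concrete check on one Windows 10 lab PC: it reads the diagnostic-data and crash-reporting policy (the "find out exactly what Windows 10 could report" step) and then checks the controls that map to the three listed threats: full-disk encryption for lost or stolen machines and drives, the removable-drive write restriction for data leaving on USB sticks, and Defender status for malware. The registry paths are the documented Group Policy locations for these settings; the acceptance thresholds (diagnostic data at Basic or lower, signatures no more than 7 days old) are my own assumptions, and the BitLocker and Defender cmdlets assume a Pro, Enterprise or Education edition. Run it from an elevated prompt.

```powershell
# Added example, not part of the original answer. Audits one Windows 10 PC for the
# controls that address the threats listed in the answer. Assumptions:
#   - policy values live at the documented Group Policy registry paths below
#   - BitLocker and Defender cmdlets are available (Pro/Enterprise/Education)
#   - thresholds (telemetry <= Basic, signatures <= 7 days old) are the author's choice

function Get-PolicyValue {
    # Returns the named value under a policy key, or $null when the policy is not set.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function New-Finding {
    param([string]$Control, [string]$Value, [bool]$Ok)
    [pscustomobject]@{ Control = $Control; Value = $Value; Ok = $Ok }
}

function Get-LabPcAudit {
    $findings = [System.Collections.Generic.List[object]]::new()

    # 1. What the OS may report to Microsoft: diagnostic data level set by policy.
    $telemetry = Get-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection' 'AllowTelemetry'
    $label = switch ($telemetry) {
        0 { 'Security' } 1 { 'Basic/Required' } 2 { 'Enhanced' } 3 { 'Full/Optional' }
        default { 'not set by policy (user/default setting applies)' }
    }
    $findings.Add((New-Finding 'Diagnostic data level' $label (($null -ne $telemetry) -and ($telemetry -le 1))))

    # 1b. Crash reports (the concern in the question): Windows Error Reporting disabled by policy?
    $wer = Get-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting' 'Disabled'
    $werText = 'enabled or not set'
    if ($wer -eq 1) { $werText = 'disabled by policy' }
    $findings.Add((New-Finding 'Windows Error Reporting (crash dumps)' $werText ($wer -eq 1)))

    # 2. Lost or stolen computers and drives: BitLocker protection on every volume.
    $volumes = Get-BitLockerVolume -ErrorAction SilentlyContinue
    if ($volumes) {
        foreach ($v in $volumes) {
            $text = "$($v.VolumeStatus), protection $($v.ProtectionStatus)"
            $findings.Add((New-Finding "BitLocker on $($v.MountPoint)" $text ($v.ProtectionStatus -eq 'On')))
        }
    } else {
        $findings.Add((New-Finding 'BitLocker' 'cmdlet unavailable (Home edition or not elevated?)' $false))
    }

    # 3. Data leaving on USB sticks: deny writes to removable drives not protected by BitLocker.
    $rdv = Get-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' 'RDVDenyWriteAccess'
    $rdvText = 'allowed or not set'
    if ($rdv -eq 1) { $rdvText = 'denied by policy' }
    $findings.Add((New-Finding 'Write access to unencrypted removable drives' $rdvText ($rdv -eq 1)))

    # 4. Malware: Defender real-time protection on and signatures reasonably fresh.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($mp) {
        $sigAgeDays = [int]((Get-Date) - $mp.AntivirusSignatureLastUpdated).TotalDays
        $text = "real-time=$($mp.RealTimeProtectionEnabled), signatures $sigAgeDays days old"
        $ok = $mp.RealTimeProtectionEnabled -and ($sigAgeDays -le 7)
        $findings.Add((New-Finding 'Defender status' $text $ok))
    } else {
        $findings.Add((New-Finding 'Defender status' 'cmdlet unavailable' $false))
    }

    return $findings
}

# Usage: print the table and exit non-zero when any control fails, so the script
# can be run from a login script or scheduled task across the lab's PCs.
$audit = Get-LabPcAudit
$audit | Format-Table -AutoSize
if ($audit | Where-Object { -not $_.Ok }) { exit 1 }
```

Every row marked `Ok = False` is a question to bring to the IT or data-protection office rather than something to argue about by opinion: the output names the specific setting and the specific threat it addresses, which is the "solid facts" basis the answer asks for.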
The way I read your question is that you are not responsible for data protection but responsible for setting up Windows PCs. In that case I would share your concerns in an email to your group leader so that you have a (virtual) paper trail, and ask them whether they'd like you to set up the Windows PCs nevertheless or whether they'd like you to look for another solution.
Of course, if your actual responsibility is data protection and they are ignoring the very thing they've hired you for, you should probably start looking for another place to work.
answered Mar 1 at 10:34
Designerpot
What to do when being responsible for data protection in your lab, yet advice is ignored?
If you are really responsible, and if you live in a jurisdiction where data protection has "teeth" (i.e., EU/GDPR), then you have the power to shut down whatever non-compliant behaviour there is. You can basically do whatever (shut down PCs, turn off routers, etc.) - obviously this is the last resort, not the first reaction, and before you do that, there are some other things you need to do: for example, inform your colleagues; write down guidelines; get the backing of your stakeholders; do informational/teaching sessions, etc.
If you do not do all of that (or your colleagues deny any conformance), starting with the easy stuff, but eventually escalating, then you should really drop that role of "being responsible".
The GDPR actually defines specific roles related to data protection. Depending on where you live, your country might have other such definitions (or maybe none at all, but then you would probably not be asking this question). So if you happen to fulfill the role of Data Protection Officer, then you have the power and responsibility to act.
If all of this is not true, and you are simply a normal worker bee, then your actual responsibility is to a) do whatever your DPO says and requires and b) flag violations of law to your DPO or other stakeholders - if your DPO does not care, you might go further up the ladder, but frankly, whether to do that is your personal choice; if you make any transgressions visible to the persons actually in charge (keep a paper trail, maybe put your own supervisor in Cc etc.), then you personally should be fine.
EDIT: I was confused by the question's title, which contains the word "responsible". In OP's specific case, only my last paragraph applies. I'll let the rest stand in case someone needs this who is actually "R" responsible (in the sense of RACI). OP, your best bet is to work on not being viewed as responsible for something which you have no influence over. Talk with your superior, and get their advice on how to do that without burning bridges ("Hey coach, it seems like everybody thinks I'm our data security guy, but they have to get their stuff together themselves, I cannot babysit them..." etc.).
2
If the asker is in a jurisdiction where data protection has teeth, then their university will already have a data protection office. The asker should be working with that office, not bringing in external lawyers, which would be a gigantic escalation that would be viewed very badly.
– David Richerby
Mar 1 at 21:21
Yeah, @DavidRicherby, that quip about the lawyer was kind of tongue in cheek. I've removed that half sentence. As for whether he has a DPO available for him, or whether he is the DPO, I don't know, but I've taken OP's statement "I'm responsible" at face value. I am now seeing his edit that he's just a PhD with no official role and will add a bit with that info in mind, but will let the answer stand otherwise.
– AnoE
Mar 4 at 7:22
edited Mar 5 at 7:14
answered Mar 1 at 16:48
AnoE
You have stated in the comments that you are in Europe, and are thus subject to the GDPR.
Since you are collecting sensitive information, there should be a formal process for the collection and management of that information, including what information is collected, for what purposes, how long it's kept, how it's protected, etc. All of this is required to be shared with anyone whose data you collect, before you do so.
There should also be a person who is actually officially responsible for this (the DPO), who should be listed in that statement.
Refer to that person. They are the person who is actually responsible, not you.
If you do not have those policies and procedures in place, then you should alert your manager to this fact and to the consequences it may have. Put it in writing, so your a** is covered.
If you think your institution is in breach of its obligations and won't do anything to address them, there's of course the option of reporting it to the relevant authorities, with all the consequences this may have for all parties involved (including you, of course — one cannot ignore how whistleblowers often end up).
answered Mar 1 at 14:20
jcaron
To answer your question, explicitly asking "What to do when your advice is ignored", I highly suggest the CYA acronym: Cover Your Ass.
As you are (I suppose) not in a management-role you most likely have limited means to actually enforce the advice you provide, but to prevent the blame rolling down you should take means to document your activities. Maybe the most important measure here is to leave a paper trail.
For example you could write an email to your supervisor:
Dear XY,
After some research on the matter I advise our lab not to use Windows 10 because of concerns regarding Windows telemetry data. (...) Instead I advise using XYZ by ABC.
With best regards, ...
This will not only serve as proof for you, but might also make your manager consider this proposal more seriously. If he/she realizes that he/she is now responsible if things go down the drain, he/she might be less inclined to just ignore you.
answered Mar 1 at 15:18
B. Raabe
Talk to the advisor. If he won't back you up, step out of the position.
It is very common that university lab groups don't really follow proper policies in safety, data security, confidentiality, software copyrights, etc. Industry is not perfect either but usually a lot more compliant than university lab groups.
I was safety "officer" for my lab group. Checking on standards, inspecting the eyewash periodically, etc. Found clear things we were doing wrong but advisor was not interested in backing me up (thought I was being too strict...but I came from an industry background and had seen people get hurt and was used to more attention.) We ended up having a fire in an area that I had already identified as deficient but with people who didn't want to fix stuff. I told the PI after that, that it was his lab and he needed to be responsible and I refused to be associated with lab safety given his attitude. (He said fine and someone else went and checked the eyewashes.)
Maybe you don't need to be as confrontational, but I would give very serious consideration to just refusing to perform the collateral duty when people don't take it seriously and the PI doesn't back you up.
I don't know about data protection, but from what I have seen in safety, I suspect it is the same problem. Safety has had extensive studies and writeups, and academic labs have ~10 times the incidents of industrial research labs. I personally knew two people with grievous lost-time incidents from solvent fires in a uni lab (faces burned off and months in hospital) and never saw this in a large company CRD. Professors will occasionally blame the students, but the bottom line is PIs are not held accountable the way managers are in a company. Students are valued less than employees are, etc. And it's not going to change and hasn't for decades. So really you are better off just disassociating yourself. And keeping your own gear safe and compliant.
1
On the one hand I really like this answer as it describes nicely how people are 'put' into positions without actually providing them with the means to handle the related tasks. On the other hand, the suggestion is, as mentioned, rather confrontational and I'd like to avoid that if possible.
– VoodooCode
Mar 2 at 15:01
Discharging responsibilities voluntarily is a good idea - if you can do it. Very often, advisors/bosses don't accept this and you're stuck with said responsibilities whether you like it or not...
– einpoklum
Mar 3 at 11:25
add a comment |
Talk to the advisor. If he won't back you up, step out of the position.
It is very common that university lab groups don't really follow proper policies in safety, data security, confidentiality, software copyrights, etc. Industry is not perfect either but usually a lot more compliant than university lab groups.
I was safety "officer" for my lab group. Checking on standards, inspecting the eyewash periodically, etc. Found clear things we were doing wrong but advisor was not interested in backing me up (thought I was being too strict...but I came from an industry background and had seen people get hurt and was used to more attention.) We ended up having a fire in an area that I had already identified as deficient but with people who didn't want to fix stuff. I told the PI after that, that it was his lab and he needed to be responsible and I refused to be associated with lab safety given his attitude. (He said fine and someone else went and checked the eyewashes.)
Maybe you don't need to be as confrontational, but I would give very serious consideration to just refusing to perform the collateral duty when people don't take it seriously and the PI doesn't back you up.
I don't know about data protection but from what I have seen in safety, I suspect it is same problem. Safety has had extensive studies and writeups and academic labs have ~10 times the incidents of industrial research labs. I personally knew two people with grievous time lost incidents from solvent fires in uni lab (faces burned off and months in hospital) and never saw this in a large company CRD. Professors will occasionally blame the students but bottom line is PIs are not held accountable the way managers are in a company. Students are valued less than employees are, etc. And it's not going to change and hasn't for decades. So really you are better off just disassociating yourself. And keeping your own gear safe and compliant.
1
On the one hand I really like this answer as it describes nicely how people are 'put' into positions without actually providing them with the means to handle the related tasks. On the other hand, the suggestion is, as mentioned, rather confrontational and I'd like to avoid that if possible.
– VoodooCode
Mar 2 at 15:01
Discharging responsibilities voluntarily is a good idea - if you can do it. Very often, advisors/bosses don't accept this and you're stuck with said responsibilities whether you like it or not...
– einpoklum
Mar 3 at 11:25
add a comment |
Talk to the advisor. If he won't back you up, step out of the position.
It is very common that university lab groups don't really follow proper policies in safety, data security, confidentiality, software copyrights, etc. Industry is not perfect either but usually a lot more compliant than university lab groups.
I was safety "officer" for my lab group. Checking on standards, inspecting the eyewash periodically, etc. Found clear things we were doing wrong but advisor was not interested in backing me up (thought I was being too strict...but I came from an industry background and had seen people get hurt and was used to more attention.) We ended up having a fire in an area that I had already identified as deficient but with people who didn't want to fix stuff. I told the PI after that, that it was his lab and he needed to be responsible and I refused to be associated with lab safety given his attitude. (He said fine and someone else went and checked the eyewashes.)
Maybe you don't need to be as confrontational, but I would give very serious consideration to just refusing to perform the collateral duty when people don't take it seriously and the PI doesn't back you up.
I don't know about data protection but from what I have seen in safety, I suspect it is the same problem. Safety has had extensive studies and writeups and academic labs have ~10 times the incidents of industrial research labs. I personally knew two people with grievous lost-time incidents from solvent fires in a uni lab (faces burned off and months in hospital) and never saw this in a large company CRD. Professors will occasionally blame the students but bottom line is PIs are not held accountable the way managers are in a company. Students are valued less than employees are, etc. And it's not going to change and hasn't for decades. So really you are better off just disassociating yourself. And keeping your own gear safe and compliant.
answered Mar 1 at 21:43
guest
2594
1
On the one hand I really like this answer as it describes nicely how people are 'put' into positions without actually providing them with the means to handle the related tasks. On the other hand, the suggestion is, as mentioned, rather confrontational and I'd like to avoid that if possible.
– VoodooCode
Mar 2 at 15:01
Discharging responsibilities voluntarily is a good idea - if you can do it. Very often, advisors/bosses don't accept this and you're stuck with said responsibilities whether you like it or not...
– einpoklum
Mar 3 at 11:25
Should things for whatever reason go sour, I'd like to be on the safe side.
The question is what you want to protect against - a lawsuit directed at you, or being let go?
My suspicion (but I'm not a lawyer, obviously) is that there is very little danger of the former and close to no real protection against the latter.
The uncomfortable reality is that many people (in academia and outside) are not so much hiring an employee as buying insurance when filling roles such as that of a data protection responsible (same with certain certifications in industry). They know (or at least strongly suspect) that what they do is not legal, don't want to change, and look for somebody who they can point to when things go south.
If any real legal trouble ever arises from the data protection issue, I fully suspect that it will be targeted at the university rather than individuals working there - and even if it is targeted at specific persons, it will be the managers in charge, not a lab technician with no authority to change the behavior of other employees. However, there is a very good chance that internally you will still be made the scapegoat (up to and including being let go), if for no other reason than that sh*t tends to roll downhill. In my experience with university management structures, no amount of paper trail can really protect you from this.
Of course you still should try as hard as you can to inform your lab on any relevant issues that you see, but given that you have no authority over them it will have to take the form of advice rather than strict rules. Being on good terms with the team (and having great soft skills) is probably your best bet of actually making a difference. It may also pay to be pragmatic here, and address big threats that don't require too much sacrifice from your team - the InfoSec Stack Exchange may be a very good resource to get information on what these might be (I suspect the usage of Windows is not one of these cases).
Note: there are jobs where you end up personally responsible for certain kinds of problems (functional safety in automotive is an example that comes to mind). However, these are typically characterized in that you need explicit qualifications to even be legally allowed to carry out this job. A company cannot just appoint a random engineer to now be legally responsible for safety certification. Part of the mandatory training for such jobs is also explicit information on what you end up responsible for, and what the expected course of action in case of non-compliance is.
edited Mar 1 at 13:25
David Richerby
30.3k662126
answered Mar 1 at 11:37
xLeitix
103k37247390
If you're highly concerned about telemetry and information leakage, and you have the necessary rights to perform administrative tasks on the equipment your lab uses, I'd suggest a telemetry-blocking app, though I urge you to test and scrutinize it before any sort of deployment. Personally, I'm a fan of BlackBird, but be wary of its functionality-canceling effects (Location awareness, LAN etc.). Again, study and test such software beforehand.
But I want to mention another aspect of data protection, not in the sense of privacy, but of data integrity.
I would not in a million years be caught using Windows for data-sensitive work because I and many others have been the victims of Windows and its apps' (e.g. OneDrive) tendency to delete user files without notice (permanently, bypassing the Recycle Bin). See the 1809 update for a more recent example; there are plenty others.
answered Mar 1 at 22:56
ppw0
111
This is a really good idea; additionally, I like the example of OneDrive 'losing' data, but the implementation and maintenance of the suggestion looks like it's a tremendous task in itself.
– VoodooCode
Mar 2 at 15:04
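ppw0's answer recommends a third-party telemetry blocker but, rightly, insists on testing and scrutinising it first. A lighter-weight first step that needs no third-party tool is to audit what the machine is actually configured to send. The script below is an added example (it is not from ppw0's answer and has nothing to do with BlackBird); it reads the Group Policy registry values Microsoft documents for "Allow Telemetry" and "Windows Error Reporting" (the latter is what decides whether a crash dump leaves the machine), reports the state of the two services that do the uploading, and only writes the documented values when run with -Apply from an elevated prompt. The key paths, value names and service names are Microsoft's own; the "wanted" values and the edition test are the example's own assumptions, not lab policy.

```powershell
# Added example: audit (and optionally apply) the documented Windows 10
# policy values that govern diagnostic-data and crash-dump upload.
# Not code from the original answers. Uses the Group Policy registry
# values Microsoft documents for "Allow Telemetry" and "Windows Error
# Reporting". Read-only unless -Apply is given (needs an elevated prompt).
[CmdletBinding()]
param([switch]$Apply)

$DataCollectionKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
$WerPolicyKey      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting'

# AllowTelemetry 0 ("Security") is only honoured on Enterprise/Education/Server
# editions; Pro/Home fall back to 1 ("Basic"), so aim for what the edition supports.
$Edition = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
$WantedTelemetry = if ($Edition -match 'Enterprise|Education|Server') { 0 } else { 1 }

# Desired state (example assumption, not a lab policy).
$Checks = @(
    @{ Key = $DataCollectionKey; Name = 'AllowTelemetry';         Wanted = $WantedTelemetry },
    @{ Key = $WerPolicyKey;      Name = 'Disabled';               Wanted = 1 },  # WER off
    @{ Key = $WerPolicyKey;      Name = 'DontSendAdditionalData'; Wanted = 1 }   # no extra dump data
)

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    if (-not (Test-Path $Key)) { return $null }
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if ($null -eq $props -or -not ($props.PSObject.Properties.Name -contains $Name)) { return $null }
    return [int]$props.$Name
}

function Set-PolicyValue {
    param([string]$Key, [string]$Name, [int]$Value)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

$Findings = foreach ($c in $Checks) {
    $current = Get-PolicyValue -Key $c.Key -Name $c.Name
    $ok = ($null -ne $current) -and ($current -eq $c.Wanted)
    if (-not $ok -and $Apply) {
        Set-PolicyValue -Key $c.Key -Name $c.Name -Value $c.Wanted
        $current = $c.Wanted
        $ok = $true
    }
    [pscustomobject]@{
        Setting   = $c.Name
        Current   = if ($null -eq $current) { 'not set (Windows default applies)' } else { $current }
        Wanted    = $c.Wanted
        Compliant = $ok
    }
}

# The services that actually ship diagnostic data (DiagTrack) and crash reports (WerSvc).
$Services = foreach ($svc in 'DiagTrack', 'WerSvc') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Service   = $svc
        Status    = if ($s) { $s.Status } else { 'not present' }
        StartType = if ($s) { $s.StartType } else { 'n/a' }
    }
}

"Edition: $Edition (policy target for AllowTelemetry: $WantedTelemetry)"
$Findings | Format-Table -AutoSize
$Services | Format-Table -AutoSize
if ($Findings.Compliant -contains $false) {
    Write-Warning 'Non-compliant settings found. Re-run with -Apply from an elevated prompt, or push the same values via Group Policy.'
}
```

Run it without -Apply on a freshly set-up PC to get a baseline, keep the output with the machine's setup notes (that is the paper trail the question asks about), and re-run it after each feature update, since the whole point of ppw0's "test and scrutinise" advice is that settings you believe are in place may not be. On a domain-joined machine the same three values should come from Group Policy rather than a local script, so that they survive reimaging.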
protected by eykanal♦ Mar 5 at 3:34
Comments are not for extended discussion; this conversation has been moved to chat.
– eykanal♦
Mar 5 at 3:35