GDPR and privacy
Since 25 May 2018 the General Data Protection Regulation (GDPR, in Dutch ‘Algemene Verordening Gegevensbescherming’) is in force. This regulation also applies to the data collection that happens within the context of the Kunsten Monitor. The Research Centre for Education and the Labour Market (ROA) - responsible for the execution of the Kunsten Monitor – registered the research as personal registration at the Data Protection Authority. The ROA is part of Maastricht University and the guidelines as drawn up in the Policy processing personal data are therefore applicable to the research activities of the ROA. The personal data that is collected within the context of the Kunsten Monitor is therefore treated in accordance with GDPR-requirements.
Goal Kunsten Monitor
The Goal of the Kunsten-Monitor is to map out the transition from education to the labour market of graduates of hbo arts programmes. In this context their position on the labour market, the characteristics of their job, the connection of this job with the study they followed and their judgement about this study are considered. As no data are available about this from other sources, the Kunsten-Monitor conducts an annual survey among graduates of higher professional education (HBO) in the arts programmes.
The adresses of the approached graduates come from the participating Universities of Applied Sciences. These Universities are the commissioning party for the Kunsten Monitor. They use the results from the Kunsten Monitor to improve the quality of their education. Quality assurance is both a legal request as well as a justified interest of the Universities. Both are mentioned as bedrocks for the procession of personal data in the GDPR. The Universities of Applied Sciences provide the address files to DESAN Research Solutions, the institution in charge of the fieldwork of the Kunsten Monitor. Graduates’ name- and address details are stored in a separate file and never taken into account in the research data. A conjugation between the completed inquiries, the research data and respondents’ NAW-details (Name, address and city of residence) is only possible with the use of an anonymously encrypted code. Respondents’ NAW-details are not relevant for research purposes, yet a conjugation remains necessary since respondents have a right of inspection according to the GDPR. DESAN Research Solutions keeps the address details up to one month after communication of the research results to the Universities. After that they are destroyed.
The ROA edits and analyses the Kunsten Monitor research file. As explained, this file does not contain the graduates’ NAW-details provided by the Universities. Neither does the ROA itself dispose of the address files provided by the Universities. Any potential NAW-details or e-mail addresses obtained via the inquiries are deleted from the research file and stored elsewhere directly after the ROA received these data. De-linking these personal details from the research file is done by ROA’s data manager. Moreover, the data manager is the only ROA employee with access to these de-linked privacy sensitive inquiry-data. The research data from the Kunsten Monitor are stored on secured servers at the ROA, only accessible to ROA researchers. The research file is only available to third parties under very strict conditions via DANS. The data can only be used for scientific purposes and a research plan has to be proposed that falls within the research purposes of the Kunsten Monitor. Furthermore, data made available for third parties do not contain institute-specific variables.
The information based on the Kunsten Monitor that is published, consists of national figures as well as institute-specific reports. The national figures can never be deduced to specific individuals. An institute-specific report can only be inspected by the institute in question. Respondents are only recognisable in the institute-specific reports if they gave permission for this in the inquiry.
The data traffic between the ROA and DESAN Research Solutions only takes place via a Cryptshare server for protected data exchange.