Another visit to the Medical Research Ethics Committee? Never mind, “we will choose a different research question”

Another visit to the Medical Research Ethics Committee? Never mind, “we will choose a different research question”

FPN researchers are critical of bureaucracy concerning privacy and ethics

16-01-2024 · Background

They are fed up with it at the Faculty of Psychology and Neurosciences: a mountain of bureaucracy concerning ethical assessment and data protection impedes the progress of research, they say.

It is frustrating, it delays research and it costs “more than half a day a week that I am not spending on my proper job”. She sighs. It has really gotten to professor of Psychology Anne Roefs, and not just her: she is also speaking on behalf of colleagues at the Faculty of Psychology and Neurosciences. According to Roefs, her dean and the faculty research council are also very glad that she is talking about this.

‘It’ is the, in her mind, excessive bureaucracy which is now part of doing research. On the one hand, the compulsion to have research using medical acts (whereby, for example, blood is drawn) approved by the Medical Research Ethics Committee (MREC). “Not that I am against ethical assessment, of course not,” she emphasises, “but what troubles me is the tremendous proportions that it has taken on.” And on the other hand, the rigmarole that stems from the General Data Protection Regulation (GDPR), or the ‘privacy law’. When this came into effect in 2018, “we were told that our lives as researchers would change,” Roefs remembers. “We thought: it won’t be so bad.” But it was, partly because she believes UM “interprets the GDPR very strictly. The privacy team within our faculty, which by the way always helps us as well as possible, says that we are the best in the class”.

Doing harm

What that leads to? Roefs is one of the main researchers in a consortium of seven Dutch universities. “If I want to share data with someone within that group, I have to draw up a data transfer agreement. According to the letter of the law, this data is actually not really anonymous, because somewhere on a secure server there is a link between test subject numbers and names. If someone really wants to do harm, they will have to hack that server and break into my data – a very unlikely scenario.”

Such an agreement is not just a matter of filling in a form, she sighs: it requires consultation with one’s own privacy team, after which the receiving university also assesses the text. “Often, such a document goes back and forth because people don’t agree on some clause or other. All those steps cost time, which we are not using to work on the content. I wonder if there is any way to do this more efficiently.”

That is not the only problem. Roefs uses software that sends questionnaires to test subjects’ smartphones. “All providers of that software explain on their websites how they comply with the privacy requirements, but still I have to draw up a ‘data processor agreement',” a document that specifies how the privacy of test subjects is guaranteed. She estimates that it took six months, while other Dutch universities within the consortium had already assessed the app and were using it. She shakes her head: “Why does UM assess something that has already been approved elsewhere in the Netherlands, where the same law applies?”


According to Roefs, strictly following rules clashes with the idea of open science. There, data sets are made available through a server for other researchers after the research has been completed. In theory, at least. “Many people don’t do this because of the privacy laws in their respective countries. One of my PhD students wanted to use a data set from the US. The reaction he received was that they did not have time for all that bureaucracy at the moment. This is an obstacle for open science.”

Then there is the Medical Research Ethics Committee. She estimates that an application there takes “roughly a year”, a reason for her to no longer have her PhD students make the submissions themselves. “I now do that myself, before the PhD student starts, in order to prevent their starting with a delay. That means extra work, yes, and I have the luxury of having enough project funds to have someone help me with that. Sometimes, we even adapt the research plans: in that case, we choose a different interesting question, one that does not force us to approach the MREC.”

No apologies

She made her most recent application within the framework of a project for which she received a Vici subsidy from financier NWO in 2022. “This was extensively evaluated and approved by them, but the first feedback from the MREC was that the literature overview was not complete enough, and that I had not sufficiently substantiated the relevance of the research… Our dean felt that this was insulting. What is good enough for NWO, is doubted by the MREC. Ultimately, they agreed, but you won’t get apologies from them for wasting your time.”

In addition to the time it cost, the “mistrust” bothers her: “As if researchers don’t have a sense of ethics and need to be constantly checked on. Of course, I want to work in a responsible way and respect people’s privacy. But this can be guaranteed more efficiently. There seems to be a caricatural image of how things used to be. I don’t think I have ever worked unethically or dealt with data incorrectly. And yes, there have been cases in which researchers have done wrong, but I wonder if you could have prevented this with a complicated MREC procedure or a data transfer agreement.”

She has already raised this, she says: with her dean, with FPN’s subsidy adviser “and to the point of weariness with the faculty research council”. They all see the problem and do what they can, “but nothing changes. As a researcher, I feel like I am stuck: on the one hand, NWO expects me to complete good research on time; on the other hand, bureaucracy takes a great deal of time. This creates a lot of stress. I hope that this interview gets things moving, that people realise how frustrating it is for researchers to spend a substantial part of their time dealing with something that is not their work”.

Is the GDPR a bureaucratic obstacle? “That image is just not right”

Is the General Data Protection Regulation, better known as the GDPR, a source of bureaucratic misery that impedes researchers unnecessarily in their work? That image is “just not right,” says Raoul Winkens, UM’s Data Protection Officer: “What could be improved, is in particular the procedures within the university and the support of researchers.”

Does UM adhere (too) strictly to the GDPR, the most important law concerning privacy and personal data? It depends on how you look at it, Winkens answers. As an independent supervisor, he oversees the compliance with regulations when dealing with personal data within the university. “Those obligations also applied in previous laws, but they were not always properly upheld,” he says. Since the GDPR came into effect, organisations (including UM) started to pay more attention. “It is possible that employees feel that this is an increase of demands and burdens, but the legislation has existed for years and is not adhered to very strictly.”

According to the GDPR, researchers must be able to justify how they share and use their data. A data transfer agreement is not compulsory, but it can be helpful, says Winkens: agreements are then laid down in black and white. “You could view this as a bureaucratic measure, but I prefer to see it as guaranteeing quality. There is no one-size-fits-all solution.” In the case of pseudo-anonymous data, when there is a connection on a secure server between test subject numbers and names, it is fairly easy to identify the people involved, he states. “You often only need a few characteristics.”

Something different are the so-called data processing agreements. These are actually compulsory by law, when a researcher starts working with a third party that provides software or hardware. “You allow that third party to process personal data on behalf of UM. So, then you are responsible on behalf of the university for the agreements about what happens with that data.” The same applies when other universities already have an agreement with the same company. Winkens acknowledges that drawing up such agreements can be a time-consuming process. “There is usually a lot of squabbling about the liability in the case of fines. The compulsory data processing agreements do indeed create additional bureaucracy.”

Still, he doesn’t believe that the rules get in the way of open science – such as sharing datasets – as people in the Faculty of Psychology and Neurosciences have said. “It is often experienced in this way, but GDPR makes free movement of personal data possible if it is done in a responsible manner. That is an explicit objective of the law.”

“Of course, I understand the frustration that Anne Roefs describes,” says Winkens. “Many things could be more efficient, but that has nothing to do with GDPR itself. It has everything to do with the transposition into procedures within the university: those could be set up more efficiently.”

He also believes that there is a lack of knowledge about GDPR among researchers. “They often already comply with GDPR to a large extent without realising it. But it helps if you know what is required and approach the administrative and support staff who specialise in this at an early stage. It would therefore be a good thing if managers of faculties had sufficient staff with the proper knowledge and skills, as well as enough time.”

"Complaining about the Medical Ethics Committee is easy”

Ad Masclee understands that researchers feel that an application to the Medical Research Ethics Committee (MREC) “is a lot of work” and a lot of “fuss”. The chairman of the Maastricht MREC hopes however, that they can see the reason behind the assessment: “This is a legal obligation to guarantee the safety of test subjects.”

Every chairperson of a MREC – the Netherlands has 14 – will nevertheless know and acknowledge that there a field of tension, says Masclee: researchers want swift approval for their research, while the law provides for a period of eight weeks, which may be extended by another eight weeks. “That clock starts ticking as soon as the application arrives, and is stopped as soon as our reaction is sent off.”

According to the emeritus professor of Gastroenterology, the Maastricht MREC deals with all applications within the aforementioned period. Although he does admit that it could sometimes be carried out more quickly. “We don’t always have sufficient manpower.”

For reasons of privacy, he cannot comment on specific applications. He does feel, however, that it is “easy” to complain about the committee. “Researchers have to realise that legislation compels institutes to have a MREC and to follow the procedures. That means, for example, that even minor adaptations in an application need to be submitted and assessed separately. I understand that this can feel like the wheels of government grinding slowly, but it is in the interest of UM that research with test subjects is carried out safely and responsibly.”

Illustration: Simone Golob

Tags: Bureaucracy,Privacy,GDPR,FPN,MREC,Anne Roefs

Add Response

Click here for our privacy statement.

Since January 2022, Observant only publishes comments of people whose name is known to the editors.