GDPR Addendum to Privacy Policy?

Hi Network Canvas team,

I am a PhD researcher at a European university (located in Italy), and I am hoping to use Network Canvas in my upcoming fieldwork with middle school students of immigrant origin. In reviewing my research design, my university’s Data Protection Office raised concerns about the GDPR compliance of Network Canvas tools. Namely, they would like to know “whether and how [Network Canvas’] privacy policy/data protection addendum comply with the GDPR.”

Although I have been able to find a few projects using Network Canvas that received EU funding after the GDPR went into effect, I was not able to find a specific statement on the Network Canvas website about GDPR compliance (in particular, the treatment of “personal data” as defined by the GDPR). The other two software tools I will use in data collection, NVivo and Posit (RStudio), both have specific GDPR compliance statements on their websites, but I was unable to locate this for Network Canvas. I would therefore like to ask the Network Canvas team if such a statement exists and, if not, how I might best address my DPO’s concerns about GDPR compliance.

Thanks!

Hi Francesca!

First of all, welcome to the community and thank you so much for your interest in the software. 🙂

GDPR concerns come up fairly regularly. You might actually be able to find some more info by searching the community. I will take the time to put together a documentation article on this subject and will post a link here for anyone who finds it in the future.

The short answer is:

  • The software is entirely deployed and controlled by the researcher. We do not host any participant data and do not act as a Data Controller or Data Processor under GDPR. This is why we don’t have a GDPR statement.
  • Researchers are solely responsible for ensuring GDPR compliance when collecting and managing participant data using these tools, and the software supports compliance.

The choice of interview software has a big impact on this (are you talking about using the desktop interview app (Interviewer) or Fresco?).

  • Interviewer stores data completely locally on whatever device was used to conduct the interview. Nothing is transmitted except by you, making you solely responsible for compliance with GDPR.
  • Fresco is a cloud app consisting of the frontend, the database, and the asset storage. You can choose the location of each of these parts separately.
    • You are still responsible for GDPR compliance, since each deployment of the app is ‘owned’ by you and not by us. We do not have access to any of your data, nor is any data transmitted, processed, or stored outside of your installation (with the exception of asset storage - see below).
    • Following the basic deployment guide will result in all of these elements being located in North America. To simplify GDPR compliance, you will likely want to have these elements within the EU.
    • You can achieve this by either (1) self-hosting on your university infrastructure or a personally owned VPS and deploying using the advanced deployment guide, or (2) using the paid tier of Vercel/Netlify and Neon. In either case you will also need to use the paid tier of UploadThing in order to set the region if you need to store protocol assets that constitute PII (network rosters etc).
    • Note on assets: We use a service called UploadThing to handle protocol asset data (images, video and network rosters). This service uses Amazon’s S3 storage, which hosts data in different regions. If you will be storing PII in the form of assets (for example a network roster) this data will be transmitted across jurisdictions if your S3 storage is in a different location to your frontend. If you use the paid tier of UploadThing you can choose the S3 region that is used. This is not a concern if you are not storing PII in your protocol assets.

Hopefully this helps you to explain the situation. I will post the documentation link as soon as I have a chance to write it up.

I have published a draft of the guide here: GDPR Compliance Guide

I think this should cover all remaining questions. Let me know if you have any feedback.