The aim here is to give a brief description of the purpose (the goals) of your project –The overall reason of the project existence. For example, there may be a problem that the project is going to solve, or there may be a service or knowledge gap that may get addressed by the project.

After describing the purpose of the project, you should also provide a description of the activities that your project is going to conduct that involve the processing of personal data, like surveys, interviews, focus groups, GPS tracking, etc. With this explanation, it will be clear that these data processing activities are necessary to reach the purpose.

For example, the description of the project purpose could be “to understand women’s access to and safety in public mobility infrastructures“, and the three processing activities necessary to reach that goal could include 1) interviews, 2) focus groups and 3) GPS tracking of public mobility infrastructures (see example below).

It is important to clearly state the different data processing activities involved (i.e., 1: interviews and 2: surveys), because for each activity you will have to provide a description of the data subjects involved (step 2), types of data (step 3) and how data will be processed (step 4).

It is also important to keep this description brief, no more than a few paragraphs. The additional details that are often necessary to explain why the project’s activities are scientifically justified, should be provided by adding a link to the research project proposal (or other relevant documents).

While it is required to demonstrate that the project’s purposes are really necessary, the privacy scan is not meant to provide an assessment of the scientific merits of the project. For scientific projects, that assessment takes place in the ethical review, where the ERB have the necessary competences to assess the merits of the project’s scientific goals (necessity check) and to assess if the proposed data processing activities are scientifically (i.e., statistically) justified (proportionality check).

For non-scientific projects, necessity and proportionality can be substantiated with other support materials (if those are available), which in turn can be reviewed by other appropriate bodies, like the faculty council when the project is expected to have an impact on faculty employees – That is how the privacy scan for the Hybrid Working and Flexwhere project at Sustainable Development was handled.

With this description, the ‘necessity’ link between the project’s purposes and the planned activities that will use personal data should be clearly visible – It will be clear that the processing activities are necessary to reach the purpose. This is the first step in assessing the necessity and proportionality of the project’s activities involving the use of personal data, which is continued at later steps in the privacy review.

Pro-tip: Use the present tense in your privacy scan descriptions, and rely on dates if necessary to indicate when (future) events are expected to take place. The privacy scan, as a ‘living document’ describes the project’s compliance before and during the project’s life cycle. If you use the future tense when describing the planned activities, you will have to change it to the present tense after the project activities are started to avoid confusion, since the text will be describing now an ongoing activity, not a future one.

Previous: Introduction | Next: Description of Data Subjects