General questions on privacy and information security when working with AS Review

[joostelshoff]

Hi team AS Review and community,

Because the AS Review package looks very interesting and will have various possible applications in our research IT landscape, I was looking for information on the privacy (GDPR) and information security side of things, since this is an application requiring local installation on a workstation. I wasn't able to find information on this on the website, so I was wondering whether there are recommendations on the following:

• Use of AS Review installed locally on a university managed workstation
• Considerations on privacy and information security in this setting
• Good / best practices for running AS Review in a virtual working environment (VM, Docker or similar)
• Good / best practices for running AS Review in a virtual research environment such as SURF ResearchCloud

This information would help determine admissibility and solve potential risks.

Thanks in advance for taking the time to consider, read and possibly answer my query.

[VeenDuco]

Hello @joostelshoff,

I'm not a legal expert so please don't pin me on all GDPR related things, but I'll try to answer the best I can. Hopefully it is at least a bit helpful.

Use of AS Review installed locally on a university managed workstation, Considerations on privacy and information security in this setting
I guess it depends a bit. Do you mean a shared computer in which you log-on to a network drive of the university? Or do you mean a laptop from the university in which you do log-in, there is access to a network drive, but also a hard drive of the local device? I think, if I understand your question correctly, it will depend a bit on the settings. Most importantly, where is the data saved? It it on the university network drive, or on the local drive of the users? In the later case you have less control over where the users store it. For instance, if the data is stored on a cloud drive that might not have their servers located in the EU. A local installation is local in the sense that it is on your drive, whether it's a physically local drive on your computer or a local network drive on your workstation. How secure this is depends on the management of the university workstations. Can they remotely erase drives of lost laptops for instance?

Importantly, in all cases, ASReview does not have any server collecting data or interacting with the local installations. You can setup your own server if you would like, but you are in charge. Still no data goes towards ASReview.

Good / best practices for running AS Review in a virtual working environment (VM, Docker or similar)
Information on running ASReview in a Docker can be found here. Maybe someone else knows of some best practices? @jteijema maybe?

Good / best practices for running AS Review in a virtual research environment such as SURF ResearchCloud
I'm not sure of best practices, I guess it will depend for instance on if the workspace you use is shared or not. Depending on your goals you would like this or not. @Rensvandeschoot , do you have examples of use cases in the SURF ResearchCloud?

[Rensvandeschoot]

For running ASReview simulations in the cloud, see this repository: https://github.com/asreview/cloud-usage and this paper https://doi.org/10.1162/dint_a_00244

For using ASReview via SURF research cloud, see https://utrechtuniversity.github.io/researchcloud-items/primer/introduction.html