When working with personal data, various considerations with regard to data protection, privacy regulations and ethical and scientifically responsible behavior should play a role in the data management phase. This page provides an overview of the conditions researchers should be aware of for various tasks, like levels of sensitivity and general regulations for gathering, processing, and storing data.
UT privacy website: codes of conduct to be familiar with and comply with
- Researchers processing personal data must be familiar with and comply with the VSNU code of conduct.
- Researchers who process medical personal data must also be familiar and compliant with the Federa codes of conduct: ‘Good conduct’ and ‘Good use’.
Personal Identifiable data
Personal identifiable data is any information that can be used to directly or indirectly identify the person, such as name, photo, email address, social security number, bank details, posts on social networking websites, date and place of birth, mother's maiden name, or biometric records; and any other information that is linked or linkable to an individual, such as a computer IP address, medical, educational, financial, and employment information. A lot of data can be viewed as personal information, depending on the context. Researchers must handle such personal data appropriately, in compliance with EU legislation.
Actually, we distinguish 'personal', 'sensitive', 'special categories', and 'BSN' & 'data relating to criminal convictions and offences'.
Special categories (Sensitive) personal identifiable data
Sensitive personal identifiable data are racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. GDPR refers to sensitive personal data as “special categories of personal data” and this data has an extra layer of legal protection. Processing of these data is prohibited, however for research there are exceptions: it is allowed if there is explicit consent of the subjects or if it is necessary for scientific research. Hence, you still need a legitimate aim and a legal ground for the processing.
What is the definition of 'processing' under the GDPR?
'Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Legal grounds for lawful processing
Processing of personal data is only lawful if at least one of the six legal grounds as mentioned in the GDPR applies. Check the legal grounds on the UT privacy website.
principles of data processing
If you have a legal ground you can lawfully process personal data. The GDPR has some important principles you need to take into account. Check the principles of data processing on the UT privacy website.
Informed Consent under the GDPR (EU PRIVACY LAW)
One important condition for working with personal data is the permission of the person in question. This informed consent must satisfy certain requirements.
You must be able to show that you have received people’s valid permission to process their personal data. It is important that they grant this permission voluntarily; otherwise you are not permitted to process their information, or they are entitled to withdraw their permission.
This informed consent must satisfy certain requirements:
- Simply obtaining permission is not enough. The information on the basis of which the permission has been given must also be documented. In this way, you can show that you informed the people well and that they gave their permission specifically for this situation.
- You must be able to show a clear link between the permission obtained and the personal data you are processing. Permission must be obtained separately for each different purpose.
For more information on informed consent procedures see the BMS Ethical Committee website.
Checklist: informed consent for researchers
Explain as clearly as possible:
- the reason why you are collecting the personal data
- that you will not use the personal data for any other purpose
- When test subjects are under 16, you should also obtain (additional) permission from the subjects’ parents/guardians.