Privacy: personal data

Explanation Poster

Scientific research often uses personal data of research participants. All processing of personal data is subject to the General Data Protection Regulation (GDPR).

This poster is designed to help you address the different steps before, during, and after your research to comply with the GDPR.

Explanation per step can be found below.

A short clarification on terminology: If you collect personal information from person A, person A is called the data subject of your research. 

Before research

Identify Personal Data

If your research processes personal data, check that the processing is lawful under the GDPR.

Personal data is any information that can be used to identify a living individual, e.g. name, email address, location. Be careful: it can also be a combination of parameters that are not identifying on their own but that, when combined, lead to one person, such as age, sex, and profession.

Personal data also includes video and audio files!

The processing of personal data in research must be proportionate to the intended purpose of the research. This means that personal data must be limited to what is necessary in relation to the purposes for which they are processed (‘purpose limitation’). Do not collect more data than you need to answer your research question ('data minimization'). 
Not all information is personal data. For instance, anonymous information - information which does not relate to an identified or identifiable natural person; in other words, the data subject is no longer identifiable - is not protected by the data protection principles. E.g. the Dutchman with a long beard living in Amsterdam.

Another example is information that is publicly available by law and consequently lawfully processed. E.g., the Chamber of Commerce is legally obliged to maintain a public register of some specific information about companies, which includes full name and addresses of company directors.

Identify Risks

When working with personal data, there is always a risk of a data breach.
Always identify risks beforehand, since this will bring to light which measures you can take to secure the personal data. 

In some cases, there is a legal necessity to do a DPIA (data protection impact assessment). There are three criteria under which you will have to do a DPIA.

  • A systematic and extensive evaluation of personal aspects of a living person
  • Large-scale processing of special personal data
  • Systematic and large-scale monitoring of public space

In practice, this means that a formal privacy impact assessment won’t often be needed. When a DPIA is necessary, or when you are in doubt about the necessity, contact the Privacy Contact Person of your faculty.  

Address in Data Management Plan

For all research, it is advisable to write a data management plan. (General information about research data management can be found here.)

For personal data, you will have to describe the special measures you take in handling and processing personal data.

Describe:

  • What kind of data you will be using. Keep in mind purpose limitation and data minimization.
  • If, when, and why you are using personal data.
  • How you are going to anonymize the personal data. If this is not possible, how are you going to pseudonymize the data? (See below)
  • What you will put in your informed consent form. (See below)
  • Which procedures you will put in place to guarantee data subjects' rights. (See below)
  • How the data will be stored securely and safely.
  • Which researchers will have access to the data.
  • How this access is provided and how it can be retracted.
  • How long you will store the data and who is responsible for deleting it after this period.
  • How you will turn your dataset with personal data into a file that follows the FAIR principles. ('We will not' can be a valid answer.) (See below)
  • Which privacy statements you will use. You can see the UT privacy statement as a starting point.
  • How you will handle third-party agreements. (For more information on this subject, contact the DPO.)

Communicate

Communication to the data subjects:

Data subjects have specific rights under the GDPR. You need to communicate to the data subjects how they can exercise these rights. This can be done by means of an informed consent procedure, see headings 'implement rights data subjects' and 'get informed consent' for more guidance.  

Communicating with your data subjects can be done through flyers, the information letter with the consent form, and privacy statements on websites and social media. For guidance on the content of an information letter go to the informed consent procedure. 

Communication to researchers working on your project:

In each project, you will have to communicate the privacy measures you've taken and the procedures you've implemented to your project members. The measures and procedures should be described in your Data Management Plan. You can turn this into a quick reference guide for your project members, describe them in your project manual, or present them in a project presentation. Just make sure everyone knows about them.

Register

The UT is responsible for keeping a register of all processing of personal data. Every researcher is responsible for registering his/her own research in this register. Report any new processing which uses personal data through the following link: AVG register.
The Privacy Contact Person (PCP) of your faculty is able to support you.

When you think about your data management plan first, you will see that you can use most answers from the DMP in the questions for your registration. 

During research

Implement Rights of Data Subject

The GDPR amplifies the position of data subjects regarding the protection of their privacy. For instance, data subjects have more rights, such as the right to erasure, to data portability, to the restriction of processing, and to the objection to processing. In addition, data subjects have the right not to be subject to a decision based solely on automated processing, including profiling. These rights supplement existing rights of access, rectification, and removal. As a researcher, you will need to put processes in place to be sure you can respect those rights. 

In day-to-day research practice, this means you will need to guarantee the rights of data subjects. You will need to implement processes for (for instance):

  • Informing data subjects about which data you have collected about them.
  • Giving data subjects a copy of the data you have collected about them.
  • Stopping data collection as soon as they withdraw their consent.
  • Informing them which third parties their data will be shared with.
  • Deleting them from the dataset on request.

Some rights can be hard to implement. Data subjects have the right to have their information deleted from the database, the right to have their information kept up to date, and the right to object to processing. Some practical tips:

  • There are two kinds of information you can store about a data subject. Firstly, information you use during your research and base your conclusions on. Secondly, other information that is not directly used for the research, for example contact information. For the first kind, there is a research exception to the right to erasure of personal data: since erasure may harm the reliability and reproducibility of your research, it could seriously impair good research. For the second kind, you will need to respect the right to restriction of processing, and you will have to remove this information when the data subject requests it.
  • Data subjects can withdraw their consent to process any further data of them during your research. After this, you have no legal ground anymore to gather information on this subject. However, you are allowed to use the data that was gathered before the subject withdrew their consent. 
  • Data subjects have the right to correct information about themselves. However, some parameters you do not want to have to change during your research. You can avoid this by using the correct headers in your data set. Example: Do not put in 'Age of the subject', since that will change every year. Put in 'Age at time of research'. This will not change. 
  • If you have any specific requests or difficulties, put them in the consent form. As long as you have this specific consent of the data subjects, you can process the data as you wish, as long as it falls within the boundaries of purpose limitation and data minimization.

Get Informed Consent

If you want to collect and process personal data from a living person, you need to get their informed consent. Informed consent consists of an information letter and a consent form. In the consent form, a data subject can give consent for the research activities and on specific statements concerning their privacy and use of their personal data. 

It is important to describe in the information letter:

  • The goal of your research.
  • The data you will be collecting in order to achieve this goal. (And only this goal).
  • What will happen to the data (processing, storage, archiving, and possibly deletion).
  • How the data subjects can exercise their rights. (See above)
  • What happens to the data once the research is finished (Anonymize, Open Data, Deletion).
  • What will happen to the data if you want to present the data at conferences or in a paper. (You are only allowed to present data if anonymized, or if you have the appropriate consent).
  • Write all of this in clear and simple language.
  • Do not use one blanket statement for all privacy options. Give separate options for the different aspects.

Examples of informed consent forms are available at the website of UT ethics committees, e.g. BMS, EWI, ITC.

Anonymize

We advise anonymizing your data as quickly as possible. If this is not possible, you will need to pseudonymize. 

Anonymization means there is no subject in the dataset that can be traced back to a unique living person. You can do this by deleting all personal information and replacing it with an anonymized identifier (Subject 1, 2, 3, etc.). However, this cannot be done in all cases, for instance when you collect 24-hour location data. Be alert when combining different parameters in your dataset: a combination can sometimes lead to a unique living person as well.

After anonymization, the data cannot be traced back to a person. From this moment the GDPR no longer applies (be aware: not in retrospect!). 

If anonymization is not possible, pseudonymize the data. In that case you cannot directly identify a living person from the data file, but you will still be able to retrace someone. This means you store all personal data in a separate file. In the data file, you code the data subjects from 1 to x. In a third file, you store the key by which the personal data can be retraced to the numbering 1 to x. This key file must be stored securely and in a separate place from both other files. The key must be registered in the AVG register as well.

If there is no need to relate the research data to the personal data anymore, delete both the key and the personal data file.
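The following script is an added example, not part of the original poster, that carries out the three-file split described above (data file coded 1 to x, separate personal-data file, separate key file) on a constructed table of hypothetical participants, and also checks which subjects are still unique by their combination of non-identifying parameters (age, sex, profession), the combination risk the text warns about. The record ids, field names and sample rows are all assumptions made for the example.

```python
import secrets
from collections import Counter

# Constructed sample participants (hypothetical, not real people).
RAW = [
    {"name": "Alice Example", "email": "alice@example.org",
     "age_at_time_of_research": 34, "sex": "F", "profession": "nurse", "score": 7},
    {"name": "Bob Example", "email": "bob@example.org",
     "age_at_time_of_research": 34, "sex": "F", "profession": "nurse", "score": 5},
    {"name": "Carol Example", "email": "carol@example.org",
     "age_at_time_of_research": 51, "sex": "M", "profession": "pilot", "score": 9},
]
DIRECT_IDENTIFIERS = ("name", "email")  # moved to the personal-data file
QUASI_IDENTIFIERS = ("age_at_time_of_research", "sex", "profession")


def pseudonymize(rows, direct=DIRECT_IDENTIFIERS):
    """Split rows into (data file, personal-data file, key file).

    The data file carries subject numbers 1..x, the personal-data file is
    keyed by random record ids and stored in id order (so row order reveals
    nothing), and only the key file links subject number to record id.
    """
    data, personal, key = [], {}, {}
    for subject_no, row in enumerate(rows, start=1):
        record_id = secrets.token_hex(8)  # unguessable, unrelated to subject_no
        personal[record_id] = {k: row[k] for k in direct}
        data.append({"subject": subject_no,
                     **{k: v for k, v in row.items() if k not in direct}})
        key[subject_no] = record_id
    return data, dict(sorted(personal.items())), key


def reidentify(data, personal, key):
    """Retrace subjects; only possible when all three files are available."""
    return [{**personal[key[r["subject"]]],
             **{k: v for k, v in r.items() if k != "subject"}} for r in data]


def unique_combinations(data, fields=QUASI_IDENTIFIERS):
    """Subject numbers whose combination of quasi-identifiers occurs only once."""
    counts = Counter(tuple(r[f] for f in fields) for r in data)
    return [r["subject"] for r in data
            if counts[tuple(r[f] for f in fields)] == 1]
```

In the sample, subjects 1 and 2 share their age, sex and profession, but subject 3 is unique on that combination and so remains potentially identifiable even though name and email were removed.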

After research

Publish or Present

You can only publish or present your research data containing personal data if you have the data subjects' consent to do this. If you have no consent, make sure that the personal data is fully anonymized.

See also UT Research Support 'Publish and preserve your research'

Archive Data

At the end of your project, you will probably have to place your research data in a repository. If this is an open repository, make sure your data sets are anonymized. If it is not, make sure to restrict access.

If you cannot restrict access, you will need to archive the data at the UT. Ask your faculty about the appropriate data policy.

More information on Archiving research data.

Be FAIR

Grant providers NWO, STW, EU H2020, and ZonMW already ask you to work according to the so-called FAIR data principles.

FAIR means Findable, Accessible, Interoperable and Reusable. Ask LISA (research support) for more information, but make sure you only make anonymized data openly accessible.

If you still have unanswered questions, contact your Privacy Contact Person (PCP) or the Data Protection Officer team (in Dutch: FG team).