Privacy: personal data

Guideline privacy rules: protection of personal data in scientific research

These privacy rules are intended to be a guide in handling personal data in scientific research. They are not an exhaustive overview, but provide insight into the major concerns around privacy. Definitions of the concepts used can be found at the end of this page.

Context

Please be aware that:

  • Personal data is always confidential;
  • anyone who works with personal data is responsible for protecting it.

The handling of personal data of data subjects

  • Report any new processing which uses personal data to the Data Protection Officers (DPO) team. This can be registered via the following link: Report processing. The Privacy Contact Person (PCP) of your faculty is able to support you.
  • The processing of personal data in research must be proportionate to the intended purpose of the research. This means that personal data must be limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’).
  • Data subjects have the right of access to their personal data, the right to rectification and the right to erasure (‘right to be forgotten’). The data subject also has the right to receive the personal data concerning him/her.
  • Researchers processing personal data must be familiar with and comply with the VSNU code of conduct.
  • Researchers who process medical personal data must also be familiar and compliant with the Federa codes of conduct: ‘Good conduct’ and ‘Good use’.
  • Researchers must draw up a Data Management Plan, which, inter alia, clearly describes how the handling of data will protect the privacy of data subjects. More information and a template can be found on the Research Data Website.
  • Anonymize data identifying data subjects if possible, otherwise pseudonymize the data.
  • If you have access to personal data belonging to others, keep the data confidential. Do not share the data with others who do not have or need access, even if they themselves are bound to confidentiality.
  • Do not provide personal data to third parties, unless there is a legitimate basis or the data subject has given explicit consent.
  • When you send personal data, always use encryption.
  • If you start processing that poses a high risk to the rights and freedoms of natural persons, carry out a Data Protection Impact Assessment. The PCP of your faculty can support you in this assessment.
  • When a third party is involved in the processing of your data (this can be limited to data storage), you need a binding contract with them. The PCP of your faculty is able to assist you.

What to do if something goes wrong

  • If you notice a possible security incident, report it directly to CERT-UT.
  • Treat a possible security incident with confidentiality.
  • Any complaint or report concerning personal data is a security incident. If the confidentiality of personal data is affected, the incident is also a data breach. The DPO team will inform the Executive Board, and the Executive Board decides whether notification to the Dutch DPA is necessary.

Other questions

  • The first contact for your questions about privacy is the Privacy Contact Person of your faculty.
  • In addition, you can contact the DPO team.

Definitions

GDPR

General Data Protection Regulation. European legislation on the protection of personal data and the free movement of such data. This regulation will be enforced from 25 May 2018.

Personal data

Any information relating to an identified or identifiable natural person (‘data subject’), for instance a name, an identification number, location data, an IP address or physical and social characteristics. The processing of these data must comply with specific principles.

Special categories of personal data

Personal data revealing sensitive information, for example ethnicity, political views, religious or philosophical beliefs and data concerning health. Processing of these data is prohibited, unless specific conditions are met.

Anonymize

The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject. Only when the processing takes place anonymously from the beginning does the GDPR not apply.

Pseudonymize

The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures.

Processing

Any operation which is performed on personal data, whether or not by automated means, such as collection, recording, consultation and destruction.

Legitimate basis of processing

The processing of personal data shall be lawful if at least one of the following applies (art. 6 GDPR):

  • Consent of the data subject to the processing;
  • necessary for the performance of a contract;
  • compliant with a legal obligation;
  • protects vital interests;
  • performance of a task in the public interest/on official authority;
  • purposes of the legitimate interests pursued by the controller or by a third party.