Sheet with data, photo by Vladislav Bulatov

Handling research data with care

How do you guarantee the careful handling of research data with personal data?

This section describes the elements of careful handling of data that are important during any investigation in which Personal Data is processed. It also describes the way in which Tilburg University ensures the careful handling of data.

This includes the handling of respondents' contact details, the rights of participants during the study, the use of programs for collecting, storing and analyzing data, sharing data, securing data and reporting the results.

Contact details of (potential) respondents

Files with contact details should only be accessible to necessary persons:

  • The principal investigators involved 
  • The manager. 

A Tilburg University researcher who collects and stores contact data in the context of scientific research must, according to the GDPR, store these data securely with limited access guaranteed.

The researcher is responsible for the separate storage of the contact data file. The contact data that can be linked to the dataset should be deleted by the researcher as soon as possible (within 6 months unless longer is necessary), as long as this does not conflict with the interests of the scientific research.

Modification of collected personal data

An investigator may decide during the investigation that additional personal data is necessary.

If, during the study, there are changes in the personal data that are collected, the researcher should amend the data management plan by means of an amendment so that the processing register is updated.

Access and security of personal data

Within Tilburg University, as few people as possible have access to the digital or physical data sets of research in which personal data are processed. This access is usually limited to the researchers involved and their supervisor.

Access to personal data files and archives

Files with personal data: Access is permitted only for the researchers involved (including student researchers) and the supervisor (in connection with backup).

Archives: Access to digital and physical datasets containing personal data is permitted only for researchers, the department chairman and the manager of the digital or physical datasets.

Digital and physical datasets containing personal data must be stored securely and are only accessible to those for whom this is necessary in the context of the research.

Access to personal data

Digital

Datasets containing personal data must be stored securely. That is to say:

  • Pseudonymized: The link or communication file is stored on the university network drive (M/Odrive).
  • On the secure environment of a Tilburg University server.
  • In a contracted cloud service such as Surf Drive.
  • Only in encrypted form on a storage medium such as a laptop or USB.

In the absence of the researchers at the workplace, computers should be locked and the workspace closed.

Physical

Documents containing personal data should be stored securely in a locked cupboard or archive. In case of absence, the cabinets or archives should be locked and not accessible to unauthorized persons.

Use of programs for collecting, storing, analyzing and sharing data

The collection of data during the research can take place in various ways, online, face-to-face, with a paper questionnaire, observations, video images, etc.

The GDPR has implications for these ways of data collection, the use of existing or new data, the tools used in the collection of data and possible safety aspects arising from the GDPR during the research.

When using applications/programs from external suppliers, a processing agreement must be entered into to make proper arrangements about responsibilities, security, etc.

Collecting data

If external applications are used to collect personal data:

  • For additional guidelines, see: research data management regulation
  • Preferably use the applications approved by Tilburg University. It has been established that they meet all the requirements of the GDPR and that a processing agreement has been concluded.
  • If the researcher wants to use an application that is not on the list of approved applications, he must enter into a processing agreement.

Saving data

Digital

  • For additional guidelines, see: research data management regulation
  • All (raw) data should be stored pseudonymized on the servers of Tilburg University or on Surfdrive where the link or communication file is stored on the university network drive.

If a researcher wants to use another (cloud) service:

  • Preferably use applications on the list approved by Tilburg University. These applications have been found to meet all GDPR requirements and a processing agreement has been entered into.
  • If the researcher wants to use an application that is not on this list, he must enter into a processing agreement.

Physical

Documents containing personal data should be stored securely in a locked cupboard or archive. In case of absence, the cabinets or archives should be locked and not accessible to unauthorized persons.

If storage takes place at an external location or by an external manager, a processing agreement should be concluded.

Analyzing data

If applications such as SPSS are used to analyze data:

  • Preferably use applications on the list of applications approved by Tilburg University. These applications have been found to meet all GDPR requirements and a processing agreement has been concluded.
  • If the researcher wants to use an application that is not on this list, he must enter into a processing agreement.

Sharing data

  • Sharing data with colleagues for a co-analysis or peer review of the analysis is only allowed if it is done in a secure way, for example by using encryption (Secure File Transfer).
  • Sharing data via a cloud service or other programs outside the management of Tilburg University is only permitted if a processing agreement has been concluded with the relevant party.

Anonymizing or pseudonymizing

If personal data are no longer necessary but cannot yet be deleted, for example for reasons of verifiability, the personal data must be anonymized or pseudonymized at the earliest possible stage.

Agreement and processing agreement

It is legally required that, when a researcher on behalf of Tilburg University exchanges personal data with, provides personal data to or receives personal data from another organization, good contractual agreements are made about this. What kind of agreement should be concluded depends on the role of Tilburg University and the role of the other party (data controller, processor).

If a research project collaborates with other (external) research institutes or parties, a research agreement should be concluded in which agreements are made about the division of responsibilities, etc. Model agreements are available for this purpose.

Situation: Tilburg University is the data controller and a third party is the processor
Compulsory agreement: Processing agreement in accordance with the established model.

Situation: Tilburg University is processor for other controllers
Compulsory agreement: Processing agreement in accordance with the established model.
Example: Commissioned research in which the client determines the purpose and means of the research and Tilburg University collects and analyzes the personal data.

Situation: Tilburg University is jointly responsible for the processing together with other parties
Compulsory agreement: Agreements in the research agreement or in a separate agreement on the division of responsibilities. Consider:

  • Who arranges the rights of respondents (inspection, correction, etc.), who informs them about the processing (privacy statement), and possibly a redress arrangement.
  • What are the parties allowed to do with the data and does confidentiality apply, for example?

Example: Commissioned research in which the client together with Tilburg University determines the purpose and means of the research.

Deviation from model processing agreement

Due to risks, it is preferable to enter into the standard model agreement. However, it may be necessary to deviate.

If the researcher wants to deviate from the established model, he should coordinate this with the data representative of the School. The data representative can seek advice from the data protection working group coordinated by the data protection officer.

The processing agreement must be authorized by an authorized signatory, which is usually the dean, faculty director or board of directors.

Responsible for the conclusion and content of the agreement

The researcher should consult the data representative before concluding the contract. The data representative supports and may seek advice from the data protection officer or the legal affairs department. The processing agreement should be stored centrally.

Registration / audit trail

The processing agreement (including motivation in case of deviation) should be archived centrally.

Writing and publishing an article

When writing the article, the researcher must prevent the inclusion of traceable personal data in the article. Occasionally, the researcher may want to quote from the research. This is possible if it can be done anonymously. Quotations resulting from web scraping can be traceable (easy to search on the internet) and therefore not anonymous. Preferably these are paraphrased.

A point of attention is the possibility that a combination of personal data can be traced back to individuals. Think, for example, of describing a manager of a large hospital in the Eindhoven region in the age category 45 to 55 years.

Personal data in an article

The investigator should ensure that no personally identifiable information is included in the article by:

Data sharing for review purposes

During the publication process it can happen that data needs to be shared with peer reviewers. Personal data should of course be protected as much as possible.

Data with traceable personal data

If personal data must be shared with a peer reviewer:

  • If possible, anonymize or pseudonymize (where the key is not sent to the reviewer).
  • If this is not possible:
    • Check if there is already a processing agreement with the publisher.
    • If there is not yet a processor agreement: conclude a processor agreement with the publisher of the journal.
  • If a raw dataset is required, deliver it free of traceable personal data.
  • Contractually agree that the dataset will be destroyed after the review procedure.

Data without traceable personal data

If datasets are shared without personally identifiable information, this policy does not apply. 

Respondents' rights during research

Respondents may also invoke a number of rights during the investigation.

Read: What are the respondent's rights?