How do you guarantee the careful handling of research data with personal data?
During each research in which Personal Data is procesessed, it is important that this data is carefully handled. This page describes how you ensure the careful handeling of such data.
Amongst others, the following topics will be discussed: the handling of respondents’ contact details, the use of programs for collecting, storing and analyzing data, sharing data and securing data.
Contact details of (potential) respondents
Files with contact details should only be accessible to those that actually need access. Normally speaking, these are the following persons:
- The principal investigator(s) involved;
- The manager.
A Tilburg University researcher who collects and stores contact data in the context of scientific research must, according to the GDPR, store these data securely with limited access guaranteed.
The researcher is responsible for the separate storage of the contact data file. The contact data that can be linked to the dataset should be deleted by the researcher as soon as possible (within 6 months unless longer is necessary), as long as this does not conflict with the interests of the scientific research.
Modification of collected personal data
A researcher may decide during the research that additional personal data is necessary, or might come to the conclusion that less data is required.
If, during the research, there are changes in the personal data that are collected, the researcher should adjust the ERB/IRB application in accordance by means of an amendment, so that the data processing register is updated.
Access and security of personal data
Within Tilburg University, as few people as possible have access to the digital or physical data sets of research in which personal data are processed. This access is usually limited to the researcher(s) involved and the supervisor.
Access to personal data files and archives
Files personal data | Access is permitted only for the researchers involved (including student researchers) and the supervisor (in order to secure backup). |
Archives | Access to digital and physical datasets containing personal data is permitted only for researchers, the Head of Department and the administrator of the digital or physical datasets. |
Digital and physical datasets containing personal data must be stored securely and are only accessible to those for whom this is necessary in the context of the research.
Access to personal data
Digital |
Datasets containing personal data must be stored securely. This means the following:
In the absence of the researchers at the workplace, computers should be locked and the workspace closed. |
Physical | Documents containing personal data should be stored securely in a locked cupboard or archive. In case of absence, the cabinets or archives should be locked and not accessible to unauthorized persons. |
Use of programs for collecting, storing, analyzing and sharing data
The collection of data during the research can take place in various ways: online, face-to-face, with a paper questionnaire, observations, video images, etc.
The GDPR has implications for these ways of data collection, the use of existing or new data, the tools used in the collection of data and possible security aspects arising from the GDPR during the research.
When using applications/programs from external suppliers, a processor agreement must be entered into to make proper arrangements about responsibilities, security, etc.
Collecting data |
If external applications are used to collect personal data:
|
Saving data |
Digital
If a researcher wants to use another (cloud) service:
Physical All personal data should be stored securely in a locked cabinet or archive. If storage takes place at an external location or by an external administrator, a processor agreement should be concluded. |
Analyzing data |
If use is made of applications such as SPSS to analyze data:
|
Sharing data |
|
Anonymizing or pseudonymizing |
If personal data are no longer necessary but cannot yet be deleted, for example on the basis of verifiability, the personal data must be anonymized or pseudonymized at the earliest possible stage. |
Agreement and processing agreement
It is legally required that, when a researcher on behalf of Tilburg University exchanges personal data with, provides to or receives personal data from another organization, good contractual agreements are made about this. What kind of agreement should be concluded depends on the role of Tilburg University and the role of the other party (data controller, processor).
If a research project involves collaboration with other (external) research institutes or parties, a research agreement should be concluded in which agreements are made about the division of responsibilities, etc. Model agreements are available for this purpose.
Situation | Compulsory agreement |
Tilburg University is controller and third party processor | Processor agreement in accordance with established model. |
Tilburg University is processor for other controllers |
Processor agreement in accordance with established model. |
Tilburg University is together with other party the joint controller or both parties are independent controllers |
Agreements in research agreement or in separate agreement on division of responsibilities. Think about it:
Example: Commissioned research in which the client together with Tilburg University determines the purpose and means for the research, or a research project for which another controller shares data with TiU and TiU solely determines purpose and means of the research. |
Deviation from model processing agreement |
Due to risks, it is preferable to enter into the standard model agreement. However, it may be necessary to deviate. If the researcher wants to deviate from the established model, he should coordinate this with the data representative of the School. The data representative can seek advice from the Privacy and Security working group. The processor agreement must be authorized by an authorized signatory, which is usually the dean, faculty director or Executive Board. |
Responsible for the conclusion and content of the agreement |
The researcher should consult the data representative before concluding the contract. The data representative supports and may seek advice from the Central Privacy Office or the Legal Affairs department. |
Registration / audit trail |
The processor agreement (including motivation in case of deviation) should be archived centrally. |
Writing and publishing an article
When writing the article, the researcher must prevent the inclusion of traceable personal data in the article. Occasionally, the researcher may want to quote from the research. This is possible if it can be done anonymously. Quotations resulting from web scraping can be traceable (easy to search on the internet), in which case they are not anonymous. Preferably these are paraphrased.
Point of attention is the possibility that a combination of personal data can be traced back to individuals. Think, for example, of highlighting a manager of a large hospital in the Eindhoven region in the age category 45 to 55 years. In case consent is asked and been given, the publication of citations with name and other details about the cited person is of course possible.
Personal data in an article
The investigator should ensure that no personally identifiable information is included in the article by:
- Anonymizing / pseudonymizing research results:
- When quoting:
- Anonymization;
- Paraphrasing, in case a quote has been obtained via web scraping;
- In case consent is asked and been given: publication with name and other details about the cited person is permitted.
Data sharing for review purposes
During the publication process it can happen that data needs to be shared with peer reviewers. Personal data should of course be protected as much as possible.
Data with traceable personal data
If personal data must be shared with peer reviewer
- If possible Anonymize or Pseudonymize (without sending the key to the reviewer).
- If this is not possible:
- Agreements have been made with the publishers to take technical and organizational measures to protect personal data and to conclude agreements on confidentiality and security obligations with so-called subcontractors (to which we include peer reviewers). However, the researcher is advised that when submitting the dataset:
- to send it encrypted via SURF Filesender
- to point out that the dataset must be removed by the peer reviewer once it is no longer needed (i.e. after the peer review has been carried out).
- Agreements have been made with the publishers to take technical and organizational measures to protect personal data and to conclude agreements on confidentiality and security obligations with so-called subcontractors (to which we include peer reviewers). However, the researcher is advised that when submitting the dataset:
- If a raw dataset is required, provide a copy that is free of traceable personal data.
- Contractually agree that the dataset will be destroyed after the review procedure.
Data without traceable personal data
If datasets are shared without personally identifiable information, the policy of Tilburg University regarding privacy and personal data protection (including the theme policy Research) does not apply.
Respondents' rights during research
Respondents may also invoke a number of rights during the research.