Sheet with data, photo by Vladislav Bulatov

Handling research data with care

How do you guarantee the careful handling of research data with personal data?

In any research in which personal data is processed, it is important that this data is handled carefully. This page describes how you ensure the careful handling of such data.

To work safely with personal data, you must take sufficient technical and organizational security measures. Technical security measures include encryption (encoding) of the data itself, encrypting your storage location and the technical security of a system. For organizational security measures, you can think about giving as few people as possible access to the data, entering into confidentiality and processor agreements, and increasing employee awareness of how to handle the data. With an eye toward raising that awareness, we'd also like to point to the page on the RDM regulations that researchers must adhere to, including the Research Data Management Regulation of Tilburg University.

Access and security of personal data

Within Tilburg University, as few people as possible have access to the digital or physical data sets of research in which personal data are processed. This access is usually limited to the researcher(s) involved and his/her/their supervisor(s). In addition, digital and physical datasets containing personal data must be stored securely and should be accessible only to those for whom this is necessary in the context of the research. On the webpages about Research Data Management, you will find more information about storing and sharing research data during and after the research.

Access to personal data files and archives

  • Files personal data: Access is permitted only for the researchers involved (including student researchers) and the supervisor (in order to secure backup).
  • Archives: Access to digital and physical datasets containing personal data is permitted only for researchers and (for the purpose of sustainable storage) the Head of Department and the administrator of the digital or physical datasets.

Security of personal data

Digital

Datasets containing personal data must be stored securely. This means the following:

  • Pseudonymized, which means that the key file or communication file is stored separately (more information can be found under the header ‘Anonymization and pseudonymization’).
  • On a Tilburg University-approved secure location for data storage.
  • Only in encrypted form on a storage medium (such as a laptop or USB-drive).
  • In case the processing of the data entails a high risk for the data subjects, the data set always needs to be stored with encryption.

In the absence of the researchers at the workplace, computers should be locked and the workspace closed.

Physical

Documents containing personal data should be stored securely in a locked cupboard or archive. In case of absence, the cabinets or archives should be locked and not accessible to unauthorized persons.

Anonymization and pseudonymization

For the purpose of data minimization, among other reasons, it is advised to pseudonymize or, if possible, anonymize the research data as soon as possible. These terms are regularly used interchangeably, but there is an essential difference between the two.

Pseudonymization

In pseudonymization, identifying data is separated from non-identifying data and replaced with artificial information.  However, the identifying data is not destroyed. Instead, a key file is created, which records which data have been replaced with the artificial information. With pseudonymization, the data can thus be reconnected with this key, making it possible to trace back to natural persons.

An example of pseudonymization is replacing the name, address, and place of residence of a data subject in a study with a unique respondent number. The other collected data (for example medical data) are then linked to this respondent number instead. This ensures that outsiders cannot see to whom the medical data belong. Only someone who has access to the key file, for instance the researcher, can trace the data back to individual persons. Sufficient (organizational and technical) measures must of course be taken so that unauthorized persons cannot access these files and link them.

Even after pseudonymizing the data, the GDPR is applicable to the data (sets) involved.

Anonymization

In order to anonymize a data set, one must make sure the data is no longer traceable to an individually identifiable person in any way. For instance, no key file is made. This makes anonymization an irreversible process: once personal data have been anonymized, it is no longer possible to reconnect them to individuals later. 

To anonymize, you will at least have to permanently remove the name and address data (i.e., there should be no key where it is clear that Mr. X is respondent 1), but probably some data will also have to be aggregated, e.g., by establishing categories by 10 years (21-30, 31-40, etc.) for ages.

For anonymous data, the GDPR no longer applies. Keep in mind, however, that with anonymous data there is no longer any possibility of identification or tracing back to individuals. 

Incidentally, the (process of) anonymizing personal data is itself a processing of personal data; the GDPR applies to that process.
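
The pseudonymization and anonymization steps described above, as an added Python example (not part of the original page or of any Tilburg University tool). The sample records, column names and function names are constructed for illustration.

```python
import csv, io, secrets
from collections import Counter

# Constructed sample records (not from the page).
RAW = """name,address,residence,age,diagnosis
A. Jansen,Dorpsstraat 1,Tilburg,34,asthma
B. de Vries,Kerkweg 12,Eindhoven,47,diabetes
C. Bakker,Molenlaan 5,Breda,29,asthma
D. Smit,Hoofdstraat 8,Tilburg,38,asthma
"""
IDENTIFYING = ("name", "address", "residence")

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def pseudonymize(rows):
    """Return (research_rows, key_rows); the two share only the respondent number."""
    research, key, used = [], [], set()
    for row in rows:
        rid = f"R{secrets.randbelow(10**6):06d}"
        while rid in used:  # random, so the number reveals nothing about the person
            rid = f"R{secrets.randbelow(10**6):06d}"
        used.add(rid)
        key.append({"respondent": rid, **{c: row[c] for c in IDENTIFYING}})
        research.append({"respondent": rid,
                         **{c: v for c, v in row.items() if c not in IDENTIFYING}})
    return research, key

def reidentify(respondent, key_rows):
    """Tracing back to a person works only for someone holding the key file."""
    return next(k["name"] for k in key_rows if k["respondent"] == respondent)

def age_band(age):
    """10-year categories as in the text: 21-30, 31-40, ..."""
    low = (int(age) - 1) // 10 * 10 + 1
    return f"{low}-{low + 9}"

def anonymize(research_rows):
    """Drop the respondent number, band the age, and sort away the original row order."""
    rows = [(age_band(r["age"]), r["diagnosis"]) for r in research_rows]
    return sorted(rows)

def singled_out(anon_rows):
    """Combinations occurring once may still point to one person; use coarser categories."""
    counts = Counter(anon_rows)
    return sorted(combo for combo, n in counts.items() if n == 1)
```

In practice the key rows are written to a separate, access-restricted location, and the output only counts as anonymous once the key is destroyed and no combination of values singles out a person.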

Use of programs for collecting, analyzing and sharing data

The collection of data during the research can take place in various ways: online, face-to-face, with a paper questionnaire, observations, video images, etc.

The GDPR has implications for these ways of data collection, the use of existing or new data, the tools used in the collection of data and possible security aspects arising from the GDPR during the research.

When using applications/programs from external suppliers, a processor agreement must often be entered into to make proper arrangements about responsibilities, security, etc. Therefore, preferably use applications approved by Tilburg University. If you wish to make use of a different application, please contact the Information Manager of your School.

Writing and publishing an article

When writing the article, the researcher must prevent the inclusion of traceable personal data in the article. Several guidelines for this are presented below.

A point of attention is the possibility that a combination of personal data can be traced back to individuals. Think, for example, of highlighting a manager of a large hospital in the Eindhoven region in the age category 45 to 55 years. If consent has been asked for and given, the publication of quotations with name and other details about the cited person is of course possible.

Personal data in an article

The investigator should ensure that no personally identifiable information is included in the article by:

  • Anonymizing / pseudonymizing research results.
  • When quoting:
    • Anonymization;
    • Paraphrasing, in case a quote has been obtained via web scraping;
    • If consent has been asked for and given: publication with name and other details about the cited person is permitted.

Data sharing for review purposes

During the publication process it can happen that data needs to be shared with peer reviewers. Personal data should of course be protected as much as possible.

Data with traceable personal data

If personal data must be shared with peer reviewers:

  • If possible, anonymize or pseudonymize (without sending the key to the reviewer).
  • If this is not possible:
    • Make agreements with the publishers about taking technical and organizational measures to protect personal data and conclude agreements on confidentiality and security obligations with so-called subcontractors (among which we include peer reviewers). In addition, the researcher is advised, when submitting the dataset:
      • to send it encrypted via SURF Filesender
      • to point out that the dataset must be removed by the peer reviewer once it is no longer needed (i.e. after the peer review has been carried out).
  • If a raw dataset is required, provide a copy that is free of traceable personal data.
  • Contractually agree that the dataset will be destroyed after the review procedure.

Data without traceable personal data

If datasets are shared without personally identifiable information, the policy of Tilburg University regarding privacy and personal data protection (including the theme policy Research) does not apply.