Blad met gegevens, foto Vladislav Bulatov

Handling research data with care

How do you guarantee the careful handling of research data with personal data?

During each research in which Personal Data is procesessed, it is important that this data is carefully handled. This page describes how you ensure the careful handeling of such data.

Amongst others, the following topics will be discussed: the handling of respondents’ contact details, the use of programs for collecting, storing and analyzing data, sharing data and securing data.

Contact details of (potential) respondents

Files with contact details should only be accessible to those that actually need access. Normally speaking, these are the following persons:

  • The principal investigator(s) involved; 
  • The manager. 

A Tilburg University researcher who collects and stores contact data in the context of scientific research must, according to the GDPR, store these data securely with limited access guaranteed.

The researcher is responsible for the separate storage of the contact data file. The contact data that can be linked to the dataset should be deleted by the researcher as soon as possible (within 6 months unless longer is necessary), as long as this does not conflict with the interests of the scientific research.

Modification of collected personal data

A researcher may decide during the research that additional personal data is necessary, or might come to the conclusion that less data is required.

If, during the research, there are changes in the personal data that are collected, the researcher should adjust the ERB/IRB application in accordance by means of an amendment, so that the data processing register is updated.

Access and security of personal data

Within Tilburg University, as few people as possible have access to the digital or physical data sets of research in which personal data are processed. This access is usually limited to the researcher(s) involved and the supervisor.

Access to personal data files and archives

Files personal data Access is permitted only for the researchers involved (including student researchers) and the supervisor (in order to secure backup).
Archives Access to digital and physical datasets containing personal data is permitted only for researchers, the Head of Department and the administrator of the digital or physical datasets.

Digital and physical datasets containing personal data must be stored securely and are only accessible to those for whom this is necessary in the context of the research.

Access to personal data

Digital

Datasets containing personal data must be stored securely. This means the following:

  • Pseudonymized, which means that the key- or communication file is stored separately.
  • On a Tilburg University-approved secure location for data storage, see 'Data Storage During Research' for more information.
  • Only in encrypted form on a storage medium (such as a laptop or USB-drive).
  • In case the processing of the data entails a high risk for the data subjects, the data set always needs to be stored with encryption.

In the absence of the researchers at the workplace, computers should be locked and the workspace closed.
Physical Documents containing personal data should be stored securely in a locked cupboard or archive. In case of absence, the cabinets or archives should be locked and not accessible to unauthorized persons.
Use of programs for collecting, storing, analyzing and sharing data

The collection of data during the research can take place in various ways: online, face-to-face, with a paper questionnaire, observations, video images, etc.

The GDPR has implications for these ways of data collection, the use of existing or new data, the tools used in the collection of data and possible security aspects arising from the GDPR during the research.

When using applications/programs from external suppliers, a processor agreement must be entered into to make proper arrangements about responsibilities, security, etc.

Collecting data

If external applications are used to collect personal data:

  • Preferably use the applications approved by Tilburg University. These meet all the requirements of the GDPR, a including the processor agreement.
  • If the researcher wants to use a different application, he must take the initiative to start the process of entering into a processor agreement.
Saving data

Digital

If a researcher wants to use another (cloud) service:

  •  Preferably use previously contracted applications. These applications have been found to meet all GDPR requirements and a processor agreement has been entered into.
  • If the researcher wants to use a different application, he must take the initiative to start the process of entering into a processor agreement.

Physical

All personal data should be stored securely in a locked cabinet or archive.

If storage takes place at an external location or by an external administrator, a processor agreement should be concluded.
Analyzing data

If use is made of applications such as SPSS to analyze data:

  • Preferably use previously contracted applications. These applications have been found to meet all GDPR requirements and a processor agreement has been concluded.
  • If the researcher wants to use a different application, he must take the initiative to start the process of entering into a processor agreement.
Sharing data
  • Sharing data with colleagues for a co-analysis or peer review of the analysis is only allowed if it is done in a secure way. For example by using encryption  (Secure File Transfer).
  • For the use of cloud services, we refer to the information as presented under ‘Saving data’ above.
  • Sharing data via a cloud service or other programs outside the management of Tilburg University, is only permitted if a processing agreement has been concluded with the relevant party.
Anonymizing or pseudonymizing

If personal data are no longer necessary but cannot yet be deleted, for example on the basis of verifiability, the personal data must be anonymized or pseudonymized at the earliest possible stage.

 

Agreement and processing agreement

It is legally required that, when a researcher on behalf of Tilburg University exchanges personal data with, provides to or receives personal data from another organization, good contractual agreements are made about this. What kind of agreement should be concluded depends on the role of Tilburg University and the role of the other party (data controller, processor). 

If a research project involves collaboration with other (external) research institutes or parties, a research agreement should be concluded in which agreements are made about the division of responsibilities, etc. Model agreements are available for this purpose.

Situation Compulsory agreement
Tilburg University is controller and third party processor Processor agreement in accordance with established model.
Tilburg University is processor for other controllers

Processor agreement in accordance with established model.
Example: A commissioned research in which the client determines the purpose and means of the research and Tilburg University collects and analyzes the personal data.
Tilburg University is together with other party the joint controller or both parties are independent controllers

Agreements in research agreement or in separate agreement on division of responsibilities. Think about it:

  • Who arranges the rights of data subjects (inspection, correction, etc.), who informs about the processing activities (privacy statement) and possibly a redress arrangement.
  • What are the parties allowed to do with the data and does confidentiality apply, for example?

Example: Commissioned research in which the client together with Tilburg University determines the purpose and means for the research, or a research project for which another controller shares data with TiU and TiU solely determines purpose and means of the research.
Deviation from model processing agreement

Due to risks, it is preferable to enter into the standard model agreement. However, it may be necessary to deviate.

If the researcher wants to deviate from the established model, he should coordinate this with the data representative of the School. The data representative can seek advice from the Privacy and Security working group.

The processor agreement must be authorized by an authorized signatory, which is usually the dean, faculty director or Executive Board.
Responsible for the conclusion and content of the agreement

The researcher should consult the data representative before concluding the contract. The data representative supports and may seek advice from the Central Privacy Office or the Legal Affairs department.
Registration / audit trail

The processor agreement (including motivation in case of deviation) should be archived centrally.
Writing and publishing an article

When writing the article, the researcher must prevent the inclusion of traceable personal data in the article. Occasionally, the researcher may want to quote from the research. This is possible if it can be done anonymously. Quotations resulting from web scraping can be traceable (easy to search on the internet), in which case they are not anonymous. Preferably these are paraphrased.

Point of attention is the possibility that a combination of personal data can be traced back to individuals. Think, for example, of highlighting a manager of a large hospital in the Eindhoven region in the age category 45 to 55 years. In case consent is asked and been given, the publication of citations with name and other details about the cited person is of course possible.

Personal data in an article

The investigator should ensure that no personally identifiable information is included in the article by:

  • Anonymizing / pseudonymizing research results:
  • When quoting:
    • Anonymization;
    • Paraphrasing, in case a quote has been obtained via web scraping;
    • In case consent is asked and been given: publication with name and other details about the cited person is permitted.

Data sharing for review purposes

During the publication process it can happen that data needs to be shared with peer reviewers. Personal data should of course be protected as much as possible.

Data with traceable personal data

If personal data must be shared with peer reviewer

  • If possible Anonymize or Pseudonymize (without sending the key to the reviewer). 
  • If this is not possible:
    • Agreements have been made with the publishers to take technical and organizational measures to protect personal data and to conclude agreements on confidentiality and security obligations with so-called subcontractors (to which we include peer reviewers). However, the researcher is advised that when submitting the dataset:
      • to send it encrypted via SURF Filesender
      • to point out that the dataset must be removed by the peer reviewer once it is no longer needed (i.e. after the peer review has been carried out).
  • If a raw dataset is required, provide a copy that is free of traceable personal data.
  • Contractually agree that the dataset will be destroyed after the review procedure.

Data without traceable personal data

If datasets are shared without personally identifiable information, the policy of Tilburg University regarding privacy and personal data protection (including the theme policy Research) does not apply. 

Respondents' rights during research

Respondents may also invoke a number of rights during the research. 

Read: What are the respondent's rights?