How do you guarantee the careful handling of research data with personal data?
This section describes the elements of careful handling of data that are important during any investigation in which Personal Data is processed. It also describes the way in which Tilburg University ensures the careful handling of data.
This includes the handling of respondents' contact details, the rights of participants during the study, the use of programs for collecting, storing and analyzing data, sharing data, securing data and reporting the results.
Contact details of (potential) respondents
Files with contact details should only be accessible to necessary persons:
- The principal investigators involved
- The manager.
A Tilburg University researcher who collects and stores contact data in the context of scientific research must, according to the GDPR, store these data securely with limited access guaranteed.
The researcher is responsible for the separate storage of the contact data file. The contact data that can be linked to the dataset should be deleted by the researcher as soon as possible (within 6 months unless longer is necessary), as long as this does not conflict with the interests of the scientific research.
Modification of collected personal data
An investigator may decide during the investigation that additional personal data is necessary
If, during the study, there are changes in the personal data that are collected, the researcher should amend the data management plan by means of an amendment so that the processing register is updated.
Access and security of personal data
Within Tilburg University, as few people as possible have access to the digital or physical data sets of research in which personal data are processed. This access is usually limited to the researchers involved and their supervisor.
Access to personal data files and archives
Files personal data | Access is permitted only for the researchers involved (including student researchers) and the supervisor (in connection with backup). |
Archives | Access to digital and physical datasets containing personal data is permitted only for researchers, the department chairman and the manager of the digital or physical datasets. |
Digital and physical datasets containing personal data must be stored securely and are only accessible to those for whom this is necessary in the context of the research.
Access to personal data
Digital |
Datasets containing personal data must be stored securely. That is to say:
In the absence of the researchers at the workplace, computers should be locked and the workspace closed. |
Physical | Documents containing personal data should be stored securely in a locked cupboard or archive. In case of absence, the cabinets or archives should be locked and not accessible to unauthorized persons. |
Use of programs for collecting, storing, analyzing and sharing data
The collection of data during the research can take place in various ways, online, face-to-face, with a paper questionnaire, observations, video images, etc.
The GDPR has implications for these ways of data collection, the use of existing or new data, the tools used in the collection of data and possible safety aspects arising from the GDPR during the research.
When using applications/programs from external suppliers, a processing agreement must be entered into to make proper arrangements about responsibilities, security, etc.
Collecting data |
If external applications are used to collect personal data
|
Saving data |
Digital
If a researcher wants to use another (cloud) service:
Physical Documents containing personal data should be stored securely in a locked cupboard or archive. In case of absence, the cabinets or archives should be locked and not accessible to unauthorized persons. If storage takes place at an external location or by an external manager, a processing agreement should be concluded. |
Analyzing data |
Uses applications such as SPSS to analyze data:
|
Sharing data |
|
Anonymizing or pseudonymizing |
If personal data are no longer necessary but cannot yet be deleted, for example on the basis of verifiability, the personal data must be anonymized or pseudonymized at the earliest possible stage. |
Agreement and processing agreement
It is legally required that, when a researcher on behalf of Tilburg University exchanges personal data with, provides to or receives personal data from another organization, good contractual agreements are made about this. What kind of agreement should be concluded depends on the role of Tilburg University and the role of the other party (data controller, processor).
If a research project collaborates with other (external) research institutes or parties, a research agreement should be concluded in which agreements are made about the division of responsibilities, etc. Model agreements are available for this purpose.
Situation | Compulsary agreement |
Tilburg University is processing manager and third party processor | Processing agreement in accordance with established model. |
Tilburg University is processor for other controllers |
Processing agreement in accordance with established model. |
Tilburg University is together with other processing responsible |
Agreements in research agreement or in separate agreement on division of responsibilities. Think about it:
Example: Commissioned research in which the client together with Tilburg University determines the purpose and means for the research. |
Deviation from model processing agreement |
Due to risks, it is preferable to enter into the standard model agreement. However, it may be necessary to deviate. If the researcher wants to deviate from the established model, he should coordinate this with the data representative of the School. The data representative can seek advice from the data protection working group coordinated by the data protection officer, The processing agreement must be authorized by an authorized signatory, which is usually the dean, faculty director or board of directors. |
Responsible for the conclusion and content of the agreement |
The researcher should consult the data representative before concluding the contract. The data representative supports and may seek advice from the data protection officer or the legal affairs department. The processing agreement should be stored centrally. |
Registration / audit trail |
The processing agreement (including motivation in case of deviation) should be archived centrally. |
Writing and publishing an article
When writing the article, the researcher must prevent the inclusion of traceable personal data in the article. Occasionally, the researcher may want to quote from the research. This is possible if it can be done anonymously. Quotations resulting from web scraping can be traceable (easy to search on the internet) and therefore not anonymous. Preferably these are paraphrased.
Point of attention is the possibility that a combination of personal data can be traced back to individuals. Think, for example, of highlighting a manager of a large hospital in the Eindhoven region in the age category 45 to 55 years.
Personal data in an article
The investigator should ensure that no personally identifiable information is included in the article by:
- anonymizing / pseudonymizing research results.
- When quoting.
- When anonymizing;
- By paraphrasing, in case a quote has been obtained via web scraping.
Data sharing for review purposes
During the publication process it can happen that data needs to be shared with peer reviewers. Personal data should of course be protected as much as possible.
Data with traceable personal data
If personal data must be shared with peer reviewer
- If possible Anonymize or Pseudonymize (where key is not sent to the reviewer).
- If this is not possible:
- Check if there is already a processing agreement with the publisher.
- If there is not yet a processor agreement: Close processor agreement with the publisher of the magazine.
- If a raw dataset is required. Deliver it free of traceable personal data.
- Contractually agree that the dataset will be destroyed after the review procedure.
Data without traceable personal data
If datasets are shared without personally identifiable information, this policy does not apply.
Respondents' rights during research
Respondents may also invoke a number of rights during the investigation.