Sheet with data, photo: Vladislav Bulatov

Handling research data with care

Registration form Ethics, Data Management and GDPR

Before starting scientific research, researchers must fill in a registration form concerning ethics, data management and the General Data Protection Regulation (GDPR).

The schools use virtually the same application form to assess these three aspects. The assessment is done by the school committees.

By filling in the form, you record, among other things, how you store or manage data during the project and what happens with the data after the project is completed. At the same time, the requirements for accountability, Data Protection Impact Assessment (DPIA) and Data Processing Register are safeguarded. Ask the data representative of your school for this form.

If no personal data is processed during the survey, filling out only the data management section is sufficient. This meets the requirements of the Research Data Management Regulations. For more information about the data management plan section, go to the website or contact the Research Data Office.

Data Protection Impact Assessment (DPIA)

In some cases, the processing of personal data involves a high risk for the data subject. In order to properly deal with this, a DPIA must be carried out based on the GDPR to ensure that the privacy risks of the respondents are properly safeguarded. A DPIA is usually not necessary for academic research. For more details on when a DPIA is required, please see the privacy and data protection policy (section 11.2).

For any academic research involving the processing of personal data, a pre-DPIA (questionnaire) must be completed to determine whether a DPIA is necessary. This short questionnaire is included (integrated) in the DMP and is combined as far as possible with the questionnaire for the ethical review.

Purpose of the DPIA

The aim of the DPIA is to identify the risks of data processing in a timely manner. What personal data are processed, what does Tilburg University do with them, what are the consequences and how do we deal with them?

If a DPIA is necessary, the researcher must contact the Data Representative (who then consults the Data Protection Officer). The questionnaire for carrying out a pre-DPIA is included in the DMP.

Data Processing Register

All processing of personal data must be recorded in the University's Data Processing Register on the basis of the GDPR, as part of accountability. The information included in the combined form for ethics, data management and privacy provides the input for the Data Processing Register for academic research. Researchers of TSB can use the G.E.D. Started-tool to fill out the form; other researchers should use the current form for now. Please ask your data representative about this form.

Privacy Statement

Based on the right to information, Tilburg University has published a Privacy statement on its website, informing readers about the use of personal data.
In case data is gathered directly from respondents and these respondents are informed via the informed consent form, it is not required to publish an additional privacy statement.

In other cases the research should be described in the University’s privacy statement. The Ethics Review Board may decide to mark an investigation as confidential, as a result of which the information about the study in question may not be disclosed in the privacy statement.
Informing in this way is necessary because not all research (e.g., public databases, reuse of existing databases or web scraping) can be carried out with informed consent, and it is precisely with respect to these types of data that Tilburg University should be transparent about how it deals with personal data.

Step-by-step plan

Data Management Plan (DMP) - Processing Register: For each academic research project, the researcher must draw up a DMP setting out which (personal) data will be processed. This DMP will be included in the university's Data Processing Register insofar as it contains personal data. For the format of the DMP we refer to Tilburg University's Research Data Management Regulations.

Pre-DPIA: For each academic study, a pre-DPIA (questionnaire) must be completed to determine whether it is necessary to perform a DPIA. This questionnaire is integrated into the DMP and if possible combined with the questionnaire for the ethics committee.

Data Protection Impact Assessment (DPIA): In some situations it is necessary to perform a DPIA. Whether this is necessary follows from the pre-DPIA questionnaire. The researcher is responsible for carrying out the DPIA if it is necessary. A procedure is available. He/she is supported by the Data Representative of the School.

Checking the DPIA

The Data Protection Officer checks the DPIA.

Review of DMP and review by ethics committee

In each School further agreements have been made about the review and storage of the DMP by an academic and/or ethical committee.

A researcher may not simply process all personal data. Some relevant information is listed below.

Data minimization: The researcher may only collect personal data that is necessary for the purpose of academic research, but will ensure that sufficient data is collected to answer the research question.

BSN: The citizen service number (Burgerservicenummer, BSN) may never be processed for academic research.

Identity card

A copy of proof of identity may only be viewed. It may only be kept if it is necessary for academic research and the photo and BSN are blurred. On the photocopy of an identity card, it must be stated that the copy was issued for research purposes.

Tip: Preferably write down only the necessary data instead of retaining a photocopy of an ID.

Preparation assistance

The Data Representatives of the Schools support the completion of the DPIA. In addition, the Research Data Office can provide support for researchers and faculties with regard to questions concerning research data management.