What are personal data and how do I process them carefully?

Pseudomyzization

Pseudonymization separates identifying data from non-identifying data and replaces them with artificial identifiers.

Example

An example of pseudonymization is replacing a respondent's data in a survey with a unique respondent number. The medical data, for instance, are then linked to this respondent number instead of the name and address information. As a result, outsiders cannot know who the person is to whom the medical data belongs. Only the person who can make the link with the respondent number, e.g., the researcher, is able to link the medical data.

However, sufficient organizational and technical measures must be taken to prevent unauthorized persons from linking these files.

In case of pseudonymization, the GDPR and therefore this guideline applies.

Anonymization

The GDPR does not apply to anonymous data. However, please take into account that, with anonymous data, there is no longer any possibility for identification or identification of persons. 

If data can still be traced back to a person, this does not constitute anonymization.

The processing of personal data includes, whether or not automated, such actions as collecting, recording, structuring, storing, changing, analyzing, retrieving, consulting, using, providing (forwarding), distributing, making available, combining, blocking,  or deleting data.

In other words, everything you do with personal data.

It concerns the processing of personal data in a paper file or archive,a  digital file, or in an application/system (e.g., in e-mail boxes, on computers or other data carriers such as flash drives). The policy applies to all staff, including student assistants, temporary employees, hired staff, interns, external PhD candidtes, staff who are no employed by Tilburg University, and students who contribute to the research.

It therefore concerns all processing of personal data carried out by researchers in the context of scientific research.

The GDPR refers to the people on whom data are colelcted as data subjects. In academic research, they are usally calledrespondents, test subjects or participants. The term "respondents" will be used as a synonym of "data subjects".

Special personal data are data relating to

• racial and ethnic origin
• political beliefs
• religious or philosophical beliefs
• membership of a trade union
• genetic data
• biometric data for identification
• data on health (medical data)
• data relating to sexual behaviour or sexual orientation.

These data may only be processed in accordance with section 2.3. Please not that if special personal data are processed, additional security requirements apply.

Proccessing special personal data

Special personal data may be processed in academic research if there is explicit permission. There is an exception specifically for academic research which only applies if:

1. asking permission proves impossible or requires a disproportionate effort
2. the processing is necessary for the purpose of the study and
3. the study serves a general interest.

Safeguards must also be in place to ensure that the privacy of the data subject is not disproportionately compromised. 

• How do I deal with individual datasets that contain personal data?