What are personal data and how do I process them carefully?
This guideline only applies if personal data are processed of academic research.
Definition
Personal data is any information that can identify a natural person or that can be traced back to that person now or in the future.
This definition of personal data is based on the General Data Protection Regulation (GDPR) and is very broadly formulated.
This can be either directly traceable personal data (such as name, email) or indirectly traceable personal data (for example, a car registration number or a combination of initials, postcode and house number).
What is the difference between pseudonymization and anonymization?
Pseudomyzization
Pseudonymization separates identifying data from non-identifying data and replaces them with artificial identifiers.
Example
An example of pseudonymization is replacing a respondent's data in a survey with a unique respondent number. The medical data, for instance, are then linked to this respondent number instead of the name and address information. As a result, outsiders cannot know who the person is to whom the medical data belongs. Only the person who can make the link with the respondent number, e.g., the researcher, is able to link the medical data.
However, sufficient organizational and technical measures must be taken to prevent unauthorized persons from linking these files.
In case of pseudonymization, the GDPR and therefore this guideline applies.
Anonymization
The GDPR does not apply to anonymous data. However, please take into account that, with anonymous data, there is no longer any possibility for identification or identification of persons.
If data can still be traced back to a person, this does not constitute anonymization.
Careful processing of personal data
Respondents are used in much academic research. Tilburg University attaches great importance to the careful processing of personal data in the context of academic research, because misuse of data can cause considerable damage to respondents, employees, students, and Tilburg University itself.
What is meant by the processing of personal data?
The processing of personal data includes, whether or not automated, such actions as collecting, recording, structuring, storing, changing, analyzing, retrieving, consulting, using, providing (forwarding), distributing, making available, combining, blocking, or deleting data.
In other words, everything you do with personal data.
It concerns the processing of personal data in a paper file or archive,a digital file, or in an application/system (e.g., in e-mail boxes, on computers or other data carriers such as flash drives). The policy applies to all staff, including student assistants, temporary employees, hired staff, interns, external PhD candidtes, staff who are no employed by Tilburg University, and students who contribute to the research.
It therefore concerns all processing of personal data carried out by researchers in the context of scientific research.
What is meant by data subject?
The GDPR refers to the people on whom data are colelcted as data subjects. In academic research, they are usally calledrespondents, test subjects or participants. The term "respondents" will be used as a synonym of "data subjects".
What are special personal data and how do they need to be processed?
Special personal data are data relating to
- racial and ethnic origin
- political beliefs
- religious or philosophical beliefs
- membership of a trade union
- genetic data
- biometric data for identification
- data on health (medical data)
- data relating to sexual behaviour or sexual orientation.
These data may only be processed in accordance with section 2.3. Please not that if special personal data are processed, additional security requirements apply.
Proccessing special personal data
Special personal data may be processed in academic research if there is explicit permission. There is an exception specifically for academic research which only applies if:
- asking permission proves impossible or requires a disproportionate effort
- the processing is necessary for the purpose of the study and
- the study serves a general interest.
Safeguards must also be in place to ensure that the privacy of the data subject is not disproportionately compromised.