Dutch privacy laws play an important role in doing (applied) scientific research. When working with data from existing individuals, adequate privacy protection is crucial. However, it is not always obvious when personal data is involved in research.
This page explains when (sensitive) personal data are involved, even if, at first glance, they cannot be traced directly to an individual.
This page also briefly discusses what current privacy legislation entails and how it applies to research. Concrete guides and tools for properly protecting privacy in research are located in this LibraryGuide on the Privacy and Security page under the [Preparation & planning] tab .
Personal data are any information about a living person that can be traced directly or indirectly to that person. This is defined in the General Data Protection Regulation (GDPR). Examples of personal data are name, date of birth, contact data such as e-mail address or phone number, and location data such as address or IP address. However, data that emerge from a questionnaire or interview, for example, are also personal data. These may include opinions and experiences, or information about a person's behavior, personal characteristics, consumption, energy consumption or skills.
A special category of personal data is sensitive personal data. These are personal data about a person's:
Generally, the law prohibits the processing of special personal data, unless your research falls under a legal exception. The same applies to criminal personal data, such as well-founded suspicions of criminal acts or convictions.
Indirect personal data
Some information is directly and clearly traceable to a person, such as name or social security number. However, data that cannot be traced back to an individual at first glance may also be personal data. This is called indirectly identifiable data. These can be combinations of data that can refer to an individual or a very small group, e.g. combinations between age, place of residence and income, occupation, etc. Data can also contain information or patterns that are unique, such as geographical information of where a person moves or, for example, rare medical conditions or professions such as king, astronaut or minister.
Pseudonymized data is also personal data under the GDPR (Dutch: AVG). These are data sets where the personal information has been replaced by a random code or number. If these data can be combined with (directly identifiable) personal data by means of a key file, the pseudonymized dataset should also be considered personal data.
As of 2018, the General Data Protection Regulation (GDPR) is the new privacy law. Throughout the European Union, the same legislation has been implemented. The GDPR strengthens and expands individuals' right to privacy while placing more responsibility on organizations working with data about individuals.
A guiding principle in the GDPR is "privacy by design". In research, this means that you plan data collection and data processing while keeping in mind the protection of the privacy of research subjects. It also means that you do not collect more research data than is absolutely necessary to answer your research questions. This is the principle of "data minimization".
For each study, it should be clearly justified why it is necessary to process the personal data and for what purpose it will be used. This helps meet the accountability requirements of the GDPR.
Another principle of the GDPR is that you may only process personal data if you have a good reason to do so. In other words, this is only allowed if you cannot achieve your objectives without this personal data. The GDPR lists six lawful bases for processing personal data. For research, one of the following three bases is often used:
The GDPR establishes eight rights for research participants about who data is collected or processed:
The terms of the GDPR have quite an impact on how you should conduct your research. Since some of the provisions may pose considerable obstacles to research, a number of exception situations exist for scientific research.
The right to be forgotten is difficult to enforce in research practice. For example, if research subjects wish to withdraw their data from the research after a period of time, you can no longer use this data for your analysis. This could potentially affect the results that follow from your data analysis. In this case it is advisable to set a time limit for research participants to withdraw from the study. If they withdraw within that time period (e.g. 5 working days) all their data will be deleted.
If you are collecting data at different points in time (e.g. a longitudinal study) and a research participant 'drops out' before the end of the study, then the data that has already been collected may still be used for the research analysis.
Objective. The GDPR states that personal data can only be used for the purpose or objective for which it was initially collected, but this conflicts with the ambition to make research data reusable or to use the data for follow-up research. However, there is an exception to this for scientific research: data may also be used for a different research purpose than the original project. In the event that permission is sought from research subjects, however, it is important to explicitly state the possibility of reusing the data in the informed consent form.