GDPR in research: step by step

Do you want to know if your research applies to the privacy regulations? Read the online tutorial: 'Stappenplan om te voldoen aan de AVG binnen onderzoek' (in Dutch). The tutorials includes the following steps: 

  • Research proposal
  • Choose legal basis
  • Consent
  • Security measures
  • Accountability
  • Deleting data

Consent

If you use consent from research persons as legal basis to process personal information, you should comply with the following requirements: 

  • Consent should be given freely
  • Unambiguousness: Consent should be given actively (e.g. orally or written) 
  • Informed. Research persons should have been informed in an understandable manner about the organisation conducting the research, the purpose of data collection, the type and nature of personal data at stake, and the right to be able to retract their consent. See more information about the specifics of informed consent in the next tab. 
  • Specific. Consent should be given for a specific processing activity and for a specific purpose. This can be multiple purposes as well, e.g. use for current research as well as reuse for future research purposes. 

Before participants give consent for participating in research, they should be well informed about the research and how their personal information will be managed. This is called 'informed consent'. Researchers often use a separate information letter and send this to the participants well ahead of the start of the data collection. This gives participants sufficient time to read the information letter and consider their participation.

 

The information should at least contain the following:

  • The purpose of the research
  • Which organisation is responsible for conducting the research
  • The role of the respondents in the research
  • Any adverse effects of participating in the research
  • How the data will be managed: who will have access to the data, where will the data be stored, how long will the data be kept
  • How the integrity of participants will be protected 
  • How participants can withdraw their participation in the research and whom they can contact for questions 

 

Last, participants are asked for giving their consent to participate to the research. It's mandatory by law to be able to prove that informed consent has been given. This is why researchers often choose for written consent. Hanze UAS has an informed consent template that can be used as an example. 

If written consent is for some reason not feasible, you can also ask for consent orally. It is important that you can prove that consent is given, for example using an audio recording.

 

Consent for reuse of the data

The personal information in your research can only be used for the indicated research purposes. Do you want to be able to use the data for follow-up research? Of make the data available with other researchers or students, e.g. in a data repository? You will have to explicitly include this purpose in the informed consent. 

Right to erasure ('right to be forgotten')

Research persons have the rights to have their personal information erased and to retract their consent. If it is reasonably feasible to remove the data from a person, you should honor their request. However, in research this is not always possible. For example if identifiable information is already removed from the dataset or if the dataset is already used for analysis and/or publication.

Prepare the respondents in your research for this scenario. You can provide a 'deadline', before which they can request to have their data removed from the dataset, for example a month. 

 

Right of access

Individuals have the right to access and receive a copy of their personal data, and other supplementary information.

Registration of working with personal data

Researchers at Hanze UAS are required to register the processing of personal data in research with the Data Protection Officer. It is important that you clearly support the processing with a legal basis. For advice, you can contact the Privacy Protection Officer at: ict-security@org.hanze.nl.

 

Another way to register the processing of personal data is writing a data management plan (DMP) with the Hanze template at DMPonline. If you write the DMP and indicate that your research contains personal data, you have registered your research project.

Anonymisation and pseudonymisation

In some circumstances, it is possible to anonymise personal data in a dataset. This implies that all data, which can be used to identify an individual person, is removed. Anonymisation means that this information is irrevocably removed: this cannot be undone. Hereby, it is also important to think of removing old copies or removing copies from your device's recycle bin.

 

An application for data anonymisation is Arx.

 

Advantages of anonymisation

Anonymisation ensures an optimal protection of the privacy of respondents in your research. If you have fully anonymised a dataset, there are no personal data left and therefore, the GDPR is not applicable to the data anymore. The advantage of anonymisation is that you need less security measures to protect privacy and that it allows you to do more with the data than when it would contain personal data. This allows for sharing of the data more easily, for example.

 

Disadvantages of anonymisation

Not all data can be anonymised, for example in case you need contact information for follow-up research. Or if full anonymisation would imply to remove information from the dataset that you need for your analysis. Moreover, it is important to realize that anonymisation means that you will have to delete (part of) the raw data. This may limit the option to verify your research results. For more advise on this matter, please contact your Information Specialist or the Privacy & Security team. 

An alternative to anonymisation is to replace the identifiable information by a code (a pseudonym). By pseudonymising data, you create a 'key' to the information that can identify individual persons. Every respondent receives a different code. Next, you create two different data files: 

  • The pseudonymised data: The identifiable information is removed and replaced by the key
  • The key: This file contains only the identifiable information linked to the key. 

 

Want to know more about pseudonymisation? 

Estimation of risks

Before starting your research project, you could do a risk analysis of the data that will be processed. This will help you to get insight in which security measures should be taken during the research. At Hanze, three different risk levels are distinguished: low, medium and high risk. In case of high risk data, a Data Protection Impact Assessment (DPIA) should be conducted.

 

Risk analysis of personal data

  • Low risk: General contact information (name, address, location, year of birth, IP address, phone number). If a dataset contains a large amount of data (e.g. more than 30.000 respondents), or if the dataset can be combined with other datasets, a medium risk level will apply instead.  
  • Medium risk: Financial data, bank account number, birthday, study progress, data regarding your employment, passport photo (just for authentication purposes, not for ethnical profiling).
  • High risk: Unique personal identification, such as social security number, copy of ID card or passport. Also information about someone's ethnical background, political or religious opinions, union membership, genetical data, biometrical data for processing unique identification of a person, health information, or information about someone's sexual orientation or sexual behaviour.

A Data Protection Impact Assessment (DPIA) is an instrument to map the privacy risks of data processing. A DPIA identifies in a systematic way which personal data will be processed, an appraisal of the risks of the processing, and an overview of the planned measures to minimise the risks as much as possible.

A DPIA is mandatory if the processing of data very likely has a high privacy risk for the persons whose data is being processed. The responsible organisation will have to determine whether there is a high level of risk. The Dutch Data Protection Agency (DPA) has made a list of types of data for which a DPIA is required. The list includes information such as genetic data and health data.  

 

Do you collaborate in a research project with 'special category' type of data, or other data to which a high risk level applies? Get in contact with the Information Specialist of your research centre and/or with the Privacy & Security team to check whether it is necessary to conduct a Data Protection Impact Assessment. A 'pre-DPIA' can be done to quickly assess whether a more extensive DPIA is necessary for this specific case.

[anchornavigation]