Do you want to know if your research applies to the privacy regulations? Read the online tutorial: 'Stappenplan om te voldoen aan de AVG binnen onderzoek' (in Dutch). The tutorials includes the following steps:
If you use consent from research persons as legal basis to process personal information, you should comply with the following requirements:
Before participants give consent for participating in research, they should be well informed about the research and how their personal information will be managed. This is called 'informed consent'. Researchers often use a separate information letter and send this to the participants well ahead of the start of the data collection. This gives participants sufficient time to read the information letter and consider their participation.
The information should at least contain the following:
Last, participants are asked for giving their consent to participate to the research. It's mandatory by law to be able to prove that informed consent has been given. This is why researchers often choose for written consent. Hanze UAS has a template (in Dutch) that can be used as an example.
If written consent is for some reason not feasible, you can also ask for consent orally. It is important that you can prove that consent is given, for example using an audio recording.
Consent for reuse of the data
The personal information in your research can only be used for the indicated research purposes. Do you want to be able to use the data for follow-up research? Of make the data available with other researchers or students, e.g. in a data repository? You will have to explicitly include this purpose in the informed consent.
Right to erasure ('right to be forgotten')
Research persons have the rights to have their personal information erased and to retract their consent. If it is reasonably feasible to remove the data from a person, you should honor their request. However, in research this is not always possible. For example if identifiable information is already removed from the dataset or if the dataset is already used for analysis and/or publication.
Prepare the respondents in your research for this scenario. You can provide a 'deadline', before which they can request to have their data removed from the dataset, for example a month.
Right of access
Individuals have the right to access and receive a copy of their personal data, and other supplementary information.
Researchers at Hanze UAS are required to register the processing of personal data in research with the Data Protection Officer. It is important that you clearly support the processing with a legal basis. For advice, you can contact the Privacy Protection Officer at: ict-security@org.hanze.nl.
Another way to register the processing of personal data is writing a data management plan (DMP) with the Hanze template at DMPonline. If you write the DMP and indicate that your research contains personal data, you have registered your research project.
In some circumstances, it is possible to anonymise personal data in a dataset. This implies that all data, which can be used to identify an individual person, is removed. Anonymisation means that this information is irrevocably removed: this cannot be undone. Hereby, it is also important to think of removing old copies or removing copies from your device's recycle bin.
An application for data anonymisation is Arx.
Advantages of anonymisation
Anonymisation ensures an optimal protection of the privacy of respondents in your research. If you have fully anonymised a dataset, there are no personal data left and therefore, the GDPR is not applicable to the data anymore. The advantage of anonymisation is that you need less security measures to protect privacy and that it allows you to do more with the data than when it would contain personal data. This allows for sharing of the data more easily, for example.
Disadvantages of anonymisation
Not all data can be anonymised, for example in case you need contact information for follow-up research. Or if full anonymisation would imply to remove information from the dataset that you need for your analysis. Moreover, it is important to realize that anonymisation means that you will have to delete (part of) the raw data. This may limit the option to verify your research results. For more advise on this matter, please contact your Information Specialist or the Privacy & Security team.
An alternative to anonymisation is to replace the identifiable information by a code (a pseudonym). By pseudonymising data, you create a 'key' to the information that can identify individual persons. Every respondent receives a different code. Next, you create two different data files:
Want to know more about pseudonymisation?
Before starting your research project, you could do a risk analysis of the data that will be processed. This will help you to get insight in which security measures should be taken during the research. At Hanze, three different risk levels are distinguished: low, medium and high risk. In case of high risk data, a Data Protection Impact Assessment (DPIA) should be conducted.
Risk analysis of personal data
A Data Protection Impact Assessment (DPIA) is an instrument to map the privacy risks of data processing. A DPIA identifies in a systematic way which personal data will be processed, an appraisal of the risks of the processing, and an overview of the planned measures to minimise the risks as much as possible.
A DPIA is mandatory if the processing of data very likely has a high privacy risk for the persons whose data is being processed. The responsible organisation will have to determine whether there is a high level of risk. The Dutch Data Protection Agency (DPA) has made a list of types of data for which a DPIA is required. The list includes information such as genetic data and health data.
Do you collaborate in a research project with 'special category' type of data, or other data to which a high risk level applies? Get in contact with the Information Specialist of your research centre and/or with the Privacy & Security team to check whether it is necessary to conduct a Data Protection Impact Assessment. A 'pre-DPIA' can be done to quickly assess whether a more extensive DPIA is necessary for this specific case.