Personal data in research

In the RDM policy of your research institute, you will find a lot of information on secure storage, preferred tools, workflow, etc. Additionally, the following tips can help you plan how to manage personal data:

Data management plan (DMP)

You might be required to write a data management plan by an ethics committee, your funder or your institute’s RDM policy regardless of whether you work with personal data or not. A data management plan can help you structure the decisions regarding personal data. You can also request feedback or ask for help with questions that might arise.

Transparancy 

Be clear on how you manage any personal data during your research. This concept comes back in all other aspect of working with personal data: Be transparent about goal setting, security measures, possible anonymisation, storage, access management, archiving and publishing plans, etc. Let your participants know about your research in general and about their rights particular (in an informed consent procedure). Be transparent towards all parties that are involved in the project. Give all relevant information to ethical committees. Writing a data management plan is one way in which you can do this.

Goal setting

Two reasons to collect personal data during research are to answer research questions or for administrative reasons (for example when you need to keep in contact with your participants). You can include your goal setting in a data management plan or in a separate document.

Describe what personal data you are planning to collect and use, with which legal basis and for how long you will be using it. When collecting personal data, a legal basis is required by the GDPR and in research this is often an informed consent form (see ‘Informed consent’ below). Other legal bases can be public interest or a contract. 

Informed consent

When working with research participants, you usually need to acquire their informed consent. Check the webpage of your faculty’s ethics committee to see if they have a template or can help you create an informed consent form.

Data minimisation

Only collect persona data if you have good reasons to do so: if the data are necessary to achieve the goals you set (see ‘Goal setting’ above). Delete the data as soon as they are no longer required to reach those goals.

Ethical approval

Most, but not all, faculties require that you obtain ethical approval before you start a study that involves research participants (and thus personal information). Check if you need to get ethical approval before the start of your data collection at the webpage of your ethics committee.

Liability

Make sure you know who is responsible and liable for the management of personal data in your research. For more information, take a look at the Radboud University guidelines on control of research data. Also, when working with other parties (e.g. universities, companies, schools), make sure that proper arrangements are in place concerning personal data and control of the data.

(Pre-) Data Protection Impact Assessment (DPIA)

If your project involves working with personal data, a pre-DPIA needs to be written. Contact your Local Privacy Officer for help.

These tips can help you manage personal data during your research:

Data quality

Make sure that your data is correct and up to date. As stated in article 5 of the GDPR, “Every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.” This is related to the data subjects’ (participant) ‘right to rectification’, i.e. the right that any inaccurate or incomplete information regarding their person is edited. The addition to your data mentioning “at time of collection” is an example of a small, but important improvement in data quality.

Rights of data subjects

Data subjects (e.g. participants) have specific rights under the GDPR. Here, we summarise two of the most important rights in relation to research. 

• The ‘right to be informed’ means that participants must be informed about what information you collect about them, when, how and why. In research, this right is usually covered by an informed consent procedure. See your faculty’s ethics committee for more information on informed consent. 
• The ‘right to be forgotten’ means that a participant can have their personal information deleted anytime they want. This is difficult, if not impossible, in research and that is why you can inform the participant of the timeframe during which they can have their data deleted. Make sure this is a reasonable length of time (a few weeks rather than days).

Minimalisation of use

During your research, make sure that you only share personal data with those who are allowed to see these data. Who those persons are is often specified in your informed consent form and can vary from project members to only you. Make sure you do not easily grant access to the parts of your data that contain personal data. The fewer people who have access to the personal data, the better.

Anonymisation and pseudonymisation

If you collect personal data, make sure that you anonymise or pseudonymise where possible. More information on anonymisation and pseudonymisation.

Security measures

Take a look at what Radboud University offers in terms of technical security measures, such as encryption methods.

At the end of your research, make sure you properly archive and/or publish your data. In short, when dealing with personal data, check if you are allowed to publish your data or if you must restrict access. Also, choose a trustworthy repository that allows you to publish under your selected access level and with a suitable Data Use Agreement or in which you can safely archive your data if you cannot share it. For more information on choosing a repository and whether and under which access conditions you are allowed to publish data.

More information about archiving and publishing research data