In the RDM policy of your research institute, you will find a lot of information on secure storage, preferred tools, workflow, etc. Additionally, the following tips can help you plan how to manage personal data:
Data management plan (DMP)
You might be required to write a data management plan by an ethics committee, your funder or your institute’s RDM policy regardless of whether you work with personal data or not. A data management plan can help you structure the decisions regarding personal data. You can also request feedback or ask for help with questions that might arise.
Transparancy
Be clear on how you manage any personal data during your research. This concept comes back in all other aspect of working with personal data: Be transparent about goal setting, security measures, possible anonymisation, storage, access management, archiving and publishing plans, etc. Let your participants know about your research in general and about their rights particular (in an informed consent procedure). Be transparent towards all parties that are involved in the project. Give all relevant information to ethical committees. Writing a data management plan is one way in which you can do this.
Goal setting
Two reasons to collect personal data during research are to answer research questions or for administrative reasons (for example when you need to keep in contact with your participants). You can include your goal setting in a data management plan or in a separate document.
Describe what personal data you are planning to collect and use, with which legal basis and for how long you will be using it. When collecting personal data, a legal basis is required by the GDPR and in research this is often an informed consent form (see ‘Informed consent’ below). Other legal bases can be public interest or a contract.
Informed consent
When working with research participants, you usually need to acquire their informed consent. Check the webpage of your faculty’s ethics committee to see if they have a template or can help you create an informed consent form.
Data minimisation
Only collect persona data if you have good reasons to do so: if the data are necessary to achieve the goals you set (see ‘Goal setting’ above). Delete the data as soon as they are no longer required to reach those goals.
Ethical approval
Most, but not all, faculties require that you obtain ethical approval before you start a study that involves research participants (and thus personal information). Check if you need to get ethical approval before the start of your data collection at the webpage of your ethics committee.
Liability
Make sure you know who is responsible and liable for the management of personal data in your research. For more information, take a look at the Radboud University guidelines on control of research data. Also, when working with other parties (e.g. universities, companies, schools), make sure that proper arrangements are in place concerning personal data and control of the data.
(Pre-) Data Protection Impact Assessment (DPIA)
If your project involves working with personal data, a pre-DPIA needs to be written. Contact your Local Privacy Officer for help.