FAQ data minimisation

This website provides frequently asked questions about data minimisation in the context of the GDPR in research. Additionally, it is useful to read the general information about data minimisation.

  1. How long should personal data be preserved? How long should the informed consent be preserved?
  2. Am I allowed to keep participants’ names and contact details after the end of the research project?
  3. How long may the pseudonymisation code list (combination of subject code and personal contact information, which includes the informed consent) be preserved? What might be the exceptions to the rule (e.g. incidental findings, post-study withdrawal)?
  4. Is a penalty imposed when data are not disposed of in a timely fashion?
  5. In case of agreements and collaborations with third parties, do we even need to have personal data transferred to us, or should we make sure (as much as possible) to receive pseudonymised/anonymised data?

1. How long should personal data be preserved? How long should the informed consent be preserved?

According to the GDPR, personal data collected, processed, analysed, and archived should not be held or further used, unless this is essential for reasons that were stated in advance. How long personal data can or should be preserved thus depends on the research project and what is agreed on in the informed consent procedure. It is important to document these reasons as well as the processing steps taken.

Since personal data are often part of the scientific output and are thus necessary for assessing scientific integrity (e.g. to check cases of suspected fabricated survey data or fake interviews), it might be necessary to keep personal data for the long term (ten years). Make sure that long-term data archiving is also made explicit in your informed consent procedure.

Informed consent forms need to be stored (with restricted access) for at least ten years after publication, for reasons of scientific integrity (according to Radboud University’s RDM policy).

2. Am I allowed to keep participants’ names and contact details after the end of the research project?

According to the GDPR, personal data collected, processed, analysed, and archived should not be held or further used, unless this is essential for reasons that were stated in advance. Names and contact details are generally personal data required for administrative purposes, and this data should be deleted (i.e. the data should be anonymised) once data collection has been finished.

There are reasons to keep the administrative personal data longer, for example when you have arranged to inform participants about the research results or when you are carrying out longitudinal research. In the latter case, de-identification could be done by pseudonymisation instead of anonymisation, and this process should be mentioned in the informed consent procedure. Another reason to keep personal data after finalising the project is when the personal data are part of the scientific output and are necessary for assessing scientific integrity (e.g. to check cases of suspected fabricated survey data or fake interviews).

3. How long may the pseudonymisation code list (combination of subject code and personal contact information, which includes the informed consent) be preserved? What might be the exceptions to the rule (e.g. incidental findings, post-study withdrawal)?

The data minimisation principle requires that data be adequate, relevant and limited to what is necessary for the purposes for which they are processed.

Pseudonymisation code lists can thus only be kept as long as they are needed for the reasons stated in advance; in practice, this means the length of the study. Contact data, by contrast, are usually only necessary to collect data, and should be deleted as soon as possible after data collection. Consequently, anonymisation is preferred over pseudonymisation.

There are exceptions to this, for instance when you promised to inform data subjects about the study results. If pseudonymisation is necessary in the context of your research, make sure your informed consent procedure makes explicit which personal data you will be storing and for what period. If incidental findings or post-study withdrawal are reasons to store contact details for a longer period, this should be made explicit as well. However, once data are anonymised, the right to withdraw included in the GDPR expires, since anonymised data fall outside the scope of the GDPR.

Informed consent forms need to be stored (with restricted access) for at least ten years after publication, for reasons of scientific integrity (according to Radboud University’s RDM policy). Make sure that long-term data archiving (after publication) is also made explicit in your informed consent procedure.

4. Is a penalty imposed when data are not disposed of in a timely fashion?

Heavy fines for serious breaches reflect just how important the processing of personal data is in a 21st-century world. Article 83 and Article 84 of the GDPR refer to administrative fines, based on certain criteria that need to be assessed before imposing a fine (such as the number of people affected, any damage to the data subjects, the negligent or intentional nature of the infringement and action taken by the data controller to mitigate the damage). In addition, there are other tools to change the behaviour of organisations, such as warnings, reprimands or corrective orders. The Dutch Uitvoeringswet AVG has some provisions on penalties as well (Articles 16, 17 and 18).

What a ‘timely fashion’ is, however, depends on the specific research project. Since personal data are often part of the scientific output and are thus necessary for assessing scientific integrity (e.g. to check cases of suspected fabricated survey data or fake interviews), it might be necessary to keep personal data for the long term. Make sure that long-term data archiving is made explicit in your informed consent procedure, since informed consent is a legal ground for processing data.

5. In case of agreements and collaborations with third parties, do we even need to have personal data transferred to us, or should we make sure (as much as possible) to receive pseudonymised/anonymised data?

Based on the principle of data minimisation, personal data that doesn’t serve the purpose of the research project shouldn’t be processed. If the personal data isn’t necessary to answer the research question, this personal data shouldn’t be transferred to Radboud University. Request data to be anonymised when transferred. Pseudonymisation is an option as well if the key file that connects the data to individuals isn’t transferred. Of course, personal data can be transferred to Radboud University when the data serves the purpose of the research project. In this case a processor agreement or data exchange agreement is necessary. Be aware of data sharing or processing outside the EEA. When you share or process personal data outside the EEA, a processor agreement or data exchange agreement isn’t enough. For more information see the introduction on data minimisation.