FAQ GDPR in research
This website provides frequently asked questions about the GDPR in research. Additionally, it is useful to read the general information about the GDPR in research.
- Does the GDPR only apply to data collected and processed from May 25, 2018, or does the regulation also apply retrospectively?
- Isn’t there a tension between the GDPR's direction to delete personal data once it doesn’t serve the purpose anymore, and Radboud University’s RDM policy with regard to archiving data for minimally ten years for the reasons of scientific integrity?
- Privacy by design and privacy by default still are rather vague concepts. Could they be explained in steps with regard to research data (management)?
- Are there any exceptions to scientific research in the GDPR?
- Does the GDPR distinguish between different types of scientific research, such as for instance medical-ethical research and experimental research, compared to for instance interview research?
- Do we have to report to the data protection officer and/or the Dutch Data Protection Authority when working with personal data in a research project?
- How do we need to store informed consent forms? Is there a difference for this between research that falls under the WMO and other research? Is it legally required to keep the originals of consent statements from participants? Or does a digital copy suffice?
- Are there any checklists or formats for joint agreements and collaborations with third parties?
- Storage of paper data for ten years is risky. How do we deal with for instance paper questionnaires and field notes, at the same time making researchers aware of the risks (and proper alternatives/steps to take) when doing paper research with personal data?
- Article 2 of the GDPR states that the scope of the regulation is limited to personal data. If research data are anonymised/pseudonymised, to what extent do they still fall under the GDPR?
- What is the difference between anonymised, pseudonymised and de-identified data?
- What is the difference between personal data, indirectly identifying personal data and research data?
- Are there any guidelines on how to document your decisions on the collection and handling of personal data?
1. Does the GDPR only apply to data collected and processed from May 25, 2018, or does the regulation also apply retrospectively?
The GDPR applies to all the processing of personal data, also retrospectively. Actions before May 25th 2018 cannot be fined with the regulation of the GDPR. However, if these actions still continue, the GDPR applies to these actions.
Processing personal data refers to everything that can be done with data, from collecting to storing and from viewing to deleting personal data. Make sure that you act in accordance with the GDPR regarding all the data you processed in the past and will be processing in the future.
2. Isn’t there a tension between the GDPRs direction to delete personal data once it doesn’t serve the purpose anymore, and Radboud University’s RDM policy with regard to archiving data for minimally ten years for the reasons of scientific integrity?
There isn’t any tension if you:
- Anonymise the personal data that you are using if possible. (Be aware that there is a difference between anonymisation and pseudonymisation. In case of anonymisation it is not possible to link the data to a person, there is no key anymore).
- Make sure that archiving personal data for assessing scientific integrity is included in the description of the purpose of the processing of personal data (e.g. in the project proposal).
- Mention the archiving of personal data for scientific integrity in the informed consent procedure, so the data subject is informed.
- Distinguish between the personal data required for administrative purposes (contacting data subjects, paying data subjects or follow up on incidental findings) and personal data necessary to answer the research question(s). As the first is not necessary to answer your research question and as such doesn’t need to be archived to guarantee the assessment of scientific integrity, these personal data should be deleted as soon as you don’t need it anymore.
Please keep in mind that the latter example is a grey area, and that you should decide yourself what fits your research project. There might be a good reason and a legal base to archive contact details as well. In that case, make sure to pseudonymise the data and archive the key file in another storage location.
3. Privacy by design and privacy by default still are rather vague concepts. Could they be explained in steps with regard to research data (management)?
- Privacy by design implies that right from the start, any actions involving the processing of personal data is done with data protection and privacy in mind.
- Privacy by default ensures that by default, all technical and organisational measures are taken to process data with the highest privacy protection (for example: only data necessary should be processed, short storage period, limited accessibility). Privacy by default can be understood as a subpart of privacy by design.
Marlon Domingus (Erasmus University Rotterdam) drafted a London Metro Map approach to visualise and assess privacy by design in your project, including determining the need for a Privacy Impact Assessment (PIA).
4. Are there any exceptions to scientific research in the GDPR?
- Consent from a data subject is not always required (at least from the perspective of the privacy protection of the data subject; asking informed consent is an ethical consideration as well). It is only one of the bases for the lawful processing of personal data to which a researcher could refer.
Other bases which can be used for research as well, are a contract, compliance with a legal obligation, the public interest, or the legitimate interests pursued by the controller or a third party (Article 6; Recital 47).
- There is an exception to the principle that personal data is not saved longer than necessary for the purpose of processing, namely from the perspective of archiving in the public interest, scientific or historical research, and statistical purposes (Article 5.1.e).
- These other grounds also give room to repurpose personal data, but only based on an additional compatibility test (Article 6.4; Recital 50).
- There are special provisions for medical research and research with genetic data.
- The importance of linking data from registers for research is recognised as well (Recital 157). There are additional safeguards for the processing of criminal data (Article 10).
- For research, special categories of personal data may be processed. Provided that appropriate technical and organisational measures have been taken, certain right of data subject may be renounced, if this is necessary for research (Article 89). Each member state may provide further implementation of this exception (in the Netherlands: Uitvoeringswet AVG (UAVG)).
- The UAVG also formulates an exception on academic expression, aimed at creating a balance between freedom of expression and the protection of personal data (Article 85).
- Generally, the GDPR and the UAVG prohibits the processing of special categories of personal data (Article 9), but there are clear exceptions to this (such as explicit consent, public personal data and substantial public interest). For data collected for the purpose of providing healthcare article 548 of the WGBO (Wet op de Geneeskundige Behandelingsovereenkomst) should be considered as well.
5. Does the GDPR distinguish between different types of scientific research, such as for instance medical-ethical research and experimental research, compared to for instance interview research?
The GDPR is applicable to all scientific research involving data which can identify an individual (personal data), regardless of the nature of the research. The type of scientific research, therefore, is not a differentiator in the context of the GDPR.
There is, however, a distinction between personal data and special categories of personal data. As medical data often involves special categories of personal data, there are some additional rules in place with regard to for instance security measures and consent. Not only medical data are special categories of personal data, for example religious beliefs also are. For more information see Article 9.
6. Do we have to report to the data protection officer and/or the Dutch Data Protection Authority when working with personal data in a research project?
The duty to report working with personal data to the Dutch Data Protection Authority has expired on May 25th, 2018, with the introduction of the GDPR. However, accountability is one of the biggest changes introduced by the GDPR: a new data protection principle that says organisations are responsible for, and must be able to demonstrate, compliance with the other principles.
As a researcher, you need to be proactive about data protection, and evidence (document) the steps you take to meet your obligations and protect people’s rights.
7. How do we need to store informed consent forms? Is there a difference for this between research that falls under the WMO and other research? Is it legally required to keep the originals of consent statements from participants? Or does a digital copy suffice?
In research that falls under the WMO (Wet Medisch-Wetenschappelijk Onderzoek met Mensen), signed paper informed consent forms (also known as documents with wet signatures) should be stored for 15 years. For clinical trials, informed consent forms are stored for 25 years. For this type of research, it is legally not allowed to substitute (i.e. destroy the original document after digital copies are made): if they are paper, they must remain paper.
For scientific research that does not fall under WMO legislation, paper informed consent can be digitised (i.e. make digital copies), in order to make a proper backup. The original paper informed consent forms can be destroyed six months after digitisation. The digitisation process should be in line with the RU substitution manual. Since informed consent forms include personal data, make sure you are GDPR compliant when processing them.
8. Are there any checklists or formats for joint agreements and collaborations with third parties?
Yes, there are formats. You can ask advice from your Decentralised privacy manager of your department when closing an agreement that involves the processing of personal data.
9. Storage of paper data for ten years is risky. How do we deal with for instance paper questionnaires and field notes?
Making backups is for paper data as important as for digital data. Therefore, always make a backup of your paper data, for instance by digitising it. Since paper data often include personal data, make sure you are GDPR compliant when processing them, both for the original paper document and the (digital) backup. For practical tips, see the following webpage.
Substitution is the process of digitising paper documents and then destroying the original documents. This process together with all the accompanied rules and regulations is described in the RU substitution manual. A good way to secure paper questionnaires and field notes, for instance, is by substituting these documents. However, it is important to store the non-digital data after digitisation for 6 months before destroying it. The digitisation and destroying process should be well documented and stored. Store the documented replacement process together with the digital data.
For the processing of paper informed consent forms, see question 7.
10. Article 2 of the GDPR states that the scope of the regulation is limited to personal data. If research data are anonymised/pseudonymised, to what extent do they still fall under the GDPR?
In order to answer this question, it is important to explain the difference between anonymisation and pseudonymisation.
- Anonymisation is the process of removing all the direct and indirect information that can link the data to an individual.
After anonymisation, nobody, including the party that performs the anonymisation process, can link the data to an individual anymore, i.e. no key files, pseudonyms, etc. are used. When data is fully anonymised, the data isn’t personal data anymore and it doesn’t fall in the scope of the GDPR.
- When the data is pseudonymised it is still possible, albeit indirectly, to identify the person. Generally, a key file is used so that at least one person can link the data to an individual. Even though most people cannot trace the data back the participant, the data is still personal data and therefore falls in the scope of the GDPR.
11. What is the difference between anonymised, pseudonymised and de-identified data?
- De-identification refers to the process preventing a person’s identity from being connected to the information. De-identification can be achieved by anonymising or pseudonymising personal data.
- Anonymisation of data is thus a subcategory of de-identification whereby data can never be re-identified. It is the process of removing all the direct and indirect information that can link the data to an individual. In case of anonymisation, the process of de-identification is irreversible, even for the study organisers.
- Pseudonymisation of data refers to a form of de-identification in which the data can be linked to an individual using a code, algorithm or pseudonym. The data becomes indirect identifying personal data after pseudonymisation. This process of de-identification is reversible by linking the code, algorithm or pseudonym to the data.
12. What is the difference between personal data, indirectly identifying personal data and research data?
- Research data is any kind of experimental data, observational data, operational data, third party data, public sector data, monitoring data, processed data, or repurposed data necessary to formulate hypotheses and answer research questions. Research data may involve personal data as well.
- Personal data refers to any information relating to an identified or identifiable natural person, that is: a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, etc.
- Direct identifying personal data refers to data which contains for example the name of the data subject, identity numbers, telephone numbers, email addresses, postal addresses or bank account numbers, etc.
- Indirect identifying personal data refers to data that can be traced back to an individual when combined with other information. Since these data can be traced back to an individual (even though not in a direct way), the data are personal data and should be treated as such.
13. Are there any guidelines on how to document your decisions on the collection and handling of personal data?
This documentation is usually referred to as the processing register. The Data Protection Manager of your department can help you with this.