FAQ goal setting

This website provides frequently asked questions about goal setting in the context of the GDPR in research. Additionally, it is useful to read the general information about goal setting.

  1. Does the GDPR include any direct guidelines that may help in the decision about how long to preserve or when to dispose of personal data of research participants?
  2. Concepts such as data removal, data deletion, data fading and retention periods (such as: viewing, correcting, deleting rights of respondents) are really new to policy makers as well. Could you provide some main guidelines for both researchers and policy makers?
  3. Provided research data are always shared pseudonymised, does the sharing of indirectly identifiable research data (DNA, biological data or unique data combinations etc.) impose different legal constraints than the sharing of anonymous data?
  4. Provided research data are always shared pseudonymised, does the sharing of special categories of personal data (i.e. data pertaining to health, religion, political opinion) impose different legal constraints other than the sharing of non-special categories of personal data?
  5. We could use some practical information on data minimisation, since this is quite a grey area. How do you account for the data you need? How do we stimulate our researchers to really consider this when collecting data (instead of harking lots of data sources)?
  6. The GDPR includes exceptions concerning personal data processing for archiving data in the public interest, for scientific and historical research purposes and for statistical purposes. Which exceptions are included?
  7. Is it true that data deposited in an archive do not fall within the scope of the GDPR?

1. Does the GDPR include any direct guidelines that may help in the decision about how long to preserve or when to dispose of personal data of research participants?

The GDPR states that it’s prohibited to store personal data for a longer period than necessary. This also applies to research. Personal data used for research can’t be stored longer than necessary for this research, unless an exemption is made.

A researcher has to determine the period of preservation of personal data. To do so, the researcher has to consider all aspects of the research and of privacy. On the one hand, personal data may be required to be able to contact the participant in case of occurrences or simply for reasons of scientific integrity. For example, informed consent forms contain personal data and must be preserved to enable scientific integrity checks. On the other hand, research data can often be processed in an anonymised way that does not require the actual personal data after the data have been collected. In any case, whenever possible, store experimental data separately from personal data (as they are used for different purposes) and only store personal data for as long as necessary according to your goal description. Determine whether and how long to store personal data based on the following questions:

  1. Which personal data do you actually need to store, and for which purposes?
  2. Is the purpose described legitimate? I.e. is it reasonably valuable to store this data, without unnecessary risks or disadvantages for the participant?
  3. What would be the consequences for the data subject if a data leakage occurs?
  4. For how long would you need to store the personal data, i.e. when does the purpose as described above no longer apply?
  5. How will you ensure privacy protection of participants (anonymisation, pseudonymisation, password protection of files, etc.)?

2. Concepts such as data removal, data deletion, data fading and retention periods (such as: viewing, correcting, deleting rights of respondents) are really new to policy makers as well. Could you provide some main guidelines for both researchers and policy makers?

In general, in line with GDPR, inaccurate personal data should be rectified or deleted without any delay. The following steps could help you do that:

  1. Document for which purposes personal data are stored.
  2. Implement regular checks on data quality and give data subjects the opportunity to rectify/delete data.
  3. Implement procedures for rectification/deletion of personal data, including who will be responsible and how to make sure the rectification/deletion is actually processed.
  4. If personal data is inaccurate and you are not able to rectify the data, the data must be deleted.
  5. If personal data is no longer necessary for the purpose described (see 1), the personal data must be deleted.

3. Provided research data are always shared pseudonymised, does the sharing of indirectly identifiable research data (DNA, biological data or unique data combinations etc.) impose different legal constraints than the sharing of anonymous data?

Pseudonymised data are data that can indirectly be traced back to an individual. Because it is possible to trace the data back to an individual, the data should be treated as personal data and thus fall within the scope of the GDPR. For indirectly identifiable data, the same principle applies. They should thus be treated as personal data, in contrast to anonymised data, which fall outside the scope of the GDPR.

4. Provided research data are always shared pseudonymised, does the sharing of special categories of personal data (i.e. privacy sensitive: pertaining to health, religion, political opinion) impose different legal constraints other than the sharing of non-sensitive personal data?

If data are pseudonymised, they can still be traced back to an individual using, for example, a key file. Pseudonymised data thus are always personal data. Therefore, extra security measures must also be taken with regard to pseudonymised data.

Special categories of personal data are personal data showing race or ethnic origin, political views, religious or philosophical convictions, health, sexual orientation, genetic data and biometric data. Processing of special categories of personal data (i.e. sensitive data) is prohibited, unless explicit informed consent is given by the data subject. For personal data in general, on the contrary, informed consent is just one of the legal grounds for processing data.

For sharing special categories of personal data, the same principle applies: you cannot share these data without informed consent. Other than informed consent, however, there are no other legal constraints regarding the sharing of special categories of personal data, compared to the sharing of personal data in general.

5. We could use some practical information on data minimisation, since this is quite a grey area. How do you account for the data you need? How do we stimulate our researchers to really consider this when collecting data (instead of harking lots of data sources)?

Data minimisation must be applied when processing direct as well as indirect personal data. Data which do not contain any personal data (unidentifiable data) are not subject to the obligation of data minimisation.

The amount of personal data processed during research must match the purpose of that processing. For example, the use of the full birth date is usually not necessary. Part of it, such as the year of birth, is often sufficient. In case of research into premature birth, the use of a birth date may be necessary. In that case the inclusion of a full birth date is acceptable, provided this is explicitly stated in the protocol and informed consent.

Human-related research that has to be tested by the METC (Medische Ethische Toetsingscommissie) is always provided with a protocol in which the study parameters are mentioned. This forces researchers to think carefully about which parameters will be collected before starting a study. After approval of the protocol, the researcher must stick to this protocol so that no more data can be collected than is written down in the protocol.
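The sketch below is an added example, not part of the original FAQ. It combines three points made above: only parameters listed in the protocol are accepted, the birth date is reduced to the year of birth unless the protocol states otherwise, and direct identifiers go into a separate key file that carries its own deletion date. The field names, the protocol contents and the retention date are hypothetical.

```python
import secrets
from datetime import date

# Hypothetical protocol: the only research parameters approved for collection.
PROTOCOL_FIELDS = {"birth_date", "blood_pressure", "smoker"}
# Direct identifiers: stored in the key file only, never in the research data.
DIRECT_IDENTIFIERS = {"name", "email"}
# Set to True only if the protocol and informed consent state a full birth date.
FULL_BIRTH_DATE_IN_PROTOCOL = False


def split_record(raw, retention_until):
    """Return (key_entry, research_row) for one participant record."""
    unexpected = set(raw) - PROTOCOL_FIELDS - DIRECT_IDENTIFIERS
    if unexpected:
        # Refuse to store anything the protocol does not list.
        raise ValueError(f"fields not in protocol: {sorted(unexpected)}")
    pseudonym = secrets.token_hex(8)  # random, not derived from the identity
    key_entry = {"pseudonym": pseudonym, "delete_after": retention_until}
    key_entry.update({f: raw[f] for f in DIRECT_IDENTIFIERS if f in raw})
    research_row = {"pseudonym": pseudonym}
    for field in sorted(PROTOCOL_FIELDS & set(raw)):
        if field == "birth_date" and not FULL_BIRTH_DATE_IN_PROTOCOL:
            research_row["birth_year"] = raw[field].year  # minimised value
        else:
            research_row[field] = raw[field]
    return key_entry, research_row


def purge_expired(key_file, today):
    """Keep only key-file entries whose retention period has not ended."""
    return [entry for entry in key_file if entry["delete_after"] >= today]


if __name__ == "__main__":
    # Constructed sample record, not real participant data.
    sample = {"name": "Participant A", "email": "a@example.org",
              "birth_date": date(1990, 5, 17), "blood_pressure": 120,
              "smoker": False}
    key, row = split_record(sample, retention_until=date(2030, 1, 1))
    print("key file entry :", key)
    print("research record:", row)
    print("after retention:", purge_expired([key], date(2030, 1, 2)))
```

The research record stays pseudonymised personal data for as long as the key file entry exists, so both files need access control, with the key file stored separately.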

6. The GDPR includes exceptions concerning personal data processing for archiving data in the public interest, for scientific and historical research purposes and for statistical purposes. Which exceptions are included?

Article 89 of the GDPR describes the following exceptions concerning personal data processing for scientific research:

  1. In general, processing of personal data for these purposes must be subject to appropriate safeguards for the rights and freedoms of the data subject and, in particular, must respect the principle of data minimisation. These measures include pseudonymisation. However, as soon as the research purpose can be fulfilled by processing data that do not permit identification of data subjects, one must fulfil those research purposes by using only those (de-identified) data.
  2. In addition, when processing personal data for scientific purposes, Union or Member State Law (see specifications in Dutch law below) may state derogations from the data subjects’ rights (i.e. right of access, rectification, restriction of processing and right to object) if these rights seriously impair the achievement of the scientific purpose, and such derogations are necessary to fulfil the purpose.

The Dutch UAVG (Uitvoeringswet Algemene Verordening Gegevensbescherming) specifies the following exceptions with respect to processing of personal data for scientific research:

  1. Processing of special categories of personal data (GDPR article 9) is not prohibited if processing is necessary for the purpose of scientific and historical research or statistical purposes (UAVG Article 24).
  2. When processing personal data for scientific or statistical purposes, participants’ rights as in GDPR Articles 15, 16, and 18 (right to access, rectification, and restriction of processing) can be disregarded, provided that the data processor ensures that personal data is only used for the scientific or statistical purposes described (UAVG, Article 44).

7. Is it true that data deposited in an archive do not fall within the scope of the GDPR?

In the GDPR, no distinction is made between personal data in general and archived personal data in a repository. However, when data are archived in a public repository, they are either anonymised data (and thus do not fall within the scope of the GDPR) or there is informed consent for archiving personal data in a public repository and making them available for the long term (often: indefinitely). In the latter case, the data thus still qualify as personal data and fall within the scope of the GDPR.