FAQ minimisation of use
This website provides frequently asked questions about minimisation of use in the context of the GDPR in research. Additionally, it is useful to read the general information about minimisation of use.
- Provided a participant has agreed (via an informed consent form) with the de-identified sharing of research data, to what extent has that person the right to withdraw this agreement?
- Participants have the right to demand from the researcher the erasure of personal data concerning him or her, including data at any third party to which the controller has transmitted the data. In cases that pseudonymised data is archived in an online repository, to what extent can the participant request to erase the data based on this right to be forgotten?
- Can I share my participants’ personal data with (external) research collaborators, and/or which ethical/legal issues should be taken into account when considering to transfer personal data or identifying research data in scientific collaborations?
- Who is responsible for keeping the pseudonymisation key safe, especially when the primary researcher leaves the research institute?
1. Provided a participant has agreed (via an informed consent form) with the de-identified sharing of research data, to what extent has that person the right to withdraw this agreement?
First of all, the GDPR concerns participants’ rights with respect to processing of personal data, so participants can no longer withdraw processing of data that cannot be linked to them (i.e., anonymised data). If de-identified research data concerns indirect personal data of participants, participants have the right to be forgotten (i.e., right to erasure) if the data are no longer required for the purpose(s) earlier described, or if the participant withdraws his/her agreement. However, these rights do not apply if this data is to be archived for the common interest, for scientific or historical research or statistical reports. Make sure to only (publicly) share de-identified research data for scientific purposes.
2. Participants have the right to demand from the researcher the erasure of personal data concerning him or her, including data at any third party to which the controller has transmitted the data. In cases that pseudonymised data is archived in an online repository, to what extent can the participant request to erase the data based on this right to be forgotten?
See the answer to question 1. Pseudonymised data that is archived in an online repository cannot be used to identify the participant, without access to the pseudonymisation key (i.e. only the researchers may still be able to identify participants from this data). The participant can be forgotten by deleting the pseudonymisation key; this must be done only if keeping the key file is no longer required, i.e. if the minimal preservation period for purpose of scientific integrity has passed.
3. Can I share my participants’ personal data with (external) research collaborators, and/or which ethical/legal issues should be taken into account when considering to transfer personal data or identifying research data in scientific collaborations?
Participants’ personal data can only be shared according to the applicable information brochure, and informed consent form that was signed by the participant. Therefore, make sure to explicitly address with whom you will be sharing which data.
In principle, personal data or identifiable data should not be shared outside the initial research collaboration for two reasons: 1) to protect the privacy of research participants, and 2) because anonymised or pseudonymised data is usually sufficient for re-use of the data.
If sharing potentially identifiable data is required, one must use a data transfer/use agreement or other contract that describes the conditions and restrictions under which the data is shared to protect the participants’ privacy. If sharing is done within a research consortium, check whether any agreements were made concerning data transfer e.g. in the consortium agreement.
4. Who is responsible for keeping the pseudonymisation key safe, especially when the primary researcher leaves the research institute?
In principle, the principle investigator (PI) is responsible, and the researcher is accountable for keeping the pseudonymisation key safely stored, with limited access. Whenever the researcher leaves the institute, he/she must make sure to transfer access to this key to the PI, who can then decide to transfer accountability to someone else.
Of course, the key must be disposed as soon as no longer necessary for the purposes described. However, in some cases, the key must be kept for a longer period of time (e.g. in longitudinal studies) and therefore explicit agreements between researcher and PI are required.