FAQ security measures

This website provides frequently asked questions about security measures in the context of the GDPR in research. Additionally, it is useful to read the general information about security measures.

1. How do I keep the pseudonymisation key safe?
2. How do I keep my paper research data safe?
3. Which software programs can I use if I need to collect personal data?

1. Since pseudonymisation and encryption are important concepts to secure research data, how do we make sure that we keep these keys in the proper hands, preventing the risk of losing them (data leakage!) over the minimal preservation period?

During research planning, make sure to write down who is responsible for maintaining and securing the key files and in what way (e.g. in a data management plan).

Pseudonymisation key files must be disposed as soon as no longer required for the purpose described. In some studies, this may be quite long (e.g. longitudinal studies), but in other projects, deleting the key-file may already be possible after finishing data collection. Make sure to describe this goal and the responsible persons prior to data collection.

The primary researcher is accountable and the principal investigator is responsible for making sure that the key file and any related passwords are kept, if required, after the researcher has left. Usually, the primary researcher hands over all relevant information to the principal investigator (who then may assign a new researcher to maintain those files). Key files and passwords should be safely stored on Radboud University or institute specific storage systems.

2. Storage of paper data for ten years can be risky but sometimes required. How do we deal with for instance paper questionnaires and field notes?

It is becoming more common to replace all paper forms by electronic forms, e.g. by using electronic (lab) note books, online questionnaire tools, etc. However, some tests can only be taken on paper, and also, quite some paper materials collected in the past are currently being archived.

In principle, paper data must be digitized and preserved in digital format together with other study data, after which the paper forms must be disposed. However, if digitizing is not possible and it is absolutely necessary to preserve the paper forms, they should be preserved on a secure location with limited access and including project info, researcher info, date of deposit and foreseen date of disposal. Ask your institute’s data steward what would be the best location for your paper study materials.

In addition, make sure to add information to your archived file folders about where to find these paper materials. Direct identifiable personal data should always be stored separately from other study data.

3. Which software programs for data collection and data processing/analysing are safe, when dealing with personal data (such as Atlas.ti and Qualtrics)?

Collection of direct identifiable personal data through software programs should be avoided. However, in some cases this is not possible, as specific personal data may be required for e.g. informed consent and payment of participants (such as name, BSN, address).

Whether or not a software program is considered safe – i.e. in compliance with the GDPR – is determined by the RU privacy officer. A processing agreement (verwerkersovereenkomst) with the party indicates that the RU considers the software package safe in terms of the GDPR, so this would be a first thing to check. Some agreements may however be faculty or institute specific. In general, the faculty’s decentral privacy officer can inform you about accepted tools.