GDPR in research: data minimisation

This website provides information about data minimisation in the context of the GDPR in research:

Definition

The data minimisation principle requires that data be adequate, relevant and limited to what is necessary for the purposes for which it is processed. This implies that:

  • Data collected, processed, analysed, and archived should not be held or further used, unless this is essential for reasons that were stated in advance.
  • Data collection and processing should only include as much data as is required to successfully answer the research question(s).
  • Data collected for one purpose cannot be repurposed without further consent. The reason for this is to support the privacy of the subjects involved. The reuse of data for scientific purposes is not considered to be incompatible with the initial purpose (Article 5.1.b).

Guidelines

  1. When collecting personal data, we advise you to ask yourself for which purpose you collect the data, how you are planning to use the data, and whether there is a way of achieving this purpose without having to collect the personal data. Document the choices you make in this process.

  2. Only collect the personal data that is strictly necessary to achieve the purpose, i.e. answering the research question(s). Our advice: don’t collect personal data that you cannot reasonably account for.

  3. It is advisable not to keep the personal data stored longer than necessary to achieve the purpose, i.e. answering the research question(s), being able to prove validity of research outcomes, complying with legal obligations, etc.

  4. Think about distinguishing between personal data required for administrative purposes (contacting data subjects, paying data subjects or following up on incidental findings) and personal data necessary to answer the research question(s). As the first type of personal data (data for administrative purposes) is usually not necessary to answer your research question, we advise you to delete this personal data as soon as you no longer need it. However, there are some exceptions, for example in medical research and for financial data.

  5. De-identification of personal data reduces the chance of identification. Anonymisation is the process in which you delete all information that may lead to identification of an individual. Consider indirect indicators and combinations of indicators too, as these may also lead to identification. Once personal data is properly anonymised, the data does not fall within the scope of the GDPR anymore.

  6. Another form of de-identification is pseudonymisation, which offers a (temporary) solution when it is necessary to keep personal data (for instance for longitudinal research or accounting for scientific integrity), but the personal data itself is redundant in the daily routine of processing and analysing data. Pseudonymisation refers to the process of replacing personal identifiers with codes that are stored in a different file in a different location. Keep in mind that pseudonymised data still remains personal data and therefore the GDPR still applies to this data.

  7. Repurposing personal data becomes an issue when the purpose is formulated in a (too) restrictive way in the informed consent procedure (e.g. ‘for this research project’ or ‘by the involved researchers’). If you reasonably expect repurposing of personal data in the near future, we advise you to make sure your consent is formulated broadly enough (e.g. ‘for research purposes’ or ‘by researchers employed by a scientific organisation’). However, data may only be processed for specified and explicit purposes (Article 5.1.b and Art29WP guideline on consent). If data is anonymised, future repurposing of the data collected is allowed without any consent, since anonymised data does not fall within the scope of the GDPR.

  8. Be particularly careful when you process biometric data (such as facial details, dental records, fingerprints, genetics and clinical data), as this type of data is often so unique that identification of individuals is relatively easy. Don’t collect biometric data if you cannot account for it.
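
Guidelines 4 and 6 describe separating identifying details from the research data and replacing them with codes kept in a different file. The following Python code is an added example, not part of the original guidance; the column names, the sample rows and the `P-` code format are constructed assumptions.

```python
import csv
import io
import secrets

# Constructed sample data: participant Alice is measured in two waves.
RAW_CSV = """name,email,wave,age,score
Alice Example,alice@example.org,1,34,7.5
Bob Example,bob@example.org,1,41,6.0
Alice Example,alice@example.org,2,35,8.0
"""

# Assumption: these columns are the direct identifiers in this dataset.
IDENTIFIER_FIELDS = ("name", "email")


def load(text):
    return list(csv.DictReader(io.StringIO(text)))


def pseudonymise(rows, identifier_fields=IDENTIFIER_FIELDS):
    """Return (research_rows, key_rows); only key_rows hold identifiers."""
    codes = {}  # identifier tuple -> code, so repeat measurements share a code
    research_rows, key_rows = [], []
    for row in rows:
        ident = tuple(row[f].strip().lower() for f in identifier_fields)
        if ident not in codes:
            # Random code, not a hash of the identifier: a plain hash of an
            # e-mail address can be reversed by hashing candidate addresses.
            code = "P-" + secrets.token_hex(4)
            while code in codes.values():  # regenerate on the rare collision
                code = "P-" + secrets.token_hex(4)
            codes[ident] = code
            key_rows.append({"code": code, **{f: row[f] for f in identifier_fields}})
        kept = {k: v for k, v in row.items() if k not in identifier_fields}
        research_rows.append({"code": codes[ident], **kept})
    return research_rows, key_rows


def to_csv(rows):
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(rows[0]))
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    for rows in pseudonymise(load(RAW_CSV)):  # research file, then key file
        print(to_csv(rows))
```

Write the two outputs to different locations with different access rights. The research file is still personal data, because fields such as age can identify someone in combination with other information.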

GDPR articles

More information about data minimisation can be found in the following recitals and articles in the GDPR.

Frequently asked questions

Read the frequently asked questions about data minimisation in the GDPR and its implications for research data management.