GDPR in research: minimisation of use
This website provides information about minimisation of use in the context of the GDPR in research:
The principle of minimisation of use concerns minimising access to and processing of personal data, by only authorised persons, for a pre-defined purpose and period of time.
- In case an authorised person leaves the research project, make sure to revoke his/her rights to process personal data. At the university or institute level, this is usually automatically done when someone’s contract ends. However, in e.g. some research data management systems, access rights must (and can only) be granted and revoked by the manager of the project.
- Transfer of personal data is only allowed if it fits the previously defined purpose for collection of data (see section on goal description) and after consent by the person who’s data are transferred (research participant).
- In addition to permission, transfer of personal data requires documentation of rights and restrictions concerning its use.
- Research participants must be informed about the processing of their personal data through information brochures. Sharing of personal data for goals other than those defined in the research project, is only allowed after specific consent by the participant through the informed consent procedure.
- Before starting data collection, we advise you to ask yourself which personal data you need to collect and for which purpose (see section on data minimisation). In addition, document who should have access to process these data, for which specific purpose and in which stage of research.
- Be specific when defining access rights concerning processing of personal data. That means: use different roles if possible. A project contributor, for instance, should have contributor rights to be able to read, modify and potentially delete information. And someone with a monitor role, such as a primary investigator or other supervisor, may only need reading rights.
- Using a research data management system is highly recommended as these facilitate the granting and revoking of access permissions. However, always keep (direct identifiable) personal data and experimental data strictly separated.
- If access on file folder level is not sufficient, use password-protected files for personal data, and share the password only with those requiring access.
- In information brochures and informed consent forms, be specific to participant about who has or may have access to his/her personal data. Request permission if you may need to share personal data outside the purposes of the research project.
- In case others outside the research collaboration need access to research data, which may include (potentially) identifiable data, this requires a data use agreement that specifies any conditions or restrictions concerning the use of those data.
More information about minimisation of use and access restriction can be found in the following recitals and articles in the GDPR.
Frequently asked questions
Read the frequently asked questions about minimisation of use in the GDPR and its implications for research data management.