FGB Privacy Officer
The following is a list of frequently asked questions from FGB researchers on the topics of research data management (RDM), privacy (in particular, with regards to the European General Data Protection Regulation (GDPR)) and security requirements at the faculty and the VU. This list will be updated as regularly as possible as new developments are made, as new tools become available or as policies, guidelines, and other rules change.
You can find information on what to prepare prior to starting your research on this VUweb page.
The following FAQs also offer answers to many of the questions that come up prior to starting your research:
In terms of priority, you should first determine which concerns will add to the costs of your research so that you can properly calculate how much funding you require from your grant provider. In addition to data storage costs, there may also be costs when hiring a third party software provider or when receiving in-house technical support from the faculty's Technical Support department. You should also start the processes related to setting up contracts or getting privacy/security support as early as possible in your planning as these steps can take quite some time.
Basically, privacy is about the rights of and risks for your research participants. It doesn't matter whether data was directly collected from research participants or indirectly obtained from another institution; if data are about individual people and the data are not anonymous, then it is necessary to protect the data. (For more information on what is and isn't anonymous data, see the question The GDPR only applies to personal data, but my data are anonymous. Why do I have to worry about the GDPR?).
Security has more to do with the risks for FGB and VU Amsterdam. Privacy plays a role in this. If we don't sufficiently protect the privacy of research participants, it can damage our institution's reputation, which could make it more difficult to recruit participants in the future. Good security keeps information confidential when personal information needs to be kept private or when information needs to be kept secret for other reasons. Good security also helps to minimize the risks that could arise from the loss or corruption of your data.
FAIR data and open data are not the same thing. It is also not a requirement of the FAIR principles that data be openly and publicly accessible to everyone in the world. If the GDPR applies to your data, it won't be possible to make the data 100% publicly accessible, but the data can still be made FAIR. Oftentimes, you can openly publish the documentation and metadata about your data; by doing so you make your data more FAIR without making it publicly available.
Documentation and metadata that you can publish (as long as there isn't any confidential information present) to improve the FAIR-ness of your data include:
It's important to be aware that data that are subject to the GDPR must be archived on a VU archive. You shouldn't aim to meet the FAIR principles by storing this kind of data on an external archive. There are ways to manage access to the data even when they are stored on a VU archive. This is discussed further in the question What are the FAIR principles? How can I apply them in my work at the VU?
For further information on the FAIR principles and how to apply them, see the question What are the FAIR principles? How can I apply them in my work at the VU?.
The VU provides a tool called DMPonline, which includes various funder templates as well as a VU specific template that has been approved by NWO and ZonMw. If you wish to use the VU DMP template in DMPonline, click on the "Create Plan" button, and then under "Select the primary funding organisation" check the tick box that says "No funder associated with this plan". This will cause the VU DMP template to appear.
If you need advice on your DMP, you can contact the FGB Research Data Stewards via the e-mail research.data.fgb@vu.nl.
Metadata are data about data and there are both discipline-specific and generic metadata. Generic metadata, or project-level metadata, provide details about what information your data contain, where and when the data were created, and by whom the data were collected/created, as well as information for a reuser of the data about what the terms of use are and how that reuser can get access to the data. Discipline-specific or data-level metadata provide additional information that is specific and relevant to certain types of data and disciplines. Whether you use metadata standards (also known as metadata schema) or not, you will create metadata in your research: any codebooks, cleaning and analysis scripts, and other documentation about your research are all metadata. However, by using internationally recognized metadata standards for your research, you will ensure that you record and report sufficient information so that others can readily find your data, determine if they are allowed to access your data, and, ultimately, understand how to use your data.
For the purposes of your DMP, it is generally sufficient just to report which generic metadata standard you will use to describe your data and research project. CERIF, DataCite and Dublin Core are all good metadata standards that are frequently used to create generic metadata. Because it's VU policy to register all archived datasets in PURE, which uses CERIF, you can report in your DMP that you will use, at a minimum, the CERIF metadata standard. If you plan to archive your data in a trusted repository, the repository may require that you use a specific metadata standard that you can also report in the DMP. Additionally, if your research involves surveys, you can report in your DMP that you'll use the discipline-specific Data Documentation Initiative (DDI) metadata standard.
If you look up information about metadata standards, you will see a lot of information about machine-readable formats. These formatted metadata are usually created when you fill in a form about your data. For example, when you register your dataset in PURE, structured CERIF metadata is created behind the scenes. That means for your generic metadata, the most important thing you should do is find out what information you will need to report for a certain metadata standard and record that information during your research, even in a simple text file. Then you will have that information on hand when you need to report it later on. For more information on recording metadata, including templates for making your own machine-readable metadata, see this page from the CESSDA Research Data Management tutorial. For your discipline-specific metadata, if you have structured data and are using a codebook to describe all of your variables, you can try making a DDI codebook which can be read by both people and machines.
In addition to metadata standards, you may be asked in your DMP about what ontologies, terminologies and/or controlled vocabularies you will use. There is a lot of overlap between these topics and metadata standards, and some of the concepts are quite complex. Ontologies have to do more with taking the information reported in a metadata standard and making that information understandable to machines. Most of the work happens behind the scenes, so unless you are being explicitly asked to figure out ontologies, don't worry too much about that concept. What you can report in your DMP are any standards for terminology or controlled vocabulary you plan to use. You may already apply the concept of controlled vocabularies in your research, e.g. in a survey where only a specific set of answers are allowed for questions about ethnicity, highest level of education or language proficiency. Something that will make your data more understandable to others is if you aim to use terminology and controlled vocabularies that are (inter)nationally agreed upon and well recognized in your discipline, rather than generating new vocabularies and terminology just for your research.
Castor EDC is a software tool that can be used to create data entry forms and manage databases. It is available for use by FGB researchers, but in order to use it properly at FGB, you must review the Castor "Spelregels".
Storage costs vary depending on which storage option you use. You will also need to determine the costs of storage during and after your research. You can get the most up-to-date information on storage costs on this page by selecting the storage solution you plan to use. A pop-up window will show you the costs. You can also find information on costs of storage solutions managed by the VU NeRDS program on this page. Note that grant providers don't usually cover the costs of storage after research (a.k.a. archiving); however, the VU NeRDS program subsidizes the costs of archiving in YODA (this cost model is described here). Archiving up to 500 GB of data will be covered by the VU; anything above this amount should be billed to your department.
You can find information on how to meet your archiving requirements on this page summarizing the FGB Archiving Guidelines.
Every department has a paper archive and you can contact your department's secretaries to make use of these archives for your paper data.
The original paper copies should not be destroyed after the information has been digitized. Further explanation can be found in the FGB Archiving Guidelines.
The FAIR principles were developed to give structure and guidance in how to achieve good data management, especially for data that will be reused in the future (by you, your research team, or other third parties). There is no requirement that FAIR data be made publicly available, a.k.a. open. Additionally, just because a dataset is openly available, doesn't mean that it is FAIR. There are many datasets publicly available right now that are not reusable because there is insufficient documentation about the data to be able to fully understand, interpret and use that data.
The F in FAIR refers to findable data. This means that an individual can find the right dataset for their needs and purposes. VU researchers can improve the findability of their data by publishing metadata about their data on YODA or OSF, or by registering their data in PURE. It is a requirement at VU Amsterdam that all archived data be registered in PURE. If you publish metadata on OSF, this information will be imported into PURE automatically. It is not currently possible for metadata in YODA to be imported to PURE, so you will need to register this information separately in PURE. It is imperative that data be registered in PURE so that VU Amsterdam can better monitor and report on data production activities at our institution.
Another consideration for findability that isn't specifically discussed by the FAIR principles is to strive to make your data findable to you and your research team by using logical folder structures and file naming conventions for your datasets, scripts and documentation. This data management tutorial provides many useful tips for how to organize your work, name your files and structure your folders.
The A in FAIR refers to accessible data. This term leads to a lot of confusion, but it does NOT mean that your data must be publicly accessible. It means that there needs to be clear documentation regarding how the data can be accessed, if appropriate. If the GDPR applies to your data (which is the case for most data in the faculty), access to the data should only be given upon request. There are several things you will need to address when planning to manage access to the data:
The I in FAIR means data and metadata (data about data) should be Interoperable. Basically it means that both humans and computers can properly interpret and understand the data and metadata. One way to achieve this is using standards when creating metadata or by using vocabulary that is also used by other researchers in your field. See the question I'm writing a data management plan (DMP) and the template is asking about which metadata standards, metadata schema, ontologies, terminologies and controlled vocabulary I will use. What does this mean? for more information about metadata. In addition to creating metadata about your research data, you can also improve the interoperability of your data by using open-source software (e.g. R or Python) and data formats (e.g. csv, txt). If someone needs to use proprietary software to open and analyze your data files, then the data are less readily interoperable.
Additional infrastructure at the VU is being developed to support researchers in meeting the Interoperability requirement; this information will be communicated as this infrastructure becomes available. For now, focus on maintaining good documentation about your data, for example, by:
Finally, the R in FAIR means reusable. In simple terms, it's a summary of the F, A, I aspects of the FAIR principles: if you meet those requirements, your data should be reusable. There are some more details that apply here, but those will be explained as the FAIR data infrastructure at the VU develops.
It is important to be aware that making your data FAIR does not guarantee that your data are of a high quality. Following the FAIR principles only ensures that data can be reused by others. The best way to ensure data quality is to effectively plan for research data management before starting your research. Take the time to think about which variables are necessary to answer your research question and whether the planned methods of collecting data for these variables could lead to unreliable results. For example, if you are creating a question in a questionnaire that contains both open text fields (e.g. "other, namely", "Comments") alongside questions with pre-defined answers, consider whether there is a risk of collecting conflicting information. There isn't a perfect way to deal with such issues; it ultimately depends on what information you need to answer your research question. If you plan ahead, however, you can choose different ways to collect the necessary information. Or you can develop a data cleaning protocol for managing any inconsistencies as they arise; a documented protocol will ensure that all members of your research team clean the data in a consistent manner. Finally, any data cleaning steps should be well documented using code or in a logbook so that there is a clear record of how data were modified prior to analysis. This helps with transparency and prevents any questions about academic misconduct from arising.
If your data are subject to the GDPR, you shouldn't make them publicly available, but you can publish information about the data and how they can be accessed (the "A" in FAIR-data). See the questions How can I meet the FAIR principles/Open Data requirements if my data are subject to the GDPR? and What are the FAIR principles? How can I apply them in my work at the VU? for information on how to make your data FAIR even if they cannot be made publicly available. Addressing the issue in this way should be sufficient for your funder or the journal.
The VU has had an Open Access publishing policy since Jan 1, 2023. You can find guidance and help on this topic on this page.
Good research data management not only helps a research project run more smoothly, it can result in higher quality data and improve the validity and reproducibility of your study results. There have been cases where published studies have been retracted because the variables used in the analysis were mislabeled, leading to completely invalid and misleading results. Clear documentation could have helped to avoid this. Clear documentation also makes your data more understandable to yourself, your internal research team and any future users of the data.
Planning ahead with research data management helps you to ensure the privacy and security of your research data; for example, you may need to plan out a good method for collecting data outside the VU. Writing this down in a data management plan gives everyone in your research team a clear understanding of what their responsibilities are and shows any data protection authorities that you’ve considered the risks and taken appropriate and strategic measures to minimize these risks.
Data management planning can also help minimize the amount of work required to clean your data; for example, by building validation checks into your data entry forms, you prevent impossible values (e.g. age of 200) from being entered. Additionally, if you will be using questionnaires in your research and you take the time during data management planning to think about the structure of your questionnaire, you can determine where and when open text fields are absolutely necessary, minimizing the amount of text data that will need to be recoded into categorical data during data processing.
Finally, data management planning helps with preparing for archiving and publishing of research data. Data archiving after an article is published is a requirement of the VSNU Code of Conduct for Research Integrity. There have been numerous cases around the world where research publications have been retracted because the original data were not findable, meaning that the validity of the research findings could not be confirmed. Additionally, data should not only be archived to allow for verification of research findings, but also described clearly and effectively through documentation and metadata so that others who may need to check the data can fully understand the data and interpret them. Archiving takes a lot of work, but the stress of archiving can be reduced if you plan ahead for it during your data management planning (by thinking ahead about what parts of your research need to be archived, what documentation is necessary to understand the data and which archiving location should be used).
These are just a few examples of how research data management plays a role in how smoothly your research project will run. It’s not necessary to know all of the details about data management at the start of your research, but it is important to document what is known at the start of a project and to regularly review and update the data management plan as more information becomes available.
You can find additional information about research data management on the faculty research data management support page. This VUweb page serves as an overview to guide you to more detailed information.
You can also go directly to the detailed FGB-specific support on the Research Data Management @ FGB pages. If you can't find an answer on the Research Data Management @ FGB pages, the VU Open Handbook is also an excellent resource that complements the FGB pages already mentioned.
This GDPR summary page provides an overview of what the GDPR means for you as a researcher.
This is a complex issue. The GDPR has broadened the definition of personal data to: “any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”. It is the indirect identification of individuals that makes it difficult to say with certainty that data about people are anonymous, because through the combination of several indirect identifiers, or by coupling these identifiers with publicly available data, a person could actually be quite easily identified. In a world of Big Data, AI and learning algorithms it's almost never possible to 100% guarantee anonymity when data about people are collected. Additionally, the rules that the Dutch Data Protection Authority applies when considering if data are anonymous are quite strict. For data about people to be anonymous, the following three conditions must all apply:
Because of these very strict rules, the faculty advises all researchers using data about humans to treat such data as personal data under the GDPR. This means that all data about people should be protected with at least some security measures such as those suggested in this guide. Lower risk data (e.g. benign information about healthy adults) don't require as many or as strict security measures, but at a minimum these data should be saved in a pseudonymized manner (i.e. no names and contact information stored in the same dataset as the research data) and these data should be stored on and shared through VU approved facilities.
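As an added illustration (not part of the faculty guidance), the following Python splits a constructed participant table into a key file holding the direct identifiers and a research dataset that carries only a random pseudonym, so the two can be stored in separate locations as the paragraph above describes; the column names are assumptions.

```python
import csv
import io
import secrets

# Constructed sample: a raw participant table as it might be exported from a
# data entry tool. Column names are assumed for this example.
RAW_CSV = """participant_name,email,age,score
Alice Example,alice@example.org,34,71
Bob Example,bob@example.org,29,65
Carol Example,carol@example.org,41,58
"""

# Direct identifiers that must not sit in the same file as the research data.
IDENTIFIERS = ("participant_name", "email")


def pseudonymize(raw_csv, identifiers=IDENTIFIERS, id_bytes=8):
    """Split one CSV table into (key_rows, research_rows).

    key_rows     : pseudonym + direct identifiers -> store in a separate,
                   access-restricted location (the "key file").
    research_rows: pseudonym + research variables only -> the working dataset.
    """
    reader = csv.DictReader(io.StringIO(raw_csv))
    key_rows, research_rows = [], []
    used = set()
    for row in reader:
        # A random, non-sequential pseudonym: sequential numbers would leak
        # the order in which participants were recruited.
        pid = secrets.token_hex(id_bytes)
        while pid in used:
            pid = secrets.token_hex(id_bytes)
        used.add(pid)
        key_rows.append({"pseudonym": pid, **{k: row[k] for k in identifiers}})
        research_rows.append(
            {"pseudonym": pid, **{k: v for k, v in row.items() if k not in identifiers}}
        )
    return key_rows, research_rows


def to_csv(rows):
    """Serialize a list of dict rows back to CSV text (for writing to a file)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()), lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def contains_identifiers(research_rows, identifiers=IDENTIFIERS):
    """Sanity check before sharing: True if any identifier column survived."""
    return any(k in row for row in research_rows for k in identifiers)


def relink(key_rows, research_rows):
    """Re-identify rows using the key file; only possible for whoever holds it."""
    lookup = {k["pseudonym"]: k for k in key_rows}
    return [{**lookup[r["pseudonym"]], **r} for r in research_rows]


if __name__ == "__main__":
    key, research = pseudonymize(RAW_CSV)
    print("--- key file (restricted) ---")
    print(to_csv(key))
    print("--- research dataset ---")
    print(to_csv(research))
    print("identifiers left in research data:", contains_identifiers(research))
```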
For more tips about personal data, pseudonymous data and anonymous data and when the GDPR does or doesn't apply, see this postcard from the National Coordination Point for RDM. Finally, if you think your data are anonymous, check first with the FGB Privacy Officer whether this is actually the case. If your data truly are anonymous, then the GDPR does not apply to your data.
No.
Newer privacy requirements in The Netherlands do not allow us to collect BSNs anymore. In the past, researchers whose studies offered financial compensation to participants were required to collect administrative information, including BSNs, and submit this information to VU Financial Affairs. This is no longer required. The Dutch Tax Authority has now changed its procedures and research participants are responsible for filing income from research participation (if the total annual compensation is above €1500).
It is also not allowed to collect BSNs for any other research purposes. If, for some reason, this information is imperative to your research, you must contact VU Legal Affairs prior to starting your research to determine whether there is any valid legal argument for you to collect BSNs.
You are not allowed to collect BSNs without the approval of the VU Legal Affairs department.
The Data Protection Officer for the VU can be reached at functionarisgegevensbescherming@vu.nl.
Under the GDPR, it is no longer necessary to register the processing of personal data with the Data Protection Authority for the Netherlands. Instead, a data processing registry must be maintained by the VU. In order to meet this requirement, you are asked to complete a data management plan (DMP) or registration form via DMPonline. First log in to DMPonline with your VUnet ID and then:
Unfortunately, this isn’t really something that can be avoided, particularly when the information is coming from participants or their parents. With regards to institutional third parties such as schools, hospitals or clinics that you are working with, contact the institution to determine whether data will continue to be transferred in this way so that a safe method can be agreed upon. If data will continue to be shared with you in this way, you should set up data transfer methods in line with this guide. For example, it's possible to set up access to a SURFdrive file or create a guest user in SURFFileSender for third parties, including those that don't normally have access to SURF products. SURFdrive and SURFFileSender are safer methods than e-mail that your partners can use if they need to share sensitive information with you.
If you receive a single e-mail containing sensitive information, simply contact the sender to say you have recorded the information in a safe location and deleted the e-mail. Advise the sender to delete the e-mail from their outbox and then let him or her know that e-mailing is not a particularly safe method for sending sensitive information; if sensitive information needs to be sent again in the future, advise the sender to first contact the research team to set up a safer method of transfer, such as with ZIVVER. You can find more information on ZIVVER on this IT Service Portal page. For additional information on ZIVVER, see this instruction manual: it explains how to use ZIVVER for obtaining digital consent, which is discussed further in the question How can I obtain consent from participants digitally, but also securely and in a way that follows the privacy rules?
It is understandable that if a lot of these kinds of e-mails are received, they will not be addressed immediately. Just try to manage them in a timely manner; your research team can document in your research data management plan or data protection impact assessment what standard response you should send when receiving these e-mails and the time frame within which you will address these e-mails. The GDPR does not define any time frame to manage such situations; instead you simply need to document how you handle personal data, so it is your responsibility to define a reasonable time frame (for example, 2 weeks), then document that time frame and stick to it.
Under the GDPR, there are specific rules you must follow if you plan to share non-anonymous data outside of the EU/EEA. The most feasible option for meeting these rules is to send the data to a country that has an adequate level of data protection according to the European Commission. Note that in Canada, this only applies to commercial organizations and in the U.S., this only applies to commercial organizations that are certified under the Privacy Shield framework. If there is no equivalency status, then you can have the receiving party in the other country sign a Standard Contractual Clause. If none of these options are feasible, contact the FGB Privacy Champion for further assistance.
The first thing to check is whether the informed consent methods used prior to the GDPR meet GDPR requirements. This informed consent checklist includes information about the requirements for valid consent under the GDPR. If you determine that the manner in which consent was previously obtained is not valid under the GDPR and you still need to continue using participant data, then first try to contact participants (if you still have their contact information) to renew consent in a manner that is valid under the GDPR. If it is no longer possible to contact participants (e.g. all contact information has been deleted) then it is not absolutely necessary to renew consent under the GDPR, but you will need to document clearly in a data management plan or data protection impact assessment that it was impossible to contact the participants to renew consent under the GDPR rules and provide an explanation as to why this was impossible.
This question will need to be partially addressed by the FGB Ethical Committee (in Dutch the VCWE) during the ethical approval process; they can inform you about whether doing your research without obtaining consent can be ethically justified. With regards to privacy law, there is an option for data processing without explicit consent under the GDPR but it is important to discuss your desire to use this option with the FGB Privacy Officer as early as possible in your research planning.
It is generally preferred that consent be obtained with a paper consent form, but in many cases, it may be more appropriate to use digital consent. If your research is not medical in nature and not subject to any of the medical research regulations (namely, the WMO law, the GCP guidelines or the Medical Device Regulation), then there are no restrictions on using digital consent instead of paper consent. If you are conducting medical research and it is subject to any of the medical research regulations, you should check with the VUmc METC as to whether paper consent forms are required. As of mid-2022 digital consent is allowed in some cases of WMO-research, but you should always check with the METC if your research is allowed to use digital consent.
If digital consent is an option for you, the second thing you want to ensure is that you can obtain consent legally:
If you are running a survey with a panel provider (see the question Do I need to set up a processing agreement with panel providers, such as MTurk or Prolific Academic? ), you should obtain consent using your questionnaire tool at the very start of your survey. Make sure the information provided to participants, as well as the way consent is obtained, follows the requirements of this checklist.
Review this overview of the GDPR roles from the GDPR Take-Home Points for Researchers. If you are still not sure after checking this page, contact the FGB Privacy Officer.
Check first if the VU or FGB already has a contract with the company you wish to hire or with another company that provides a similar solution. The FGB Privacy Officer can help you with this. Also check if the faculty technicians (TO3) could create an in-house solution for you so that an external company doesn't need to be hired.
If a new company needs to be hired, use the standard VU model processing agreement, which you can obtain from the FGB Privacy Officer. The main text of this model agreement must not be changed, but the annexes at the end of the agreement need to be filled in. Contact the FGB Privacy Officer to review Annex 1 and contact the RDM support desk to get support from an IT expert who can review Annex 3 to check that the security measures of the company are sufficient. Be aware: it's very likely that the IT expert who will review Annex 3 will want to see a data classification of the data that will be collected or stored by the company you are hiring. This will help the expert in their assessment as to whether the security measures are sufficient. You can complete a data classification with this tool, although check first with your supervisor or research team members as to whether a data classification has already been completed.
Please note that some companies will wish to use their own model processing agreement. If it’s absolutely not possible to use the VU model then it may be possible to use the model of the company; however the FGB Privacy Officer will need to check the processor's model to make sure it meets the needs of the VU.
In all cases, setting up a processing agreement with an external company will take time, regardless of which model agreement is used. To help avoid trying to set up such agreements last minute, make sure to plan ahead in your data management planning as to whether an external company needs to be hired so that the process of setting up an agreement with that company happens well before data collection needs to begin.
If you are using a panel provider to recruit participants by having the provider share a link for your survey, there is no need to set up a processing agreement with that provider. The provider is in this case an independent controller, according to the GDPR, meaning they are responsible for the data they collect and maintain; the VU is also an independent controller and we are responsible for the data we collect through the surveys. But neither party sees the data of the other party, so there is no need for an agreement. This applies even if the panel provider is located outside of the EU/EEA.
If you are using panel providers to recruit participants located outside the EU/EEA, be aware that other privacy laws may apply to the data collected; the VU is required to meet both GDPR requirements and international privacy laws when working with international participants. Finally, the only other thing to keep in mind when recruiting participants with panel providers is that you must ensure that you have a GDPR-compliant informed consent process at the start of the survey. Review this checklist to make sure your consent process is valid.
The VU has developed model agreements for situations where the VU functions as a joint controller with another party (see the question How can I determine what my role is (controller, joint controller or processor) under the GDPR? for further information on what a "controller" is). You can obtain this model agreement from the FGB Privacy Officer. See this page on the workflow of setting up standard VU agreements for more information.
Additional agreements, such as collaboration agreements, may need to be set up when working with third parties. You can contact Legal Affairs for assistance with this process.
In order to assess what kind of privacy agreements are necessary, start by determining whether the VU and the third party are joint controllers (see the question How can I determine what my role is (controller, joint controller or processor) under the GDPR? for further guidance). If they are joint controllers, a joint controller agreement needs to be signed; you can obtain a model agreement from the FGB Privacy Officer. You should also consider where the research data will be collected and stored: if all data are maintained externally by the third party and the PhD candidate is employed by that third party, generally no joint controller or data sharing agreements are required. However, if the third party has no facilities for maintaining the data long-term after the research project is complete (namely for archiving the research data), the data may need to be transferred to the VU, at which point a data sharing agreement and potentially a joint controller agreement will be necessary. You can contact Legal Affairs for help with drawing up a data sharing agreement.
Make sure to also review the question I am an external PhD candidate/I am supervising an external PhD candidate. Can I make use of services licensed by the VU, such as Qualtrics or Survalyzer? for more information about the use of VU-licensed services by external PhD candidates.
This document provides guidance on how to handle privacy risks when students are using research data, including where and how the data should be stored. If the data are higher risk, but the guidance above isn't feasible, one solution is to de-identify the data before giving the student access so that privacy risks are reduced.
This is a complex question. Ultimately the VU would bear the brunt of the responsibility if a breach occurs. However students are responsible for handling data carefully according to the requirements of the VU. In order to ensure students behave appropriately while under VU supervision, students must carefully read, understand and sign confidentiality agreements before they work with research data. If students will be collecting or transporting data outside of the VU or they will be borrowing equipment from the TO3 Borrowing Service, they must also read this guide on security basics and this guide on physical transport of data so that they know how to carefully handle the data until they can store it in a safe VU location. It is also a good idea to develop a protocol for collecting data outside the VU that will be documented in the data management plan so that everyone collecting and transporting data knows what their responsibilities are; having clear, documented procedures that everyone must follow will minimize the risks of leaking data.
If the student will be conducting research under the sole supervision of the VU and there isn’t another third party (e.g. a hospital, long-term care centre, physiotherapy clinic etc.) involved in the data collection, then a confidentiality agreement can be obtained from your department or section head. He or she can also sign this agreement on behalf of the Director of Operations for the Faculty. If all data collection and data storage will take place at the location of a third party, and the only role for the VU is to provide supervision for the research internship, then the third party is responsible for setting up a confidentiality agreement with the student.
If both the third party and the VU are responsible for the data that the student will work with (i.e. data collection and/or storage happens at both the VU and the third party location), then the student must sign confidentiality agreements for both the VU and the third party. It is advised that the supervisor review the confidentiality agreement template in this situation to make sure that there isn't anything in the agreement that might be a problem for the collaboration; if there seems to be a problem, contact the FGB Privacy Officer for advice.
Because of the type of research that is done at FGB, it's very likely that a DPIA will need to be carried out before you begin your research project. First you can check whether it's legally required that you complete a DPIA by completing a pre-DPIA. You can contact the FGB Privacy Officer for this pre-DPIA form; they can also provide you with the full DPIA form, as well as give advice and feedback on the completed form.
If your data are very high-risk, and it's not feasible to de-identify the data as a way of reducing privacy risks, then you should discuss this with the FGB Privacy Officer. You should also ask for support from an IT security expert, via the RDM support desk. They can assist you in thinking of alternative solutions and if necessary they can start the process of developing a custom data storage solution.
As of December 2020, the issues with Qualtrics under the GDPR have been resolved. It is now possible to collect personal data with Qualtrics for your research. FGB has also maintained the license for the alternative questionnaire tool Survalyzer. There are a variety of reasons why you may want to use one questionnaire tool over the other. Additionally, there are important steps you can take when using either of these questionnaire tools to make your data extra secure. For more information on these matters, please refer to this guide on the secure use of questionnaire tools.
No. The reason you can use your VUnet ID to log in to these services is so that they can be used for educational purposes. Google Drive remains an inappropriate solution for storing and sharing data that falls under the purview of the GDPR or any other sensitive types of data.
The most important thing you should do is clarify in the information letter shown to potential survey respondents how many times they are allowed to participate. Also state that responses to your survey that are clearly fraudulent (e.g. it's clear that a bot was used to repeatedly fill in the survey) will not be compensated.
Some survey programs, like Qualtrics, offer technical methods to help prevent fraud. However, these methods are not very effective, and if you use them you will need to include additional information about cookies in the information you give to your participants. It is therefore recommended not to use these methods and instead to monitor for signs of fraudulent responses, such as surveys completed repeatedly from very similar e-mail addresses and survey completion times that are impossible for a human to achieve.
If you suspect that a survey respondent is fraudulently responding to your survey, do not contact this person. Contact instead the FGB Privacy Officer for further assistance.
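As an added illustration (not part of the FGB guidance and not a feature of Qualtrics or Survalyzer), the monitoring described above can be scripted over the export of a questionnaire tool. The script flags the two signals named in the guidance: completion times no human could achieve, and clusters of very similar e-mail addresses. The record fields, the sample responses, the 60-second minimum and the address-normalisation rules are all assumptions for this example; adjust them to your own survey and export format. Flagged respondents are only reported, never contacted.

```python
"""Flag survey responses that show signs of bot or repeat submission.

Added example, not part of the FGB guidance. The input records are constructed
to resemble what a questionnaire tool exports: a response id, the e-mail the
respondent gave for compensation, and the completion time in seconds.
"""
import re
from collections import defaultdict

# Assumption: no human can complete this particular survey in under 60 seconds.
MIN_PLAUSIBLE_SECONDS = 60

# Constructed sample export (not real data).
SAMPLE_RESPONSES = [
    {"id": "r1", "email": "alice.smith@example.org", "duration_s": 540},
    {"id": "r2", "email": "a.lice.smith@example.org", "duration_s": 455},
    {"id": "r3", "email": "bob+1@example.org", "duration_s": 11},
    {"id": "r4", "email": "bob+2@example.org", "duration_s": 9},
    {"id": "r5", "email": "carol@example.org", "duration_s": 380},
]


def normalize_email(addr):
    """Reduce an address to a key that is identical for 'very similar' variants.

    Assumed rules: case-insensitive, '+tag' suffixes dropped, separators in the
    local part ignored, and a trailing run of digits (alice1, alice2) removed.
    """
    local, _, domain = addr.strip().lower().partition("@")
    local = local.split("+", 1)[0]
    local = re.sub(r"[.\-_]", "", local)
    local = re.sub(r"\d+$", "", local)
    return local, domain


def flag_responses(responses, min_seconds=MIN_PLAUSIBLE_SECONDS):
    """Return {response_id: [reasons]} for every response that looks suspicious."""
    flags = defaultdict(list)
    by_address = defaultdict(list)
    for r in responses:
        if r["duration_s"] < min_seconds:
            flags[r["id"]].append("impossible_duration")
        by_address[normalize_email(r["email"])].append(r["id"])
    # Two or more responses whose addresses collapse to the same key count as
    # repeated participation from very similar e-mail addresses.
    for ids in by_address.values():
        if len(ids) > 1:
            for rid in ids:
                flags[rid].append("similar_email_cluster")
    return dict(flags)


def summarize(responses, min_seconds=MIN_PLAUSIBLE_SECONDS):
    """Counts for a quick overview before handing the case to the Privacy Officer."""
    flagged = flag_responses(responses, min_seconds)
    return {
        "total": len(responses),
        "flagged": len(flagged),
        "clean": len(responses) - len(flagged),
    }


if __name__ == "__main__":
    for rid, reasons in sorted(flag_responses(SAMPLE_RESPONSES).items()):
        print(rid, ", ".join(reasons))
    print(summarize(SAMPLE_RESPONSES))
```

Run against the constructed export, r1 and r2 are flagged only as an address cluster (two spellings of the same local part), r3 and r4 are flagged both for their impossible durations and as a cluster, and r5 is clean. The normalisation rules are deliberately loose; tighten or loosen them to match how your own respondents write their addresses, and treat a flag as a reason to consult the FGB Privacy Officer rather than as proof of fraud.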
There are a variety of free online courses available to learn about the GDPR and privacy issues. These include:
*To make use of the GoodHabitz program, you may need to login via this VU page because the Single Sign On with your VU account doesn't always work directly when on the GoodHabitz site. Once logged in switch the language to English and then search for the topic "GDPR". If you'd prefer to study in Dutch, search for the topic "AVG".
There are two options for video calling at VU Amsterdam: Microsoft Teams and Zoom. Zoom should only be used in non-sensitive situations. This means that Zoom cannot be used for the purposes of data collection in research, such as interviews with research subjects. More information on Zoom is available here.
If you need to use video calling for research purposes, the best option is Microsoft Teams; however, Teams has also not been officially approved for this purpose. It is therefore advised to discuss its use with IT Security to determine whether Teams is indeed appropriate for your research purposes. IT Security can also advise on whether any additional measures can be applied to protect the data. IT Security can be contacted via the RDM support desk.
E-mailing data without additional security measures is strongly discouraged, even if it seems like the data are anonymous (the standards that must be met to call data anonymous are much stricter than many people realize, and much of our research data do not meet these standards). The VU has multiple options for sending data safely, so it is advised to use these solutions. See this guide for information about these options. On ServiceNow you can also find more information about the security extension, ZIVVER, that can be used with Outlook to secure e-mail traffic. If you aren't sure how to use ZIVVER on a personal computer, a red workstation or macOS/Linux, check out this instruction manual about using ZIVVER for obtaining digital consent (discussed in the question How can I obtain consent from participants digitally, but also securely and in a way that follows the privacy rules?). This manual explains how you can set up ZIVVER on these types of workstations.
See this guide for information on how to safely transport data to and from the VU. This guide also describes the TO3 borrowing service from which researchers and their assistants can borrow devices for offsite data collection.
See this guide for information and advice on where to store your data. If your situation is very complex and you still have questions, contact the Research Data Support Desk for advice.
See the FGB Security Basics for information on how to properly delete data from your computer's hard drive and/or an external hard drive.
Unfortunately, external PhD candidates are not allowed to use VU-licensed services. These are only to be used by VU employees and students. It is a good idea to check whether the external PhD candidate can make use of services within the institution they are associated with. If that is not possible, an option is to set up a VU guest account, but this can cost a lot of money and it does not necessarily guarantee immediate access to VU-licensed services; often more steps need to be carried out. Therefore it is advised to contact the Research Data Support Desk for more information and support on this complex issue.
Actually, your best option for creating a short URL for your research (and also for any educational purposes) is edu.nl. This is a service offered by SURF to all researchers, students and staff with access to SURF services and the main advantage is that the URL that is created does not track the website visitors, which can be an issue with things like bitly.
Inform the IT Service Desk immediately with a high priority message. Provide them with details about what happened, the type of data that may have been leaked and a description of the population from which the data were collected. The Service Desk will forward your question on to the Security Operations and Control Centre and the VU Legal Department, who will review the issue and determine what kind of follow-up is necessary.
You must also inform the faculty's Research and Policy Support (REPS) team via research.data.fgb@vu.nl. Set the message to high priority and include "data breach" in the subject line.
For more information on data breaches (a.k.a. data leaks), see this VU page.
Knowledge Security is applicable if you are collaborating with an international partner and/or hiring a new international employee. The VU and FGB have created guidance frameworks to help you meet the requirements:
There is a basic security course available on GoodHabitz. To make use of this program, you may need to login via this VU page because the Single Sign On with your VU account doesn't always work directly when on the GoodHabitz site. Once logged in switch the language to English and then search for the topic "Information Security". If you'd prefer to study in Dutch, search for the topic "Informatiebeveiliging".
Additionally this guide on security basics from the faculty provides useful tips on protecting your data.