The European General Data Protection Regulation (GDPR) specifies how
personal data must be managed and protected by organizations located in
Europe. Almost all data used by FGB researchers are about human beings
and the majority of this data qualifies as personal under GDPR
definitions. The GDPR addresses many issues, but leaves a lot of details
up to interpretation. This document sets out how FGB interprets and
implements GDPR requirements for research in the faculty. Additional
detail about what the GDPR is and what it means for FGB researchers can
be found in this short summary.
Position 1: Handling of directly identifying
personal data
- Directly identifying personal data (e.g. name,
address, contact information) may be maintained for the entire duration
of a research project if this information is required to
carry out the project. For example, it may be necessary to: contact
individuals about the next phase of the project; contact participants
for a follow-up project, if they have given consent to be contacted for
that reason; or for communication with participants’ caregivers or
teachers who may need to provide supplementary information about
participants, but who should not know the identification code under
which participants are registered by the research team. Directly
identifying personal data should be stored separately from other
research data, at a higher level of security than indirectly identifying information and they should
only be accessible to those individuals (usually research assistants and
data managers) who absolutely require access to them and only for the
period for which access is required (i.e. once access is no longer
required, access rights should be revoked).
- If it is not feasible to store directly identifying data in a
separate storage location from all other research data, these data
should be stored in a separate folder with controlled access rights to
only those who need to know these data and ideally with encryption on
the folder or the file itself that contains the data.
- If it is not feasible to separate directly identifying data from the
research data which need to be analyzed (e.g. photographs or audiovisual
data), the storage solution used for the data should provide the highest
possible level of security and/or encryption should be used.
- Information on how to archive directly identifying personal data can
be found in the local FGB implementation of the DSW National Guidelines
on Archiving.
Position 2: Legal basis for processing data
- The fundamental legal basis for conducting a research project using personal data should, in the
majority of cases, be the informed and freely given consent of
participants. Legitimate interests can in some specific cases be invoked
as an alternative legal basis for conducting a research project if
obtaining informed and freely given consent is impossible or would
impair the aims of said project. In order to use legitimate interests as
a legal ground for conducting a research project, the benefits of the
research project must outweigh the rights of the individuals whose data
are being used. Additional conditions are also required if special
categories of personal data will be processed on the basis of
legitimate interests (see Rule 5 from Privacy in Scientific Research – 10 Key Rules).
Situations where legitimate interests may be more appropriate
than obtaining consent include, but are not limited to:
- Child abuse (cannot ethically inform the parents, but the child is
<16 years old)
- Youth crime (cannot ethically inform the parents, but the child is
<16 years old)
- Misconduct in public organizations/the church/social support (cannot
inform the individuals responsible for misconduct without risking harm
to others or to the aims of the research project)
- Retrospective research or reuse of existing data sources where it is
no longer possible to contact the subjects
Position 3: Consent for reuse of data
- FGB is working to meet the FAIR-principles and data sharing goals.
However, almost all of the data utilized at FGB is about human subjects
and the vast majority of this data cannot be sufficiently anonymized to
both meet current definitions for anonymity and remain useful for new
research. This means that when data are collected at FGB, researchers
should ensure that informed consent is also obtained from participants
for the reuse of the data, regardless of whether the data will be reused
by the original research team or by new researchers at other
institutions in the future. It should be clear to the subject reading
the consent form whether they are giving consent to the former, the
latter or both.
NB: It is insufficient to simply ask: “Do you consent to the reuse of
your data for new research?”, as this is not sufficiently informative.
For support on how to obtain consent for the reuse of research data that
cannot be sufficiently anonymized see this checklist and
contact the FGB privacy
champion if there are additional questions.
Position 4: Appropriate reuse of existing personal
data
- FGB researchers are encouraged to utilize existing sources of
research data, for example, data found in research data repositories.
Despite these data being available for reuse, it is still the
responsibility of FGB researchers to:
- Determine whether the data could be considered personal data under
the GDPR and, therefore, whether it is legal for the data to be
reused;
- Determine whether the research subjects in the data can be informed
about the reuse of these data, if appropriate.
Position 5: Research and the right to be
forgotten
- A research project is exempt from the GDPR’s right to
be forgotten if data erasure “renders impossible or seriously impairs
the achievement of the objectives” of the project. If a study
participant wishes to exercise this right, but the project is already in
the analysis phase or later, researchers may refuse this right. The
reasoning is that once data have been analysed, published and/or
archived, the data can no longer be deleted without severely impairing
the integrity and aims of the research. Regardless, requests for the
right to be forgotten must always be forwarded to the VU Data Protection
Officer (functionarisgegevensbescherming@vu.nl), who will lead
the communications between the requesting participant and the
researchers.
- If a participant revokes their consent to a research project, the
usage of any data already collected depends on the nature of the
research project and the phase of the research cycle when consent is
revoked. If a research project consists of repeated measurements and a
participant revokes consent by saying that they no longer wish to be
contacted or to take part in the study, all of the data collected up
until that point may still be used, unless the individual exercises the
right to be forgotten and the erasure of the data is not detrimental to
the aims of the research project. If a participant revokes consent to
the entirety of the research project, without invoking the right to be
forgotten, and the research project is still in the data collection
phase, the data do not need to be deleted, but they may not be used for
analysis; if the research project is in the analysis phase or later when
the participant revokes consent to the entirety of the research project,
the data cannot be deleted; these data however
should be flagged as not to be used for any follow-up research
projects.
Position 6: Research and the right to data
portability
- Any requests from a research participant for the GDPR’s right to
data portability will be reviewed on a case-by-case basis
with the VU Data Protection Officer (functionarisgegevensbescherming@vu.nl). Such requests
are not expected to occur very often, and as such, FGB researchers are
NOT required to prepare for any such requests (i.e. by
ensuring that the data in question are machine-readable). FGB
researchers are not obliged to execute requests for data portability if
this would risk the privacy of other individuals or severely harm the
aims of the research project, but, ultimately, the decision to approve a
request for data portability lies with the Data Protection Officer for
the VU.
Position 7: Updating consent for long-term
research
- Long-term or ongoing longitudinal research projects should
occasionally update consent. This should be done if there are any
fundamental changes to the nature of the study, such as a change to the
purpose of the study, the types of data collected, or any planned data
sharing that was not mentioned earlier. FGB researchers should also
review their consent forms every ten years to determine if consent needs
to be refreshed.
- Consent forms from long-term research projects that started prior to
the implementation of the GDPR should be reviewed for compliance with
the GDPR. If found to be non-compliant, researchers must attempt to
refresh participant consent. If it is not possible to obtain refreshed
consent from all participants, for example, due to changes in contact
information, data may continue to be used based on the original consent;
however, an updated information letter about the changes to consent and
participant rights should be made public, such as on a study website or
published on OSF, so that
the individuals who could not be contacted can find such information and
can contact the researchers for more information, if necessary. FGB
researchers can contact the FGB privacy champion for advice on what to
include in this information letter. This checklist also
provides guidance on what information is needed.
Position 8: Requirements for Data Protection
Impact Assessments
- FGB researchers are expected to assess whether a Data Protection Impact Assessment (DPIA) must be
completed and to complete the DPIA to the best of their abilities. The
FGB privacy champion will provide initial advice on DPIAs and if complex
issues are identified, the privacy champion will forward the DPIA to the
privacy lawyers in VU Legal and Institutional Affairs for additional
support.
- DPIAs should be occasionally refreshed for long-term research
projects. For cohort studies with discreet collection phases, DPIAs
should be reviewed and updated prior to each new collection phase if at
least 5 years have elapsed since the last collection phase. Long-term
data registries (e.g. NTR, NAR) that are continuously collecting data
should conduct a new DPIA at least every 5 to 10 years. Any research
project that previously required a DPIA must complete a new DPIA if
there are fundamental changes to the project, such as new purposes, new
methods of data collection or new technologies being utilized for data
collection and analysis.
Position 9: Handling of non-digital personal
data
- Non-digital personal data (such as saliva samples or written
documents) must be protected from theft, loss, damage and unauthorized
access, just like any other personal data. Safe transport of non-digital
data is described in the FGB
Security Tips on Physical Transport.