Handling personal data
Check how to handle personal data before, during and after your research.
The Algemene Verordening Gegevensbescherming (AVG), or the General Data Protection Regulation (GDPR), has applied since 25 May 2018. The GDPR requires you as a researcher to be clear and transparent towards data subjects about how you handle their personal data, and it demands that appropriate safeguards and security measures are in place to protect their privacy. For detailed information on privacy and research at the UMC Utrecht, visit the UMCU intranet.
To get you started on this topic, we offer the workshop Handling personal data in research, or you can read this guide.
To show that you have considered the risks of working with personal data, write down in your data management plan (DMP) the security measures you will adopt to safeguard the privacy of your data subjects. Be sure to assign responsibilities (record who is authorised to do what) so that you adhere to the GDPR principle of accountability.
Making a DMP before you start collecting personal data will help you practice 'privacy by design', which is an important principle in the GDPR. The GDPR states that you should only collect data which is relevant, limited to what is necessary and only for specified, explicit and legitimate purposes. The GDPR does not concern the processing of anonymous information, including for statistical or research purposes.
See the guide on 'Data management planning' for more information on developing your DMP.
If you want to know more about handling personal data at Utrecht University you may also read the ‘Utrecht University Personal Data Processing Policy’. This document lays out the responsibilities, measures and duties Utrecht University researchers must uphold concerning personal research data.
If you collect research data from which a person can be identified, directly or indirectly, this is classified as personal data. Personal data can include a variety of information, such as name, address, phone number, occupation and IP address.
Sensitive personal data
Certain personal data is considered particularly sensitive and thus requires more protection. This is because divulging such information may place these individuals in vulnerable or disadvantageous situations. Examples of sensitive personal data include BSN (‘burger service nummer’), criminal history and illegal acts.
Special categories of personal data
There are special categories of personal data that need extra protection. Examples are data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership; genetic data; biometric data used to uniquely identify a natural person; data concerning health; and data concerning a natural person's sex life or sexual orientation.
Processing of these special categories is prohibited, except for specific purposes and under certain conditions. Scientific research is one of the exceptions under which special categories of personal data may be processed. See the section "Assessing the risks" further below for more information on working with special categories of personal data.
Direct or indirect identification
An identifiable natural person is someone who can be identified, either directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, an occupation or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Keep in mind that even if the information within your dataset is not by itself sufficient to identify an individual, this does not necessarily mean that your dataset has been anonymised. If information from external datasets or registries can be combined with your dataset to identify an individual, your dataset is still considered to contain personal data and is therefore not fully anonymised. This is what makes full anonymisation difficult to achieve.
Sharing of research data that relates to people can often be achieved using a combination of obtaining consent, pseudonymising data and regulating data access.
Personal data must be carefully secured against loss, theft and tampering. As part of Utrecht University's Information Security Policy, you are asked to assess the risks associated with your data. We recommend starting by asking yourself the following questions:
Will I be working with special categories of personal data?
Check ‘what is personal data’ to see if your data fits in any of the special categories.
Such data is classified as sensitive because making it available to others can have detrimental consequences for the data subject.
When working with such data it is important to take extra security measures to prevent data breaches and thus safeguard the privacy of the data subjects. The GDPR requires a Data Protection Impact Assessment (DPIA) where processing is likely to result in a high risk for data subjects, for instance when special categories of personal data are processed on a large scale.
Please check the section on “Carrying out a DPIA” for more information.
Will my data be securely stored?
To minimise the risk of a data breach it is essential to know where and how your data is stored throughout its lifetime. The GDPR restricts transfers of personal data to countries outside the European Economic Area and requires appropriate technical safeguards when personal data is stored. For this reason you should plan where and how your data will be stored after collection, during and after analysis, and later when archiving.
Having a pre-determined plan on how personal data will be handled is a key requirement of the GDPR. As such writing this information in a data management plan (DMP) is highly recommended.
Check the section on “Securing personal data” for more information.
Do I have a system in place to grant and restrict access to the data as needed?
Throughout the research project different people may require access to the data. Ensuring that only authorised users can access the data protects both its confidentiality and its integrity.
It is also important to consider whether researchers from other institutions (e.g. in consortium projects) will require access to the data. By implementing proper data transfer or data access workflows you greatly reduce the chance that people fall back on unsafe practices such as sending data by e-mail or sharing it via Dropbox. Notably, YODA is a suitable solution for managing access rights to your data, including for external users.
The way in which users can obtain access and the level of security implemented to prevent unauthorized access should be well explained in your DMP. Information regarding the access rights and the privacy responsibilities of each consortium member should be explicitly and clearly laid out in the consortium agreement.
Lastly, if you work with personal data you should be able to locate a data subject's data and remove it easily upon request. This enables you to comply with the GDPR by ensuring that a data subject's "Right to Erasure" or "Right to Rectification" can be carried out effectively and without undue delay. For more information, check the section on "Rights of Data Subjects".
When working with personal data we must take both the legal and the ethical aspects into consideration. Although the two overlap considerably, attending to one does not mean the other can be neglected.
To consider the ethical issues pertaining to your research data by yourself, you can use the Data Ethics Decision Aid (DEDA for Research) from the Utrecht Data School. This tool allows you to make an assessment on the ethical aspects of your research. It is shaped as an online survey in which you are asked a series of open questions to raise awareness of certain issues and help document the decision making process.
As a researcher you may also wish to submit your research to an ethical review board.
The following faculties have their own Ethical Review Board:
- Faculty of Social and Behavioural Sciences
- Faculty of Humanities
- Faculty of Law, Economics and Governance
- Faculty of Geosciences and Faculty of Science (combined)
- University Medical Center Utrecht
Filling out a data management plan before an ethical review will ensure that you think about the security and technical measures you will undertake to safeguard the rights of your research participants.
Informed consent provides a legal basis for personal data processing and is, in most research projects, the basis relied on to collect, share, preserve and use a participant's personal data.
Every participant should be unambiguously informed of what kind of data will be collected, who the controller of their data is and how their data will be used. Consent must be freely given, and all personal data processing should be carried out as stated in the informed consent form. Furthermore, the GDPR requires that participants be made aware of their right to withdraw consent, and withdrawing must be as easy as giving consent.
See 'Informed Consent for data sharing' for information on gaining informed consent for sharing of research data beyond the purposes for which your data is collected.
According to the GDPR you should ensure data integrity and confidentiality and ensure that data are accurate and where necessary kept up to date. Every reasonable step should be taken to ensure that inaccurate personal data are erased or rectified without delay. Also, data which are not used should be removed, unless these data are needed to be able to verify or reproduce the research.
The most effective and efficient way to protect personal data is to use only UU-approved IT hardware and software (no bring-your-own-device). The IT department offers different services.
For more information on security refer to the UU intranet, where you can find the general policy on information security alongside more practical advice.
For additional protection you can encrypt the data; Boxcryptor is the encryption tool used for this purpose.
Also, do not send personal or confidential data via e-mail or through File Transfer Protocol (FTP), but transmit it in encrypted form instead (e.g. via SURFfilesender).
- Procedural arrangements
For example, arranging access conditions in a consortium agreement and, where necessary, through non-disclosure agreements with participants and data handlers via data transfer or processor agreements (see the guide on 'Legal instruments and agreements').
Identifiable personal data is data that leads to the identity of a person without disproportionate effort. The best way to protect your participants' privacy may be not to collect certain identifiable information at all. The second best way to protect data subjects is to apply one or more of the following measures, which implement the GDPR's data protection principles:
- Anonymise data
Take note that a person's identity can be disclosed not only by direct identifiers (name, address, telephone number) but also by indirect identifiers (age, place of birth, occupation, family composition, salary) that, linked with other information, can lead to a person's identification. Anonymisation, to the point that the person is no longer identifiable, is one way to avoid having to take strict security measures when sharing your data. Fully anonymised data is no longer considered personal data.
- Pseudonymise data
Pseudonymisation is achieved by replacing the unique identifier of a person with a pseudonym. This makes it possible to link records about the same person across datasets while protecting their privacy. Note that pseudonymised data is still personal data under the GDPR as long as the key that links pseudonyms back to identities exists, so the security measures described here still apply.
- Separate identifiable information from other information
Storing identifiable information apart from the research data, and storing the key that links the two separately from both, is another security measure you can take.
- Minimise data
Personal data that does not need to be processed should not be collected. Personal data that is not processed cannot compromise the privacy of the data subject.
- Storage restriction
Limit the number of copies of the personal data. The less personal data you store, the less personal data is to be protected and secured.
- Encrypt data
If it is not feasible to de-identify the data, encrypting it is another way to prevent personal data from being disclosed (see "Securing personal data").
Only if access can unambiguously be restricted to authorised persons can data be stored without such measures. YODA, for instance, is a secure storage environment where this is possible.
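The pseudonymisation, separation and erasure steps above in working code, as an added example that is not part of the original guide or of any UU tool. It uses a keyed hash (HMAC-SHA256) rather than a plain hash: the BSN-like identifiers, file names and records are constructed for the example, and the assumption is that the secret key is stored apart from both the raw data and the pseudonymised output, with access limited to the data manager. The last two functions show why an unkeyed hash is not an adequate pseudonym for identifiers drawn from a small, enumerable space such as a 9-digit number.

```python
import csv
import hashlib
import hmac
import io
import secrets

# Constructed sample data (no real persons): two files collected on the same
# subjects, both keyed on a direct identifier (a BSN-like number).
SURVEY_CSV = """bsn,name,age,answer
123456782,A. Voorbeeld,34,yes
987654321,B. Voorbeeld,52,no
"""
FOLLOWUP_CSV = """bsn,visit_date,score
123456782,2023-01-10,7
987654321,2023-01-12,4
"""


def generate_key() -> bytes:
    """Secret pseudonymisation key. Assumption: kept separate from the data,
    e.g. in a restricted-access location held by the data manager only."""
    return secrets.token_bytes(32)


def pseudonym(identifier: str, key: bytes, scope: str = "project-x") -> str:
    """Keyed hash (HMAC-SHA256) of the identifier. The scope string gives each
    project its own pseudonyms, so records cannot be linked across unrelated
    studies that happen to use the same identifier."""
    msg = f"{scope}:{identifier}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def pseudonymise(csv_text: str, id_column: str, key: bytes, drop=()) -> list:
    """Replace the identifier column by a pseudonym and drop other direct
    identifiers (e.g. name) that are not needed for the analysis."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        kept = {k: v for k, v in row.items() if k != id_column and k not in drop}
        rows.append({"pseudo_id": pseudonym(row[id_column], key), **kept})
    return rows


def link(a: list, b: list) -> list:
    """Join two pseudonymised sets on pseudo_id: the analyst links records of the
    same person without ever seeing who that person is."""
    by_id = {r["pseudo_id"]: r for r in b}
    return [{**r, **by_id[r["pseudo_id"]]} for r in a if r["pseudo_id"] in by_id]


def erase_subject(rows: list, identifier: str, key: bytes) -> list:
    """Right to erasure: the key holder regenerates the subject's pseudonym and
    removes every row carrying it, without needing a reverse lookup table."""
    target = pseudonym(identifier, key)
    return [r for r in rows if r["pseudo_id"] != target]


def unkeyed_hash(identifier: str) -> str:
    """The weak alternative: plain SHA-256 of the identifier, no secret."""
    return hashlib.sha256(identifier.encode()).hexdigest()[:16]


def reverse_unkeyed(pseudo: str, candidates):
    """Anyone holding an unkeyed hash can re-identify it by hashing every
    candidate identifier; a 9-digit BSN space is only 10**9 hashes."""
    for c in candidates:
        if unkeyed_hash(c) == pseudo:
            return c
    return None


if __name__ == "__main__":
    key = generate_key()
    survey = pseudonymise(SURVEY_CSV, "bsn", key, drop=("name",))
    followup = pseudonymise(FOLLOWUP_CSV, "bsn", key)
    for row in link(survey, followup):
        print(row)
    print("after erasure:", erase_subject(survey, "123456782", key))
    print("unkeyed hash reversed to:",
          reverse_unkeyed(unkeyed_hash("987654321"), ["123456782", "987654321"]))
```

The `scope` argument matters when the same key serves more than one project: it stops a pseudonym from project A being matched against project B's files. Rotating or destroying the key turns the pseudonymised files into data that can no longer be linked back by you, which is the state to aim for before depositing data in a repository.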
For an elaborate visualisation of what is considered identifiable data, check out the information sheet at the Future of Privacy Forum which offers a useful visual guide to practical data de-identification.
When your project is finished and you decide to publish and share your data in a data repository, be aware that personal data can only be put there with appropriate consent and after considering ethical issues. If both do not pose problems, you can still protect personal data as an extra precaution, by limiting access to the data.
Many data repositories offer the following access categories:
- Open access
Data that can be accessed by any user whether they are registered or not. Data in this category shouldn't contain personal information (unless consent is given, and data is not very sensitive).
- Restricted access
Access is limited and can only be granted upon request. This access category is for sensitive personal data. A Creative Commons licence is less appropriate here, as you do not want restricted data to be spread further without explicit permission; a user agreement can settle such obligations.
Article 35 of the GDPR introduces the Data Protection Impact Assessment (DPIA); in Dutch, gegevensbeschermingseffectbeoordeling (GEB). Carrying out a DPIA is mandatory if the data processing is likely to result in a high privacy risk for the data subjects. Even when you are not legally obliged to carry out a DPIA, you are encouraged to do so when you are uncertain about the risks involved in your handling of personal data. A DPIA is also recommended when you work with new methodologies or technologies whose impact on the privacy of data subjects is not yet clear.
The process and goal of a DPIA (or GEB)
During a DPIA you fill in a form that helps you identify privacy issues and the measures needed to address them at an early stage. For example, when storing personal data on laptops, appropriate technical and organisational security measures (effective full-disk encryption, robust key management, appropriate access control, secured backups, etc.) may be required in addition to existing policies (notice, consent, right of access, right to object, etc.). The DPIA should be seen as a tool to support decision-making about data processing. It should be continuously reviewed and regularly reassessed.
- When should I perform a DPIA?
The DPIA should be carried out at the earliest possible stage prior to data processing. This is consistent with the legal obligation of data protection by design. Check if you are obliged to do so with the DPIA checklist.
- When isn't a DPIA required?
Note that when the nature, scope, context and purposes of the intended data processing are very similar to the processing for which DPIA has already been carried out, the results of the previous DPIA may be used.
- How should I perform a DPIA?
You can choose a tool yourself as long as it contains at least the following:
- A systematic description of the intended data processing and the purposes thereof. If you rely on a legitimate interest as the basis for processing, include this in the description.
- An assessment of the necessity and the proportionality of the processing. That means: is the processing of personal data necessary in this way to achieve your goal? And isn't a possible violation of the privacy of those involved (the people whose data you process) disproportionate to this purpose?
- An assessment of the privacy risks for those involved.
- The intended measures to (1) address the risks (such as safeguards and safety measures) and to (2) demonstrate that you comply with the GDPR.
In order to carry out an effective DPIA, sufficient expertise on both the project and privacy is required. Make sure to involve the correct people in carrying out the DPIA. For the right contact person on privacy in your faculty, please go to the UU intranet (UU employees only).
- Which tool to perform a DPIA does Utrecht University recommend?
The following Dutch models are recommended:
- Privacy Impact Assessment by the Rijksoverheid.
- English translation of the Privacy Impact Assessment by the Rijksoverheid.
- Privacy Impact Assessment for Utrecht University (requires logging in with your Solis-id, based on an instrument by SURF).
- What is the role of the Data Protection Officer (DPO) for DPIA’s?
The Data Protection Officer is legally obliged to advise on the DPIA, and the DPO's advice has to be included in the DPIA. For this advice, the DPIA can be sent to firstname.lastname@example.org. The DPO is not responsible for carrying out the DPIA, but can assist in explaining legal terminology.
- When should I consult the supervisory authority (Autoriteit persoonsgegevens)?
Only in cases where the identified risks cannot be sufficiently mitigated after the DPIA (i.e. the residual risk remains high). In such cases, always contact email@example.com first.
If personal data in your care has (possibly) leaked, report this as soon as possible to the university security officer at firstname.lastname@example.org, as it may constitute a data breach. The university must assess a breach and, where required, notify the Autoriteit Persoonsgegevens within 72 hours of becoming aware of it, so do not wait until you are certain that data has leaked. Failing to report a (possible) data breach can lead to a very high fine.
The GDPR gives data subjects certain rights that allow them to control the processing of their personal data. Below you will find a brief description of these rights. For more information check the 'Utrecht University Personal Data Processing Policy' (English) or 'Beleid Universiteit Utrecht verwerking persoonsgegevens' (Dutch).
Right of access (art 15)
The data subject has the right to be informed by Utrecht University about certain aspects of the processing of their personal data.
Utrecht University will inform the data subject free of charge about the processing of their personal data, both when the personal data is collected from the data subject directly and when it is collected via another route.
Right to Data Portability
Every data subject can submit a request to Utrecht University to obtain his data (free of charge) in a structured, common and machine-readable form, or to have this transferred directly to another controller, without being hindered by Utrecht University, if the following conditions are met:
- The processing by Utrecht University is based on 'consent' or 'performance of an agreement with the data subject'.
- The processing in question is entirely computerized.
Right to rectification (art 16), supplementation, erasure (art 17) or restriction (art 18) of the Processing
Every data subject may request, with regard to the personal data Utrecht University has recorded about them, that these data be corrected, supplemented or erased, or that their processing be restricted. While a request for rectification or restriction is being handled, the personal data are temporarily blocked and no longer processed by Utrecht University. The block is clearly indicated in the file.
! Article 44 of the 'Uitvoeringswet AVG' defines exceptions to the rights of the data subject when personal data is used for research. For research purposes the right of access, the right to rectification and the right to object to further processing may be restricted where there are justified reasons. Whether such a restriction is proportionate has to be judged case by case. You can contact email@example.com for more details.