Category: General Data Protection Regulation (GDPR)
Risk assessment
When processing personal data, it is important to use a risk-based approach. This means that you have to reflect carefully on the possible negative consequences of the processing for the privacy and integrity of the research participants. Taking these risks into account, you have to decide which technical and organisational measures are needed to guarantee the confidentiality of the data.
An inadequate risk assessment, in which the technical or organisational measures are insufficient to protect the data, makes a data breach more likely, which can harm the privacy and integrity of the data subjects (e.g. discrimination, exclusion, … of individuals and/or communities).
The data protection impact assessment (DPIA): a risk assessment in the GDPR
When the nature of the personal data or the processing results in a potential high risk for the data subjects, you are obliged to conduct a data protection impact assessment (DPIA), which is a risk analysis carried out before the start of the data processing. A DPIA will help you to manage the risks that the processing of personal data poses to the rights and freedoms of the data subjects (by assessing the risks and taking appropriate measures to deal with them). A DPIA can cover one specific research project, but also a series of comparable processing activities (or research projects) with comparable high risks.
The following criteria of possible risks can help you to determine whether or not the processing of personal data within your research forms a potential high risk.
- Special categories of personal data are being processed.
- Personal data of children or other vulnerable persons are being processed.
- Personal data are processed on a large scale (take into account the number of data subjects, either as a specific number or as a part of the relevant population).
- Aspects relating to the data subject's performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements are being evaluated, scored, profiled or predicted.
- The personal data are shared with or transferred to countries outside the EEA, or to countries which are not on the ‘white list’.
- The research concerns datasets which are or will possibly be shared.
- The processing is aimed at taking decisions which entail legal or comparable significant effects for the data subjects. For example, the processing could lead to exclusion or discrimination of the data subjects.
- The processing prevents the data subjects from exercising a right or using a service or a contract.
- Your research covers the systematic monitoring of persons in one or more publicly accessible areas.
- Your research concerns innovative use or application of technological or organisational solutions, like the combination of fingerprints and face recognition for enhanced physical access control.
- Your research concerns the processing of non-pseudonymised personal data.
- It is planned to link different (special categories of) personal data.
If 2 or more of these criteria are applicable to your research, your research forms a potential high risk. In this case, a DPIA is mandatory in order to list the privacy risks relating to the processing.
In a DPIA you will be asked to describe and assess the risks, to assess the necessity and proportionality of the processing, and to describe the technical and organisational measures taken to mitigate the risks. By completing the questions in the DPIA, you should be able to estimate the impact and the likelihood of the risks in your research. By balancing the impact against the likelihood, you can indicate whether or not there are risks left in your research and whether or not they are acceptable.
Measures to protect privacy
When you process personal data you have the ethical and legal obligation to ensure that personal data are sufficiently protected. The basic level of security must always be in accordance with the information security policy of your university. However, additional measures may be necessary specifically for each processing. The choice of additional security is based on assessment of the risks of the processing. Processing involving more risks will have to be accompanied by a more extensive set of safety measures.
In the area of data protection, anonymisation, pseudonymisation and encryption are put forward by the GDPR and sometimes even required as guarantees.
Pseudonymisation and anonymisation
When (pseudonymised) personal data are wrongfully assessed as being anonymous data, they most likely lack sufficient protection. This creates an unwanted chance for re-identification and possibly other negative consequences for the data subject(s), researcher(s), the research institution and even for the scientific world.
Pseudonymisation is a security measure. Pseudonymised personal data (referred to as ‘coded data’ in the previous privacy legislation) are personal data (possibly sensitive) that can only be associated with an identified or identifiable person by use of a non-public (secret) key. Pseudonymised personal data are still personal data protected by the GDPR, even when you are not in possession of the key needed to decode them. If you receive pseudonymised data from a researcher at another university (in the context of secondary use), these remain personal data subject to the GDPR and should not be considered anonymous.
“I anonymised my data but I can still reverse the process ‘just in case’.”
Anonymous data are data which do not concern an identified or identifiable natural person. This also includes personal data which have been anonymised in such a way that the data subject is no longer identifiable (by all reasonable means), because a processing technique has irreversibly removed the possibility of identification.
Data that do not include names or contact information are often too easily seen as anonymous. However, IP addresses and audio/video recordings of interviews, for instance, should also be seen as identifiable data. In some cases, there may not be any data that identify individuals directly, but the data do allow identification when put together. For instance, when you know which company someone works for and what their function is, in combination with some demographic information (such as age and gender), it may become possible to identify certain individuals.
Anonymous data are not personal data and do not fall within the scope of the GDPR.
Note that even if you only process anonymised data, it is still important to evaluate the ethical aspects of the collection and processing of these data.
Data which are, with reasonable effort, traceable to the original individuals are not anonymous data, but are still personal data and therefore fall within the scope of the GDPR. For this reason, many types of research data (e.g. qualitative data, big data sets with a broad range of personal data, …) are difficult to anonymise completely.
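As an added illustration (not part of the original guidance), the Python sketch below replaces names with keyed pseudonyms and then counts how many records share each combination of the indirect identifiers mentioned above. The sample records, the field names, HMAC-SHA256 as the pseudonymisation method and the threshold k = 2 are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records (not real people): one direct identifier plus
# the indirect identifiers named in the text (company, function, age, gender).
RAW = [
    {"name": "Person-01", "company": "Acme", "function": "engineer", "age": 34, "gender": "F"},
    {"name": "Person-02", "company": "Acme", "function": "engineer", "age": 36, "gender": "F"},
    {"name": "Person-03", "company": "Acme", "function": "engineer", "age": 31, "gender": "F"},
    {"name": "Person-04", "company": "Acme", "function": "CFO", "age": 58, "gender": "M"},
    {"name": "Person-05", "company": "Birch", "function": "nurse", "age": 45, "gender": "M"},
    {"name": "Person-06", "company": "Birch", "function": "nurse", "age": 47, "gender": "M"},
    {"name": "Person-07", "company": "Birch", "function": "nurse", "age": 29, "gender": "F"},
]
QUASI_IDS = ("company", "function", "age", "gender")
GEN_IDS = ("company", "age", "gender")  # identifiers left after generalisation


def pseudonymise(records, key):
    """Replace the name with a keyed pseudonym; re-linking requires the secret key."""
    out = []
    for r in records:
        pid = hmac.new(key, r["name"].encode(), hashlib.sha256).hexdigest()[:12]
        out.append({"pid": pid, **{q: r[q] for q in QUASI_IDS}})
    return out


def class_sizes(records, quasi_ids=QUASI_IDS):
    """Count how many records share each combination of indirect identifiers."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def at_risk(records, k, quasi_ids=QUASI_IDS):
    """Pseudonyms whose combination of indirect identifiers occurs fewer than k times."""
    sizes = class_sizes(records, quasi_ids)
    return [r["pid"] for r in records if sizes[tuple(r[q] for q in quasi_ids)] < k]


def generalise(records):
    """Coarsen age to a 10-year band and drop the job function."""
    out = []
    for r in records:
        low = r["age"] // 10 * 10
        out.append({"pid": r["pid"], "company": r["company"],
                    "age": f"{low}-{low + 9}", "gender": r["gender"]})
    return out


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # secret key, stored apart from the data set
    pseudo = pseudonymise(RAW, key)
    print("unique on exact values:", len(at_risk(pseudo, 2)), "of", len(pseudo))
    gen = generalise(pseudo)
    print("still unique after generalisation:", at_risk(gen, 2, GEN_IDS))
```

On the constructed sample every pseudonymised record is unique on its exact values, and two records stay unique even after coarsening, so without further measures the set still has to be treated as personal data.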
Note that if you are still working with identifiable personal data at the beginning of and during the anonymisation process, the GDPR still applies.
How to comply with the GDPR?
There’s a lack of transparency when there is no information letter for the participant, or the information letter is very unclear.
The participants need to understand the scope of the research and be aware of how their data will be processed. If the participants have questions about this or want to lodge a complaint, it is important that the information sheet also tells them who they can contact.
You are obliged to process personal data in a transparent manner with respect for all applicable laws, regulations and rules. You also need a legal basis before collecting and processing personal data and you have to inform the data subjects about this legal basis and why you will collect and process these specific personal data (e.g. in an information sheet). The data subjects have certain rights which they can assert regarding the processing of their personal data.
Records of processing activities
In order to keep an overview of the processing of personal data within the research and to meet the legal obligation to document, you have to fill in the “records of processing activities” (GDPR Register) of your institution. You complete the questions in the register before the start of your research processing activities and you keep it up to date during your research. The questions in the GDPR Register focus on the processing of personal data and the compliance with the GDPR-requirements in your research.
When to think about this?
The GDPR is applicable to the processing of personal data throughout the entire research lifecycle. Because there are some important requirements prior to working with personal data, most of these requirements will be integrated in the design of the research (privacy by design). In the design phase of your research, usually you reflect on the substantive and methodological aspects of it.
During your research, these requirements will change along with your research data and your research design. So it’s very important to keep this up to date.
Processing of personal data fits within research data management, conceived in a broad sense.
When these principles are applied to the research life cycle, this results in the following overview of points of attention and ‘to do’s’
Who’s involved?
The GDPR defines different roles. The most important roles are:
- Data controller
- Joint data controller
- Processor
Considering the different responsibilities and duties of data controllers and processors, it is important to clearly define these roles (together with other partners in your research) at the start of your research.
Data controller
The data controller is defined as the institution/organisation/person who decides on the purpose and resources of the processing. Please note, only providing research funding (like the FWO, EU, …) is insufficient to be considered as a data controller in the context of your research.
For example: you are an FWO PhD fellow and, together with your supervisor, who is a professor at your university, you determine the purpose of your research. Although your research is funded by the FWO, your university will be the data controller. The FWO is merely a funder.
Joint data controller
Concerning joint data controllers, the purpose and the resources are determined by two or more organisations or institutions. In this situation, it is important to establish in a transparent manner, together with the other controller(s), who is responsible for providing information to data subjects and who data subjects can contact if they want to exercise their rights.
For example: you conduct research together with another university in Belgium or abroad, where both partners design the research plan (to a greater or lesser extent). This is not a situation where one university is merely a supplier of data or only carries out a specific contract for subcontracting.
Processor
Finally, an institution, an organisation or a researcher can act as a processor. In this case, the institution, organisation or researcher processes personal data commissioned by another organisation. For example: contract research, services commissioned by private companies, or some types of policy relevant research. This other organisation determines the purpose and the resources of the research.
As part of a research project or a research collaboration, you may also work with processors to collect, process, store or make personal data available. For example: researchers contract with a company to send surveys to data subjects, or to analyse certain results of interviews and surveys. In this case, your university will act as the controller and the company as the (sub)processor.
It is important to stipulate all agreements in a contract between (joint) data controller(s) and processor(s) and subprocessor(s).
Which specific roles are there within the institution?
As a researcher within a research institution, you are responsible for making sure that your research is in line with the applicable guidelines. For specific advice in relation to the application of the GDPR, you can contact the ‘Data Protection Officer (DPO)’. For legal advice you can contact the valorisation/legal services of your institution. In some institutions, you can contact Data Stewards for further support on research data management.
When you share research data with another researcher or institution in the context of your research, you have to be sure that this other researcher or institution offers the same level of safe and sound protection, so that the rights and freedoms (including privacy) of the data subjects are guaranteed. In a joint project in which personal data are processed at different institutions/universities, it is also important that the processing of personal data at each institution is registered in a GDPR register.
Local collaborations
Although the GDPR applies to everyone who processes personal data in Belgium, the process for complying with these requirements can differ. For example, the GDPR Register of one university can differ to some extent from the register of another university or research institution.
Interdisciplinary collaborations
Take into account that different disciplines can have additional (ethical) requirements when it comes to processing personal data (e.g. medical or health data). In addition, not every ethics committee will review these ethical requirements associated with the processing of personal data in its ethical advice.
International collaborations
In research projects where organisations/institutions from different Member States are involved, you should always take a look at the national legislation of all Member States involved and perform the processing in line with these national requirements. When you collaborate with (researchers from) countries outside the European Economic Area (EEA), you have to take into account any third country or international legislation. Moreover, you will have to take extra measures in order to guarantee that the research data are protected safely and with integrity (e.g. by an EU model agreement).
General Data Protection Regulation (GDPR)
When you process personal data in your research, you have to take into account the rules of the General Data Protection Regulation (GDPR).
The GDPR, which has been in force since 25 May 2018, modernised the existing privacy legislation. It creates a uniform European legal framework and gives citizens/data subjects more control over the processing of their personal data. The GDPR requires organisations to be transparent and responsible towards citizens/data subjects, especially about how and why they process personal data.
The GDPR provides that EU Member States can draw up national legislation for certain areas and exceptions. In Belgium, the Law on the protection of natural persons with regard to the processing of personal data was published in the Belgian Official Gazette on 5 September 2018.
What are personal data?
Personal data is any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier, or to one or more factors specific to the physical, psychological, genetic, mental, economic, cultural, social … identity of a natural person.
Indirect identifiers, or combinations thereof, may also lead to identification and are therefore also personal data.
Why is it important to comply with this legislation?
If you process personal data, part of your job is to protect the rights and freedoms of data subjects in accordance with the GDPR.
In addition, there are a number of other important reasons for applying the GDPR rules meticulously in your research:
- Careful handling of data increases the quality and reliability of your research and the research results.
- Careful handling of data retains the confidence of citizens in scientific research.
- A violation of the law can lead to reputational damage and negative media attention for your institution, your department and yourself as a researcher, and can also lead to heavy fines.
- Compliance with the GDPR is often explicitly imposed by research funders (such as Horizon Europe, ERC, FWO) or even described as a work package (deliverable) in a project.
- When publications are submitted, journals are also increasingly asking for compliance with the GDPR.
General principles
The GDPR is based on six basic principles, which you have to take into account when processing personal data before, during and after your research.
- Lawfulness, fairness and transparency: You are obliged to process personal data in a transparent manner with respect for all applicable laws, regulations and rules.
Lawfulness means that you have to collect and process personal data on a legitimate legal basis or legal ground.
Fairness means that your collection and processing of personal data should be in the best interests of the data subject and that the extent of the data processing can reasonably be expected by the data subject.
Transparency means that you have to inform the data subjects about the legal basis, what personal data you will collect and process and why you will collect and process these specific personal data (e.g. in an information sheet).
The data subjects have certain rights which they can assert regarding the processing of their personal data.
- Purpose limitation (finality and proportionality): You can only process personal data for your particular research purpose, and the processing has to be reasonable and proportional for achieving the research goals. As far as possible you have to inform the data subject about possible future use of the personal data, for other purposes or research projects.
- Data minimisation: You may only use the personal data necessary to achieve the objectives of your research.
- Accuracy: The personal data that you process must be accurate.
- Storage limitation: The personal data that you process may not be kept longer than necessary for your current research or for possible further analyses of data.
- Confidentiality and integrity: As a researcher you must handle personal data confidentially and take appropriate technical and organisational measures to guarantee the confidentiality and integrity of the data, so that they are protected, among other things, against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Pseudonymisation (and if possible anonymisation) and encryption are important safety measures you can take to guarantee the confidentiality of the data. Confidentiality and integrity is also an important concern when sharing personal data with other researchers or institutions, whether or not they are part of your research project. When drafting your research design, you have to determine who should have access to the data and which measures should be taken into account to protect the data (also when sharing these data).
The GDPR leaves sufficient room to process personal data for scientific research. Article 89 of the GDPR allows derogation from the right of access, for example, where this right would render impossible or seriously impair the achievement of the research objectives.
Self-accountability: self-accountability applies as a general principle. You must be able to demonstrate that you comply with the principles set out above. For this, it is important to ask yourself the following questions:
- At the start of my research, did I thoroughly consider and document the privacy aspects of my research?
- Am I able to demonstrate that I have actively taken responsibility for processing personal data in a secure manner?