When you collect personal data for scientific research or education purposes you must work in accordance with the VSNU Code of Conduct for using personal data in scientific research. A new is currently being developed. It describes how the AVG should be applied in scientific research.
Does the GDPR apply to your research?
The GDPR applies:
- If you are processing personal data for scientific research.
- If you or your organization is responsible. This is the case when you are the researcher, play an important role in it (e.g. as a data collector) or if you have contributed to the research proposal.
- When you or the participants are in the EU (the GDPR applies to EU citizens).
The following principles must be respected at all times when processing personal data. As a researcher or student, you are responsible for ensuring that your research meets the requirements.
The processing is lawful
A legal basis is required to process personal data. The following processing grounds can be used for scientific research:
- Processing is necessary for the protection of legitimate interests (in dutch).Please note!
If the interest can also be represented in a different, less radical way, the processing of personal data can still be unlawful. It is therefore important to look at the sensitivity of the data and to what extent the rights and interests of those involved are taken into account.
- If you process special personal data, or if your research involves participants younger than 16 years of age, you need explicit permission in addition to the legal basis: Informed consent (in dutch).Declaration of consent
A Declaration of consent describes which research you do and what exactly the participant gives permission for. The permission must be documented because you must be able to prove that you have obtained permission. See the sample forms on the page Informed consent (in dutch).Special aspects of the research, such as the nature of the research (genetics research) or the scale on which it takes place (nationally or internationally) can extend the obligation to provide information. For example, additional requirements may apply with regard to access to data, confidentiality and presentation of the results.
The processing of the data is transparant
Participants have the right to receive information. You must be able to tell the participant in clear language that his personal data is being processed, why and by whom. You must answer any questions that participants ask you. In the GDPR Manual (in dutch)
you can check what exactly you need to tell to your participant.
Leiden University is obliged to keep all processing of personal data in an administration. You must record your data processing activities in Data Register for research..
Managing your research data is an essential part of your research. Data management includes the creation, storage, protection, maintenance, availability, archiving and long-term storage of research data. Data management is essential for the quality, safety, confidentiality and transparency of the research.
>> More about data management
Better safe than sorry. Carefully consider which personal data are necessary for your research. By only collecting data that are strictly necessary (data minimization) you reduce the privacy risk. You can also reduce the privacy risk by splitting data in different files.
Do not store the data any longer than necessary. Identifying data must be discarded as soon as it is no longer needed for data processing purposes.
Purpose and limitation
Personal data may only be used for the specific purpose of the research not for other purposes. You must clearly describe this purpose and be able to explain it to those involved.
However, in scientific research, in which data is made available for reuse, it is not possible to describe any future goals in advance. In such cases, the data subject can give permission for the data to be used for certain research areas instead of strictly defined goals. For example a certain illness. Further processing of data is not considered incompatible with the original purposes.
Ensure that the data are correct at all times. Update data where necessary.
Integrity and confidentiality
Treat all data confidentially. Protect the data adequately so that they cannot leak and can be used for other purposes.
High privacy risk: Risk analysis
In some cases, data processing presents a high privacy risk for those involved. You must perform a risk analysis in advance.
The following processes are risky anyway:
- processing of sensitive personal data
- processing that entails a high risk for those involved
Consider, for example, legal consequences or interests, rights or freedoms that affect the person concerned considerably. For example, obtaining diplomas, loans, health treatment and the like. processing of data on a large scale
- processing of data on a large scale
In order to determine the risk, a form with 9 questions (Pre-DPIA or Pre-Data Protection Impact assessment). This allows you to identify the privacy risks and determine whether a more extensive DPIA is necessary. To complete the form or determine follow-up actions you can contact your information manager or the data protection officer.
Can you use Qualtrics at all?
- If it is determined that sensitive data are collected in the research, which can’t (or no longer) easily traced back to individuals because they are pseudonymised, Qualtrics can be used. Please consult your Information manager if you need further advice.
- However, if it is determined that both a high degree of sensitive data is being collected with a high chance of traceability to individuals, Qualtrics cannot be used and an alternative survey tool must be considered. Please contact your information manager for this.
If – despite all measures – personal data is intentionally or unintentionally exposed to an unfamiliar audience, you must report this. This may involve the loss of data, but also the use of email addresses for different purposes than the participants gave their consent for.
How to report a data leak