When using Qualtrics there is a big chance that you will collect personal data. Personal data are protected by law and they can only be processsed under certain conditions. In addition to legal requirements and university guidelines, other guidelines may also apply. The protection of personal data is a joint responsibility of the university and of you as a researcher or student.
On these pages we explain what to be aware of when using Qualtrics. Many things play a part in this. Therefore, it’s impossible to make a simple overview of what is and is not allowed. Moreover, every research asks for specific security measures.
Personal data are all data about a person. This includes names and addresses, but also data such as IP addresses, bank account numbers, origin or sexual orientation. Personal data are protected by law and conditions apply to processing them.
Law and regulations
General Data Protection Regulation (GDPR)
When collecting personal data, you must work in accordance with the General Data Protection Regulation (GDPR) or AVG in Dutch. This European law is effective from May 25, 2018.
The GDPR strengthens and extends privacy rights. Organizations must put more effort to protect privacy than before.
Organisations have to record what they are doing with the personal data and you must be able to explain this to participants in clear language. Within organizations, a dedicated staff member must ensure that personal data is handled properly. At Leiden University this is the Data Protection Officer.
Even better protection is required when processing sensitive data. For certain types of processing a risk analysis is required before starting your study.
Failure to comply with the law may lead to substantial penalties.
VSNU code of conduct
The Code of conduct for using personal data in research describes how the GDPR should be applied in scientific research. When you collect personal data for scientific research or education you must work in accordance with this code of conduct.
In addition, guidelines from the faculty or specific codes of conduct may apply, such as when processing medical data. The ethics committee can also impose requirements with respect to the study.
Securing personal data
The security of the personal data must be a focus throughout the study: privacy by design.
Before starting the study the legal requirements that apply must be taken into account. Then the risks must be assessed that the nature of the data and the processing entails for those involved. On this basis, the desired security level must be determined.