
Research Integrity

Tilburg University is committed to protecting and guaranteeing research integrity.

General Data Protection Regulation (GDPR)

The right to privacy is a fundamental human right, established in the 1950 European Convention on Human Rights, which states:

"Everyone has the right to respect for his private and family life, his home and his correspondence."

The EU Charter of Fundamental Rights contains an explicit right to the protection of personal data (article 8), next to the right to privacy (article 7).

  1. Everyone has the right to the protection of personal data concerning him or her.
  2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
  3. Compliance with these rules shall be subject to control by an independent authority.

The General Data Protection Regulation (GDPR) is a European privacy law that came into effect on May 25, 2018. It applies to all organizations that process or control personal data. The regulation covers both European entities handling the personal data of individuals within the EU and organizations outside the EU that target or process data from EU residents.

What is personal data processing?

Processing personal data covers any operation performed on it, including collecting, recording, structuring, storing, combining, using, sharing, disseminating, erasing, and deleting personal data.

Lawfulness
The processing of personal data must be lawful, meaning there must be a valid legal basis and purpose.

Consent is the primary basis in scientific research. Key requirements for valid consent:

  • The data subject must be clearly informed in advance about the processing.
  • Consent must be actively given (e.g., no pre-checked boxes).
  • Consent must be documented and provable.
  • If consent is part of a broader statement, it must be clearly distinguishable, using a separate checkbox if needed.
  • Consent can be withdrawn at any time as easily as it was given.

Using the legal basis of public interest requires a social need, a gain of knowledge for society, and an explicit task in the public interest assigned to the institution.

Legitimate interest can only be considered as a legal basis if neither consent nor public interest can serve as the basis for the processing. In that case, the researcher must conduct a balancing test, considering:
a. The impact on the data subject.
b. Whether additional safeguards are in place.
c. The severity of the privacy intrusion.
d. Whether the data subject could reasonably expect the processing.

The researcher must document this assessment in their ERB/IRB application.

Controller vs. Processor

The organization that decides why and how personal data is processed is called the controller. For example, if Tilburg University hires a third party to collect data or uses a cloud service to store personal information, Tilburg University is acting as the controller.
The organization that processes the data on behalf of the controller, and only under the controller’s instructions, is known as the processor.

As a data controller, Tilburg University has agreements with market research agencies, cloud service providers, and software platforms that may be used for processing personal data. Before using any external organization to process personal data, ensure that a processing agreement with Tilburg University is in place.

The university maintains a list of approved software for data processing, available here: Tilburg University Approved Software. If the software you wish to use is not on the approved list or if you have questions, contact your school’s data representative for guidance.

Fundamental principles

All personal data processing must adhere to the fundamental principles outlined in Article 5 of the GDPR:

Source: Secureframe

Datasets

Research often involves using paper or digital datasets containing personal data. This may take two forms:

  • Creating a new dataset: This can involve video/audio recordings, interviews, observations, (virtual) experiments, eye tracking, ECG/EEG/MRI, and wearables. New datasets can also be compiled from public or restricted sources, such as web scraping from (semi)public platforms. When scraping forums, social media, or other websites, researchers must consider the context, copyright, and terms of use.
  • Using existing datasets (secondary use): Whenever possible, only anonymized or pseudonymized data should be used. In the case of pseudonymized data, researchers should not have access to the key linking data to individuals. If a dataset contains personal data or can be linked to individuals by combining datasets, or if the researcher has access to the key file linking data to individuals, the research must meet all relevant requirements. Consult your data representative to assess compliance.

Data breaches

Mistakes happen: you might accidentally send an email to the wrong person or have your work laptop stolen. While inconvenient, such incidents can also result in a data breach, potentially affecting others. To minimize the impact, Tilburg University prioritizes swift reporting and response to data breaches.

A data breach occurs when personal data is accessed, lost, altered, disclosed, or destroyed without authorization or by accident. Common examples include:

  • Sending personal data to the wrong recipient.
  • Cyber-attacks leading to data theft.
  • Misconfigured application settings allowing unauthorized access.
  • Losing a USB drive with personal data.
  • Theft of a work laptop or phone.
  • Leaving confidential documents (e.g., exams) in a public place.

Tilburg University is required to log all breaches and, if they may impact individuals' rights and freedoms, report them to the Autoriteit Persoonsgegevens (Dutch supervisory authority) within 72 hours to comply with regulations.

When in doubt, report it!

If you are unsure whether an incident qualifies as a data breach, always report it internally. It’s better to report too many times than too few. You can report a data breach using the form at the following link: https://www.tilburguniversity.edu/form/data-breach-security-problem