LIS Research Support Weblog: RS Weblog

Privacy and scientific research

[This is a post from our colleagues of the Research Data Office]

On May 25, 2018, the General Data Protection Regulation (GDPR) came into force, which harmonized privacy legislation throughout the European Union. Read our earlier blogpost on the GDPR. The GDPR has consequences for the collection and processing of personal data in scientific research. It is now up to the researchers to follow the correct procedures. In this blog post we have listed a number of sites you can go for more information and support.

National online module “Privacy in Research”

In a national context, the online module Privacy in Research has been compiled for researchers who are connected to a university or a university of applied sciences. After completing this module:

• it is clear what the GDPR means;
• you know which aspects of the GDPR are important for your research; and
• you are familiar with the steps you can take to comply with the GDPR.

Information and support Tilburg University

Several information meetings have been organized within Tilburg University. The video presentation Scientific Research and the GDPR is available (recording of presentation in the Auditorium on May 8, 2018).

Some important points for research are:

• Data Protection Impact Assessment. In research involving high-risk processing of personal data, it may be necessary to have a DPIA (Data Protection Impact Assessment) carried out. The data representative can offer support with this.
• Follow the principles Privacy by Design & Privacy by Default. Privacy by Design: when you set up your study, build in measures to promote privacy. Privacy by Default: Ensure that the default settings of all involved systems promote the privacy of the research subjects.
• Informed Consent Form. Under the GDPR, stricter requirements apply for obtaining permission from the person concerned (respondent). Existing ‘Informed consent’ forms must be adapted accordingly.
• Processing agreement for external data processing programs. Programs for data collection and processing (e.g. Qualtrics, Survey Monkey, Mechanical Turk) cannot be used without a processing agreement (a list of programs for which a processing agreement already exists is being prepared). For all other programs, you are responsible, as a researcher, for concluding a processing agreement yourself. The data representative can also offer support with this.
• Data storage. Sharing, storing, and archiving data must take place in a secure manner. The Research Data Office can support this. If data is not stored on the university servers (M- and O-drive), a processing agreement is required. This does not apply to SURFdrive, for which a processing agreement already exists. Only send personal data in encrypted form. This is possible with Secure Filesender.

Application Form Research Ethics, Data Management, Data Processing Register

For researchers who process personal data in their research, it is important to know that every new processing of personal data must be reported from now on. You can do this by filling out the Application Form Research Ethics, Data Management, Data Processing Register at the start of the research. This is an integrated form for ethical review (if applicable), data management and the GDPR processing register. More information about the form and to whom it should be sent (choose the section “Prior to research” and then “Data Processing Register, Ethics and Data management”).

Key documentation on the university’s intranet

• Privacy Statement Scientific Research (PDF)
• Special website Scientific Research and the GDPR
• List of frequently asked questions about Privacy, Personal Data Protection & Security

Questions about the GDPR?

For each School there is a so-called data representative available who you can ask questions about the GDPR:

• Tilburg School of Economics and Management: P.H. (Pam) Dupont
• Tilburg Law School: L. (Linda) Martens
• Tilburg School of Social and Behavioral Sciences: P.H. (Pam) Dupont
• Tilburg School of Humanities and Digital Sciences: C. (Cécile) de Vos
• Tilburg School of Catholic Theology: N.C. (Nico) de Groot

If you notice a (possible) security incident, report this immediately to the UvT-CERT team. Privacy incidents can be reported by mailing to privacy@tilburguniversity.edu

Questions about research data management?

For questions about the management of research data (data management plans, data storage, data archiving), contact the Research Data Office (RDO): http://www.tilburguniversity.edu/rdo, e-mail rdo@uvt.nl

Questions about ethical issues?

For questions about ethics, please contact your School’s ethics committee.

Data Protection Officer

The GDPR also prescribes that a Data Protection Officer (DPO) be appointed. At our university this is M.R.G. (Moswa) Herregodts. The DPO’s task is to supervise the application of and compliance with the GDPR and to provide advice. Questions to the DPO can best be submitted via the data representatives.