Personal Data
Introduction to Data Protection (Privacy) Compliance
All projects at the Geosciences Faculty that process personal data must demonstrate compliance with the GDPR (the European General Data Protection Regulation, AVG in Dutch). The Privacy Scan is the tool used at the faculty to demonstrate your project's compliance. We advise you not to start collecting personal data if you have not completed a Privacy Scan, to avoid the possible cancellation of your project.
Are you ‘processing personal data’?
What does the term ‘processing personal data’ actually mean?
Personal data is any information relating to an identified or identifiable natural person – the “data subject.” What makes data personal is both the nature and the context of the data. Something like “12 December 1980” is not personal data unless the context indicates the date is someone’s birthday.
Processing refers to any use of personal data – anything that is done with it, from collecting information by asking or observing people, to analyzing it, storing it, sharing it with others and/or deleting it when no longer needed.
We explain in more detail what is considered personal data, and what is considered anonymous data according to the GDPR in the Personal vs. Anonymous data guidance.
What (research) activities should be considered as ‘processing personal data’?
- Any activity that collects data directly from people. If your project conducts interviews, or even if it is only conducting ‘anonymous’ surveys or questionnaires, that activity is considered as processing personal data.
A researcher asks people on the street for their favourite colour, or if they like coffee or not. Even though collected data is likely to be considered not personal data (it will just be a tally of how many people like blue, red or yellow, or what proportion of people do not like coffee), the activity involves collecting people’s personal data (their personal opinions/preferences), and the collection of personal data is a type of personal data processing.
- Any activity that observes or derives data from people. If your project conducts observations of people, even if this happens in public spaces like parks or on the street, or in open online environments like Facebook or Twitter, that activity is considered as processing personal data.
A researcher observing a group of people writes down her observations in her notebook. Since her observations relate to people as a group, not individually, the notes recording her observations are likely to be considered anonymous data – as long as she does not refer to any person individually.
But the process of collecting this data is considered processing of personal data, as she is actually observing each person within the group. She can see that maybe one person is wearing a blue skirt, and another is wearing green shoes, even if she is not writing this down. If someone in that group punches someone else, she will likely be able to identify that individual if asked by the police. The act of collecting data from observing individuals is considered as processing personal data.
Another example: A project aims to count the number of bicycles per day that are crossing a given street section.
- One proposed method uses a camera pointed at the street section, analyzing the video feed using AI to identify and count the number of bikes per day.
- Another method counts bikes using their electromagnetic signature, detected using an induction loop embedded in the pavement.
The first method is considered as processing personal data, because the video feed obviously captures an individual’s movements – even if this information is only used to count them. The privacy scan would have to document the measures taken to ensure compliance, like having sufficient security measures, and appropriately informing people about the purpose of the (video) data collected by the camera.
In contrast, the second method may not be considered as processing personal data, as from the start only one type of data is captured – an electromagnetic signal – which can be considered non-personal from the moment of initial collection. Whereas in the first method it is possible to change the algorithm and count how many red bikes are crossing, or how many people are using their phone while biking, that is not possible using the second method.
But be aware of the context: if the induction loop is placed in front of someone’s house, you will be able to monitor the whereabouts of the individual living in that house – and that will definitely be considered as processing personal data.
Still, having a privacy scan of the second method is recommended, as it will be useful in documenting why the activity should not be considered as processing personal data.
- Any activity that uses previously collected personal data – even if that data is freely and publicly available. If your project is using data that was previously obtained from or linked to people, and this data has not yet been properly anonymized, that activity is considered as processing personal data. If you plan to use shared data obtained from previous research projects or activities, this is also considered as processing personal data, and will likely require having a privacy scan to demonstrate how this further processing is compliant with the GDPR.
In a recent case, a study analyzed publicly available Twitter messages for research and journalistic purposes. Among other findings, the Belgian data protection authority (DPA) remarked that just because personal data is publicly available, it does not mean it is not protected by the GDPR. Due to their lack of compliance, the Belgian DPA decided to impose a fine for infringements of the GDPR.
- Any activity that uses personal data for supporting tasks. Many projects that use data that is definitely not personal (mineral data, climate data, etc.) may still be using personal data for supporting tasks. A project website is likely tracking website visitors using cookies, or the project’s workshops or conferences are likely asking users to submit their data for registration. When that happens, these supporting tasks are considered as processing personal data.
A project is planning to build a website to give access to a dataset of electron microscopy images of rock samples – this is clearly not data about people. But if this website uses cookies, or a mailing list to send regular updates, or asks people to register to keep track of how many people use the site, that is definitely considered as processing personal data.
What is a Privacy Scan?
Once you have determined that your project is processing personal data, the next step is to start a Privacy Scan.
The Privacy Scan is a protocol designed to facilitate the process of evaluating and documenting the GDPR compliance of your project. GDPR compliance is achieved when a project appropriately implements Data Protection by Design and by Default (DPbDD), and the Privacy Scan is the documentation that demonstrates a project adequately implements DPbDD.
The information on how to complete a Privacy Scan is presented here.
Because GDPR compliance is not commonly applied in the project structure from the start, the privacy scan will often require changes to the way the project handles personal data, or even stop the project from using some tools or services – which may lead to lost time and money. That is why it is critical to start and keep working on the privacy scan at the same time the project is being designed, when it is relatively easy and straightforward – in both effort and economic terms – to implement required changes in the project design. Keep in mind that projects that do not comply with the GDPR are not suitable for handling personal data.