How to protect your participant’s personal data? 

What is personal data? 

Personal data is data that comes from, or relates to, living individuals. Your name and address are obviously your personal data, but your pet’s name may also be considered your personal data – if that name is unique enough, a google search would easily identify you as the dog’s owner. 

What makes personal data personal depends on both the nature of the data and its context. A date, “12 December 1980”, is not personal data unless the context indicates the date is someone’s birthday. 

We explain in more detail what is considered personal data, and what is considered anonymous data according to the GDPR in the Personal vs. Anonymous data guidance. 

What does processing personal data mean? 

The term processing refers to any operation performed on personal data, such as using, collecting, recording, tracking, observing, erasing, etc. Practically everything you do with personal data is processing. 

So, every time you collect data from people, e.g., using a survey or interviews, you are processing personal data, and your activity must comply with the GDPR – even if the collected data ends up being anonymous.  

Examples of activities that constitute processing personal data include: 

• Collecting data directly from people, e.g., surveys, interviews; 
• Observing or deriving data from people, e.g., observations in public spaces; 
• Using previous collected personal data, e.g., from previous research, repositories, even from publicly available personal data; 
• Using personal data for supporting tasks; e.g., websites, e-mail lists, newsletters, conferences, etc. 

How to process personal data in compliance with the GDPR? 

The GDPR can be challenging to understand. That is why we have summarized it into four components 

1. Have a clear and legitimate purpose: Identify the purpose of your project and describe why using personal data is necessary to achieve that purpose. The purpose will tell you which of the six legitimate reasons (lawful basis) is appropriate to use. In research, the most useful ones are:

• To perform a public task – applicable for when it is impractical or impossible to get consent from all participants, e.g., conducting observations in public. 
• To pursue a legitimate interest – applicable for tasks that are not strictly about research data, e.g. targeting and recruiting participants. 
• Because the individual has given consent – Most used in research, but there are strict conditions to ensure consent is legitimate. 

2. Design safe processing: The collection of personal data should, from the outset, be limited to what is appropriate, relevant and necessary for the purpose pursued. Identify the risks associated with the processing and implement suitable measures that adequately reduce those risks. Useful things to consider include:

• Only collect data that is necessary – keep it at a minimum  

• Justify why you need participants (and their data) – e.g., why do you need their age?  

• Remove details – anonymize/pseudonymize as much and as early as possible  
• Restrict data access – Encrypt data, control who has access to research data 
• Keep data safe and accurate – avoid data breaches! 
• Use safe tools – tools.uu.nl  
• Do not keep data unless is necessary – justify storage periods  
• Identify potential risks – and implement mitigating measures 

3. Inform people and give them control: People must be able to determine the scope and consequences of the processing and must know their data protection rights and how to exercise them. The processing should be expected by data subjects, they should not be surprised by it.

• Provide information: Information must be clear, accessible, and provided in an appropriate manner, and should at least describe who is processing their data, how their data is being processed and for what purposes. You should be able to provide information for as long as you keep processing personal data – so be prepared to provide information even when personal data is being archived after publication. 
• Give them control: People must be able to have a say on how their data is processed. You should seek their views on the processing, and they should know what rights are available to them – and how to exercise them – within the context of the project. You also need to explain that once data is deidentified, you likely won’t be able to (and do not have to) comply with data rights requests (like access, rectification or erasure), because you won’t be able to identify their specific data within your dataset – unless you are provided with additional information that may enable you to locate that specific individual’s data. 

4. Document the process: Document all the above requirements, in writing, to ensure you can demonstrate your compliance efforts. To simplify the process of documenting GDPR compliance for research projects, we have developed the Privacy Scanat the Geosciences faculty. The Privacy Scan consists of 11 items that describe and review the requirements listed above. Once potential issues have been addressed, the privacy scan documentation will demonstrate your project’s compliance with the GDPR.

Get in touch with the UU Geosciences Data Team 

The data stewards, faculty data manager and faculty privacy officer all monitor and reply to emails sent to datateam.geo@uu.nl. If you would like to email a particular person, the members of the team and their roles can be found here. 

Also, do not forget about data management of your project!