As a university employee, you probably work with personal data. That is not just names and telephone numbers – it can also include things like cookies. How can you make sure you are working in a privacy-proof way?
Personal data refers to any information that can be traced back to a person. This information could be a name, address or location, but it could also be bank account numbers, telephone numbers or post codes with house numbers.
As of 25 May 2018, personal data also includes cookies, information linked to IP addresses and MAC addresses, so bear in mind that data is now more likely to be sensitive to privacy issues.
Extraordinary (sensitive) personal data
Sensitive information, such as someone’s race, religion or health, is called extraordinary personal data. This data has an extra layer of legal protection.
4 tips for research involving personal data
Tip 1. Collect as little personal data as possible
Think before collecting data: what personal data is really necessary for your research? For example, do you really need to collect personal data that could be traced back to a private individual? The less data, the better. This also reduces the chance of an unnecessary Data Privacy Impact Assessment (DPIA) having to be carried out.
Tip 2. Request permission
The test subjects must give their permission voluntarily. Explain as clearly as possible:
- the reason why you are collecting the personal data
- that you will not use the personal data for any other purpose
- When test subjects are under 16, you should also obtain (additional) permission from the subjects’ parents/guardians.
Tip 3. Work securely
Make sure no personal data falls into unauthorised hands. Find out how you can easily protect personal data.
Tip 4. Destroy or anonymise personal data once your research has finished
For more information about destroying or anonymising personal data, please contact the Centre for Digital Scholarship.
Permission to work with personal data
Do your duties make it necessary to collect personal data? The law includes some principles under which this may be the case:
- You have obtained permission from the person involved.
- The data processing is necessary for the implementation of an agreement.
- The data processing is necessary to comply with a legal obligation.
- The data processing is necessary to protect vital interests.
- The data processing is necessary to carry out a task which is in the general interest or to exercise public authority.
- The data processing is necessary to represent legitimate interests.
Any one of the above principles provides sufficient grounds for the use of personal data. To work with extraordinary (sensitive) personal data, you must also be able to claim a legal exception.
There has been a data leak. What now?
If personal data has fallen into the hands of unauthorised third parties, for example because your laptop has been stolen, you must report the data leak to the ISSC Helpdesk (tel. 8888) as soon as possible. If in doubt, contact the Privacy Service Point.
Use of personal data in scientific research
Personal data can also be collected at the university within the framework of academic research and education. This requires that all those involved work in accordance with the General Data Protection Regulation (GDPR) and the VSNU’s Code of Conduct for the Use of Personal Data in Scientific Research (NB: this is the old code of conduct. The VSNU is consulting with experts to draft a new code of conduct that satisfies the GDPR).
If patient data is involved, for instance during research at the LUMC, the relevant professional codes also apply. If you collect privacy-sensitive or otherwise confidential information during your research project, you must take data protection measures.
Data processing register for research
Are you starting a new academic study that includes personal data? You set out how you will process this information in the research data processing register. You can use the data management plan (DMP, .docx, 62 kB) to describe the intended actions and agreements. If you have questions or would like advice or training, visit the Centre for Digital Scholarship.
For questions about the research data processing register, contact your privacy officer or the Privacy Service Point. For general questions and advice about the processing of personal data and drafting a data management plan, contact the Centre for Digital Scholarship.