When doing research, you may process personal data in your dataset.
It may include direct identifiers such as a name, or different data points (like age, education, position, company) which in combination can indirectly identify an individual and are therefore still considered personal data.
If your research involves any data that can directly or indirectly identify an individual, you will need a privacy evaluation from the ESHCC Privacy Officer.
Share your data management plan and relevant documentation via firstname.lastname@example.org and you will receive an assessment within a few working days. The privacy assessment includes evaluation of compliance with GDPR principles and recommendations for appropriate measures to ensure data protection.
If the evaluation indicates a high risk for research participants, a Data Protection Impact Assessment (DPIA) must be arranged and signed off by the EUR Chief Privacy Officer.
Privacy assessment of your research is also an important component of your application for ethics approval by the Ethics Review Board.
When collecting data directly from individuals for your research studies, always make sure you receive consent for their participation. The informed consent form template will help you to create an information sheet and consent form. The information sheet ensures transparency regarding your research activities. Privacy regulation does not require you to define a specific purpose/title of your research. It is sufficient to describe the research field where you wish to process the collected data.
When you receive data indirectly (e.g. from companies, governmental institutions), the partner is responsible for transparency towards research participants by collecting consent or including information in the privacy statement of the organisation.
Consent exemption can be granted in specific cases when:
- Providing information to people involved is impossible or requires disproportionate effort.
- Providing information will seriously impair or render impossible the objective for which you are processing that personal data (i.e. researchers will not be able to deliver their research objectives).
When considering an exemption for your research, always contact the privacy officer via email@example.com before the data collection.
Before organizing the data collection, be aware of the following rights that the General Data Protection Regulation gives individuals:
- The right to be informed – individuals must be well informed about the research purpose, data collection, analysis and retention
- The right of access – individuals may request to view the data you have collected about them
- The right to rectification – individuals may submit corrections to the submitted information
- The right to erasure – individuals may request to erase their information from your dataset
- The right to restrict processing – if it is not possible to erase the data, individuals may request you to stop processing their data in your research
- The right to data portability – individuals may request to transfer their data to another party
- The right to object – individuals may object to your data collection and processing
- Rights in relation to automated decision making and profiling – if the decision is made solely by automated means, individuals may request human intervention.
Privacy regulation offers exemption for scientific research from the right of access, right to rectification and right to restrict processing.
The right to erasure can be excluded only insofar as it is “likely to render impossible or seriously impair the achievement of the [research] objectives” (GDPR Article 17(3)(d)). Always consult the privacy officer before applying this exemption.
When your research participants are minors, the following rules apply:
- younger than 16 years: informed consent from parents/guardians is required.
- older than 16 years: informed consent from the participant.
When collaborating with other organizations for your research, be sure to arrange appropriate agreements regarding the roles, rights and responsibilities. When sharing data with parties outside the European Economic Area, be aware that you must take additional organizational measures. For advice and assistance, please contact the privacy officer via firstname.lastname@example.org.
When collaborating with students for your research, ensure clear working instructions on data collection, storage and sharing. When students use their own devices, they are responsible for protecting their equipment. More information is available on the EUR website.