Privacy for researchers
On 25 May 2018, the new European privacylaw came into force: the General Data Protection Regulation (AVG). In this information brochure you will find more information on how to organise your research at TU Delft in a privacy friendly way. After all, protecting our data is the responsibility of all of us. If you have any questions, please feel free to ask the privacy team at email@example.com.
When do we speak of personal data?
We speak of personal data if data can be traced directly or indirectly to a natural person. For example, a name, e-mail address, date of birth, photo or IP address. Or answers from a person that can be traced back to that person.
Guidelines for research
- Be aware that you need to fill in a Data Management Plan (DMP). Ask your data steward for the latest version of the DMP template. Grant providers (NWO, EU) are also increasingly asking for a DMP.
- Make sure you have a legal basis for conducting the investigation. This will often be the consent of the person(s) involved. Check hrec.tudelft.nl for more information about "informed consent" (including checklist and templates).
- Make sure that you inform the person(s) concerned clearly and transparently about what you are going to do with his or her personal data. Check hrec.tudelft.nl for more information about "informed consent" (including templates).
- Collect as little personal data as possible. Take special care when collecting special personal information, such as race, religion or health data. Extra care and precautions are also required for the data of vulnerable groups, such as children.
- Store personal data in a secure database, such as DANS.
- Delete/anonymise personal data when you no longer need them.
- When publishing, use anonymised personal data as much as possible.
- Ensure that personal data is stored within the EU. Cloud applications such as Google and Dropbox store data outside the EU. If it is necessary to store data outside the EU, additional measures will have to be taken. Please contact the data steward of your faculty about this.
- Report (suspected) data leaks via firstname.lastname@example.org.
- Check if you need approval from the Human Research Ethics Committee (hrec.tudelft.nl). Sometimes an investigation raises many (privacy) questions. For example, when complex constructions are involved, such as a public-private partnership with a large number of international parties. If you have any questions, please contact your faculty's data steward.
Right to be forgotten
The right to be forgotten is one of the rights of data subjects according to the AVG. When a data subject makes a request to be forgotten (withdrawal of consent), the data processed up to that point will be retained. From that moment on, however, the processing of personal data will be stopped. After all, data subjects may have second thoughts regarding participation in scientific research. It is not required to remove the personal data completely. In some cases in scientific research, a request to be forgotten may not be granted because it may affect the results of the research. It is therefore important that the researcher - prior to the research - always clearly communicates this to the data subject(s).
Reuse of data
If research is conducted for a specific field of research and the researcher wishes to use the processed data again for another study in the future, this is allowed when the research takes place within the same field of research.
A data breach means that personal data has been lost or an unauthorized person (possibly) has access to the personal data. For example, the loss of a laptop or USB stick, an e-mail sent to the wrong person or authorisations that have not been properly arranged. Report (suspected) data leaks via email@example.com.
Data Management Plan
The Data Management Plan includes a number of AVG assessment criteria. These "checks" are used to determine whether additional steps need to be taken. Such as, for example, carrying out a Data Protection Impact Assessment (a risk analysis). Ask your data steward for the latest version of the Data Management Plan template. For more information click here.