FSBS Privacy & Data Management

FAQ

Frequently asked questions

If your question isn’t answered below, please contact the faculty’s privacy officer.

 

Personal identifiable data

Personal data is ‘any information relating to an identified or identifiable natural person’. This applies to any information you collect during your research project. However, when you receive a dataset that is pseudonymous and does not contain any identifiable information, it can be considered anonymous when you are unable to obtain the identities of the participants by reasonable and legal means.

Read more about what constitutes personal data.

Ethics

There is a mandatory ethical review procedure for all research involving human subjects, including usage of existing data sets. For researchers and PhD-students this is handled via PRIDE (Privacy Data management & Ethics). All thesis projects falling under bachelor, master and research master programmes must obtain ethics approval through UU-SER (Utrecht University Student Ethics Review).

Consent

There is consent for participating in your research, and consent for the processing of personal data. For participation this may sometimes be done on an opt-out basis, also called implicit or passive consent. Processing of personal data is often done on the basis of public interest, and consent is then only required when processing special categories of personal information. See our section on acquiring consent.

Consent for the processing of personal data always needs to be explicit, and is used for example when:

  • You are processing special categories of personal data.
  • You want to give participants more control over the processing of their data. For instance, when collecting sensitive data the participant is able to require removal of their data by withdrawing consent.

There is consent for the processing of personal data, and consent for participating in research.

When it comes to consent for participating in your study:

  • For children under 12: Consent is generally required from both parents unless this is impractical, in which case one parent’s signature is sufficient.
  • For children aged 12 to 18: Consent is required from the minor and, in principle, both parents unless this is impractical, in which case one parent’s signature is sufficient.
  • For individuals over 18: Only the individual’s consent is required.

For non-invasive research, the current guideline is to allow 16- and 17-year-olds to provide consent independently. If the participant is legally or mentally incapacitated, consent must be obtained from an authorized representative (guardian, curator). In some cases of non-invasive research (for instance anonymous, or trivial forms of data collection done with public interest as a legal basis) parental consent may be done passively as well – please contact the Ethics Review Board whether this is applicable.

When consent is the legal basis for processing, parental consent is required for children under 16. When data is processed with public interest as a legal basis, active consent is only required when special categories of personal data are processed.

We have parental consent forms and information letter templates available.

There are a number of different templates available, depending on the type of research and whether you are processing personal data.

Visit our page with consent forms and information letter templates.

When a participant withdraws consent it depends whether consent was given solely for participating, or if it also was a legal basis for processing. See our section on withdrawn consent for more information.

When personal data is processed with public interest as a legal basis, participants may object to processing of their data. See our section on objections for the consequences.

Participants have a number of different rights under the GDPR. However, not all rights apply when it comes to academic research. Provided that you have made the necessary arrangements to ensure that personal data cannot be used for any purpose other than academic research, the right of access by the data subject, the right to rectification, and the right to restriction of processing do not apply. The right to object to processing still applies.

See the page on research exceptions in privacy legislation for more information.

Agreements

When personal data is processed by another party on your behalf, you will need a processing agreement. A data transfer agreement is applicable for when you are transferring personal data to another party, and they will use the data at their own discretion. See our page on legal agreements for more information.

Contact the faculty privacy officer for the latest templates, and instructions on how to fill them in.

Your department manager may sign a processing agreement or data transfer agreement

Exchanging data

If the data includes personal identifying information, you can share it with another UU researcher. However, you must inform them of any usage restrictions specified in consent forms or information letters. For external researchers, a Data Transfer Agreement (DTA) is necessary when transferring personal data. This agreement allows you to specify that the data can only be used for a specific purpose and that the receiving party cannot further distribute the data. See our section on agreements for more information.

If the data includes personal identifying information, you can receive it from another UU researcher. However, you need to know whether there are any usage restrictions specified in informed consent or information letters. When receiving data from external researchers, the sending institute usually has a Data Transfer Agreement (DTA).

Reusing data

If a dataset contains personal data, reuse is not automatically permitted. It depends on the legal basis used to initially collect the data, and what participants were told would happen with the data.

See our page on data reuse for more information on reusing datasets and web scraping.

If a dataset contains personal data, you are not allowed to publish it openly on the internet. Even with anonymous data, publishing may be unethical when participants were initially promised confidentiality during the initial data collection.

Either publish the dataset via restricted access, or look into anonymization.

See our page on publishing data for more information.

Data management

FSBS has a data manager and a data steward available to assist you, and can be contacted via datamanagement-fsw@uu.nl. Most research funders use the DMPonline system. For more information, visit the RDM support page on DMPonline.

See our Research Data Storage and Archiving Protocol.

Participant contact information is deleted once the data collection of a research project is completed and the information is no longer needed. If consent is the legal basis for processing personal data, consent forms are retained as long as the data remains identifiable. See our page on the storing of contact details for more information.

Funding

The Research Support Office is there to assist researchers with funding requests and knowledge transfer. You can contact them via research.support.fsw@uu.nl.