Working with Personal Data
Below you will find specific information that is relevant for researchers that are working with personal data at the Faculty of Social and Behavioural Sciences. This information is supplement to the central information sources on Intranet that cover working with personal data, and the Data Privacy Handbook that is an additional resource on GDPR compliance in research.
Personal data
According to the General Data Protection Regulation (GDPR), personal data is ‘any information relating to an identified or identifiable natural person’. This applies to any information you collect during your research project.
However, the potential for re-identification must be feasible and legally permissible for data to be classified as personal data under GDPR. If identification requires an unreasonable effort or is legally prohibited, the data may not be considered personal. The context and means available to both the data holder and possible third parties receiving data, are crucial in determining the applicability of data protection laws. In practice, this means that when you receive a dataset that is pseudonymous and does not contain any identifiable information, it can be considered anonymous when you are unable to obtain the identities of the participants by reasonable and legal means.
- Read more about what constitutes personal data in the Privacy Handbook, and the distinction between anonymous and pseudonymous.
- Read more on the Breyer decision by the European Court of Justice (in Dutch).
Legal bases for processing
The General Data Protection Regulation (GDPR) states that it is necessary to have a clear legal basis for processing personal data that can be traced back to individuals. This plays a crucial role especially in the field of social scientific research. Consent from participants is often seen as a requirement for such processing. However, consent has its limitations—it is specific to a particular purpose, and can be withdrawn by the participant at any time, which can jeopardize the progress and validity of the research.
Therefore, researchers may use public interest as the primary legal basis for processing personal data within research activities at our faculty that are aimed to increase society’s knowledge. This applies to all research conducted by researchers and PhD students. This is based on the fact that scientific research is a task of the university assigned by law. Students will still need to rely on consent for processing personal data. Sometimes we conduct research that may not primarily benefit society, for instance on behalf of external clients or to improve our own educational processes. We may then use the legal basis of legitimate interest, but only after weighing the interests of the research project against participants’ rights.
Consent from participants does remain an essential element in research, mainly to involve them in the research in an ethically responsible manner, in accordance with the Declaration of Helsinki. For research involving special categories of personal data, such as data concerning ethnicity or sexual orientation, the need for explicit consent remains unchanged (see the section on acquiring consent).
For more information on the legal bases for research under the GDPR, and cases where exceptions may apply, see this article on legal bases in the knowledge base. In addition, take a look at the privacy statement for participants in scientific research.
Collecting special categories of personal information
Special categories of personal information receive additional protection under the GDPR, i.e. ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation (see the chapter on special types of personal data in the Data Privacy Handbookfor more information). When processing these types of data, you will need to ask for consent from your participants, even when you are using public interest as the legal basis for processing your data. The exception is when processing is serving a public interest, but asking for consent proves impossible or requires an unreasonable effort, and processing the data will not cause disproportionate harm to the participants. In practice this often means that you will need to ask for consent, or process this data anonymously. For instance, when you would like to use ethnicity to describe your sample, you can collect these variables in a separate questionnaire from the rest of your data without any personal identifiers.
Acquiring consent
You may ask participants for consent to process their personal data, or are sometimes required to do so when processing special categories of personal data. But apart from consent as a legal basis for processing, you will need to obtain informed consent from participants in accordance with the Declaration of Helsinki. Read more about drafting informed consent forms.
Asking for consent for participating in your project does not always need to be explicit. Passive consent may be permissible for non-invasive studies. This means you have informed your participants beforehand, and give them the opportunity to opt-out. As a guideline, the more invasive the nature of the study is, the greater the necessity of active rather than passive consent. This also applies to the consideration of whether the subjects’ legal representatives should be asked for their active/passive consent. With passive parental consent, it is of great importance that there is an adequate procedure to ensure that the information letter actually reaches the parents. You still need active consent for the processing of special categories of personal data.
When a participant withdraws consent
Participants have the right to withdraw their consent. It then matters whether they have given consent solely for participating in your project, or whether it also is the basis for processing their personal data.
- In your information letter or privacy statement, you will need to indicate that participants have the right to withdraw their consent for the processing of their personal data, and how they can do this. Also emphasize withdrawing their consent should not have any negative consequences for them.
- If a participant withdraws their previously given consent before or during the study, you must immediately erase any personal data that may have been collected. The participant is clearly indicating that they do not wish to participate in the study. On ethical grounds alone, the personal data must then be deleted.
- If someone withdraws their consent after the personal data has been collected, all processing activities (e.g., analyses) that you have conducted with that personal data up to that point remain legally valid. Until you have published your results, the withdrawal of consent must always be honored. You must then erase the personal data of the participant from the research database. If erasing this data makes your research impossible or seriously jeopardizes it, you may also anonymize the personal data.
- If consent only covers special categories of personal data, then the withdrawal also only covers those categories.
While it is technically permitted to anonymize the data after a participants withdraws consent, this might not be appropriate in the spirit of withdrawing consent for processing. Therefore, this is only advised if full removal endangers or compromises the research.
If personal data is processed based on public or legitimate interest, then withdrawing consent has no consequences for this. Participants are informed that if they wish identifiable research data to be deleted, they can object to the further processing of their personal data.
When a participants objects
Participants have the right to object when the processing of their data is based on legitimate or public interest. The GDPR states that participants have to show that their particular situation justifies a stop in processing, and that the request may be refused if the processing is considered necessary for public interest reasons. If full removal endangers or compromises the research, you may anonymize the data. Only when achieving the specific purposes of your project is threatened to become impossible or seriously hindered you can continue using personal data (when in doubt, contact the privacy officer).