Intro
Data Privacy Handbook
How to use this Handbook
What are you looking for?
License and Citation
Disclaimer
Contributions
Privacy FAQs
General questions
Procedures and responsibilities
Informed consent
Legal questions
Storing personal data
Sharing, publishing and reusing personal data
Practical questions
Students and student data
Finding support
Knowledge Base
The GDPR
Chapter summary
What is the GDPR?
Definitions in the GDPR
Principles in the GDPR
Legal bases for working with personal data
Legal bases suitable for research
Legal bases not suitable for reseach
Further processing for research purposes
Data Subjects’ Rights
What are personal data?
Definition of personal data
How to assess whether data contain personal data?
Special types of personal data
Special categories of personal data
Data that are otherwise sensitive
Designing your project
Privacy by Design strategies
Data-oriented strategies
Minimise
Separate
Abstract
Hide
Process-oriented strategies
Inform
Control
Enforce
Demonstrate
Risk Assessment
How to assess privacy risks?
What are high-risk operations?
Classifying personal data
Examples of privacy risks and how to mitigate them
Documents & Assessments
Information to data subjects
When to use a privacy notice?
Content and examples of privacy notices
Form of a privacy notice
Informed consent
Consent step-by-step
Requirements for valid consent
What forms of consent are valid?
Demonstrating (valid) consent
Broad consent in research
Examples and templates
Privacy scan
When to use a privacy scan?
Examples and templates
Data Protection Impact Assessment
The process of performing a DPIA
Examples and templates
Legitimate interest assessment
How to do a legitimate interest assessment?
Examples and templates
Data Transfer Impact Assessment
What is a third-country transfer?
Goal and content of a DTA
Examples and templates
Processing register
Agreements
How to set up an agreement?
Non-disclosure agreement
Data processing agreement
Data Transfer Agreement
Joint controllers agreement
Data Use Agreement
Standard Contractual Clauses for international transfers
Techniques & Tools
Research scenarios
Pseudonymisation & Anonymisation
Statistical privacy
Statistical disclosure control
K-anonymity and its descendents
Differential privacy
Secure computing
Other techniques
Encryption
Synthetic Data
Data donation
Tools & Services
Utrecht University tool finders
Tools to deidentify, synthetise and work safely with personal data
Requirements for a third-party tool
1. Who is processing the personal data: arrange an agreement
2. Security level
Storage, Sharing, Publication
Storing personal data
Chapter summary
Where should I store personal data?
Storage media at UU
How should I store personal data?
For how long should I store personal data?
Deleting personal data
Sharing data with collaborators
Sharing data for reuse
Sharing anonymised data
Sharing personal data with a legal basis
1. Be transparent
2. Make sure you have a legal basis
3. Protect the data while sharing
4. Make your data FAIR
Alternatives to sharing personal data
Publish metadata and documentation
Use other techniques and strategies to enable reuse
Use Cases
Data minimisation in a survey
Data pseudonymisation
Publishing metadata
Reusing education data for research
Resources
Seeking help at Utrecht University
Education
Online information
In-person support
Glossary
Resources
Visit the GitHub repository
Data Privacy Handbook
Examples of privacy risks and how to mitigate them