Date of last review: 2023-01-27
On this page you can find Frequently Asked Questions (FAQs) about handling personal data in research. Click a question to read its answer.
When should I be dealing with privacy in my project?
- as soon as you are processing personal data. Processing means anything you do with personal data, e.g., collecting, analysing, sharing, storing, etc. The definition of personal data is explained in the chapter “What are personal data?”.
- during the earliest stages of your project. This principle is called “privacy by design”. It is easier and more effective to address any privacy issues at the design phase of your project rather than having to change your plans later on due to privacy concerns.
When are data truly anonymous?
What should I consider when handling personal data?
My data were collected prior to the GDPR, what rules do I need to follow?
My data were collected outside of the EU, does the GDPR apply to them?
How sensitive are my data?
Who is responsible for correctly handling personal data?
What does the procedure look like for researchers at Utrecht University?
How long will the planning process of my research take?
- writing a Data Management Plan and having it reviewed (a few days)
- filling out the privacy scan and consulting with the privacy officer (a few days). If a DPIA needs to be conducted, this will take more time because the Data Protection Officer also needs to be consulted.
- creating information for data subjects and potentially a consent form.
- going through ethical review: it can take up to 1 month before a first decision is taken by some faculty review boards, or longer for the Medical-Ethical Review Board.
- in some projects, setting up an agreement.
Doesn’t the ethical committee also look at privacy?
When is parental consent needed?
Can consent be digital?
Where can I find a template consent form?
How to balance being complete vs. being intelligible in the information to participants?
Where, how and for how long should I store my consent forms?
A participant wants to withdraw their consent. Can I continue to use their data afterwards?
Additionally, if you cannot find the participant’s data in your dataset because the data have been de-identified too far, then you are exempt from removing them, unless participants can provide you with information to enable their re-identification.
What if I cannot formulate a specific research question in advance?
I will move to another institution, can I take my research data that contains personal data with me?
When do I have to perform a Data Protection Impact Assessment?
Do I need an agreement?
What is the difference between a Data Transfer Agreement and a Data Processing Agreement?
Am I a processor as employee of my university?
Where should I store physical personal data?
Where to store participants’ contact information?
I am using hardware to collect personal data. What should I take into account?
I want to combine data from multiple sources. How can I do so securely?
How to generate suitable pseudonyms?
How to pseudonymise qualitative data?
I am analysing my data in a git repository to ensure reproducibility. How can I make sure I do not accidentally push the data to GitHub?
Please note that if the data were tracked by git before, adding a line to your .gitignore will not prevent the data from being tracked. In this case, it is best to create a new git repository where you add a .gitignore file from the start, and delete all old versions from GitHub if there were any. If you delete the data, add the line to the .gitignore file, and then re-add the dataset, the tracking history from before the .gitignore will still exist and be pushed to GitHub.
Sidenote: it is possible to override the .gitignore file by force. This will likely not happen accidentally, but it is important to realise that the .gitignore file is not ironclad. You can read more on .gitignore here.
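The behaviour described above can be checked in throwaway repositories. The script below is an added example, not part of the original page; it assumes git is installed, and the file name `data/participants.csv`, its contents and the helper function names are constructed for illustration.

```bash
#!/bin/sh
# Constructed demo in throwaway repositories; file names and contents are made up.
DATA=data/participants.csv

# git with a fixed demo identity, so commits work on machines without git config.
g() { git -c user.name=demo -c user.email=demo@example.invalid -c commit.gpgsign=false "$@"; }

# 0 if the path is in the index, i.e. git still versions it.
is_tracked() { git -C "$1" ls-files --error-unmatch -- "$2" >/dev/null 2>&1; }

# 0 if any commit on any ref changed the path, i.e. a push would upload it.
in_history() { [ -n "$(git -C "$1" log --all --format=%H -- "$2" 2>/dev/null)" ]; }

# 0 if the ignore rules match the path (--no-index: also answer for tracked files).
is_ignored() { git -C "$1" check-ignore -q --no-index -- "$2"; }

# Repository where the data was committed BEFORE .gitignore existed. Prints its path.
make_late_ignore_repo() {
    repo=$(mktemp -d) || return 1
    g -c init.defaultBranch=main init -q "$repo"
    mkdir -p "$repo/data"
    printf 'id,name\n1,Constructed Person\n' > "$repo/$DATA"
    g -C "$repo" add "$DATA" && g -C "$repo" commit -q -m "add analysis data"
    printf 'data/\n' > "$repo/.gitignore"
    g -C "$repo" add .gitignore && g -C "$repo" commit -q -m "ignore data"
    printf '%s\n' "$repo"
}

# Stop tracking the file but keep it on disk; earlier commits are left untouched.
untrack() { g -C "$1" rm -q --cached -- "$2" && g -C "$1" commit -q -m "untrack data"; }

# Repository where .gitignore is present from the first commit. Prints its path.
make_fresh_repo() {
    repo=$(mktemp -d) || return 1
    g -c init.defaultBranch=main init -q "$repo"
    printf 'data/\n' > "$repo/.gitignore"
    mkdir -p "$repo/data"
    printf 'id,name\n1,Constructed Person\n' > "$repo/$DATA"
    g -C "$repo" add . && g -C "$repo" commit -q -m "initial commit"
    printf '%s\n' "$repo"
}
```

In the first repository the file matches the ignore rule yet stays tracked, and after `untrack` it is still found by `in_history`; only the fresh repository has neither.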