Privacy and research

Since 25 May 2018, a new European privacy legislation has been in force: the General Data Protection Regulation (GDPR). Compared to previous legislation, it does not change the principles substantially, but makes a number of new emphases.

The 'Generic Code of Conduct for processing personal data and confidential information' that is in force at Ghent University already reflects the general principles that must also be applied to academic research.

The following guidelines inform Ghent University researchers about the impact of GDPR on their research.

Specific questions about the application of the privacy legislation can be directed to privacy@ugent.be.

General info about GDPR

The questions below outline the general framework and go through a number of basic concepts that are discussed in the GDPR.

• What is the General Data Protection Regulation (GDPR)?
• When does the GDPR apply to my research? 
• What are personal data? 
• Who are considered as vulnerable persons?
• What are the basic principles of the GDPR? 
• What has changed with the GDPR? 
• Why is it important to comply with the GDPR?

The research plan

The questions in this section must be addressed when you, as a researcher or supervisor, are developing the research plan.

By going through and answering a number of basic questions in this phase, you ensure that no unexpected problems arise at the start of your research. Omitting to do this could ultimately lead to the research not being able to be carried out due to incorrect processing of personal data as required by the GDPR.

• What should I keep in mind when designing my research? 
• How can I ensure that the processing of personal data is lawful? 
• What should I do in the event of further / secondary processing of personal data? 
• What are the different roles and responsibilities according to the GDPR? 
• What rights do data subjects have, how do I respect them and what exceptions may apply to research? 
• How do I register personal data processing activities? 
• What should I keep in mind when processing special categories of personal data?
• When am I processing high-risk personal data and when do I need to conduct a Data Protection Impact Assessment (DPIA)?
• What should I think about when processing personal data from minors?
• What should I think about when I collaborate with others or share my data?

During your research

• How am I transparent to data subjects in my research? 
• What information should I include in an informed consent form when the processing of personal data is based on the consent of the data subjects? 
• How can I protect my data correctly?
• How to pseudonomise data?
• What do I need to think about when transferring personal data to third countries or international organisations?
• What do I need to do if there is a data breach?
• What do I need to think about when using a mailing list in the context of my research?
• What do I need to think about when using (online) survey tools?

After your research

• How long can research data with personal data be stored? 
• Can I share research data with personal data with other researchers or institutions when my research project has ended?