Research projects that deal with privacy issues or otherwise sensitive data require additional measures to protect these data.
Protective measures may involve storage and access restrictions. Other measures render the data less sensitive by anonymising or encrypting the data. Especially in the phase of collecting data, careful attention should be paid to transportation and sending of data. The way data are shared with other researchers is also an important question. Cooperating partners should first of all agree on protective measures before they start to collect data.
Funders often require a detailed description of the data protection procedures. If the data management of the project is in accordance with applicable laws and regulations, the Data Protection Officer will provide a declaration accordingly.
The Data Protection Officer advises on the protection of research data in cooperation with Leiden University's security officer. When funders require a description of security procedures for certain research projects, the Data Protection Officer can validate the procedures. On request and when applicable, she can give out a declaration stating that measures match the university’s security policy.
Measures for the protection of personal data
Firstly, ask yourself which personal data are really necessary for your research, if any. Do not collect more than you really need. Take special care to guarantee the confidentiality of special personal data such as religion, health issues, or political orientation.
We recommend that you separate any data that can be linked to a person from the data you actually need for your research at the earliest possible stage of data collection. If this is not possible, be careful with transporting or uploading your data. Leiden University is working on an overview of trustworthy applications for sending or sharing data. Surfdrive may be an alternative for using GoogleDrive or Dropbox. The last two mentioned are not authorized for the management of personal data. USB devices or laptop can be protected with a password; data can also be encrypted.
Additionally, you can avoid issues of confidentiality by anonymisation
or pseudonyms. Audiovisual data are difficult to anonymise. For this type of data access restriction may be the only suitable solution.
Finally, personal data are best kept at a limited number of locations for storage and back-up, off-line. Confidential data should be destroyed at the end of a project within the period of time required by law (at this moment within six months after your research finishes). Simply removing a file may not always be sufficient to destroy the data entirely.
As of 1st January 2016 the Dutch Data Protection Act has been expanded with an article on data leakage. A data leak is considered to be a breach of technical and organisational measures to secure personal data against loss or against any form of unlawful processing by third parties, such as publication of passwords, theft of a laptop without password protection, or the loss of a USB stick with research data that have not been encrypted. In the case of a data leak, the ISSC must be notified immediately by telephone, 071-5278888, or by email, firstname.lastname@example.org
In case of doubt, you may contact the information manager of your unit.