
Legal aspects: Privacy / GDPR

The why and wherefore of privacy

Privacy is a fundamental right of every individual and is about respecting everyone's personal privacy. One person experiences privacy differently from another (and that is fine). For organizations (such as Zuyd) it is important that personal data is handled correctly. This is not only a legal obligation, but reflects responsibility, integrity and ethics.

Zuyd attaches great importance to the protection and correct processing of personal data belonging to its students, employees and third parties. Misuse of personal data can cause damage. Think of stigmatization, exclusion, (identity) fraud, spam, phishing, financial fraud and image damage to those involved. But Zuyd can also suffer damage as a result of careless handling of personal data, such as reputational damage, fines, restoration and investigation costs, legal damages and system adaptation costs.

It is therefore important that, before you begin, you carefully consider how you intend to handle personal data. The binding framework for this is (among others) the General Data Protection Regulation (GDPR) and Zuyd's own policy and regulations.

Zuyd's policy on processing personal data (document has yet to be translated into English)

Zuyd regulations for processing personal data (document has yet to be translated into English)

Declaration (to be signed by each Zuyd student/lecturer/researcher):


The current digital age requires more protection; digital data traces are increasingly turning us into an open book. For this reason, the General Data Protection Regulation (GDPR) came into force on 25 May 2018. The GDPR replaces the Personal Data Protection Act (Wbp). The same privacy legislation now applies throughout the European Union. The Dutch name is Algemene Verordening Gegevensbescherming (AVG).

No time or don't want to delve into the whole GDPR? Then read the 10 Zuyd privacy principles. These principles reflect the most important elements of the GDPR in 10 sentences.

Also read the tips on privacy proof working and studying.

The GDPR has important consequences for research. SURF has developed an online module with which you can learn what changes and opportunities the introduction of the GDPR will have for your research.

Learn the basics of the GDPR in 45 minutes.

Data breach? >> report internally!!

A data breach is a breach of personal data security in which personal data is accessed, destroyed, altered or released without this being intended.

If something goes wrong during or after your research, like:

  • loss or theft of laptop, USB stick, external data drive;
  • stolen data;
  • disclosure of data to unauthorized persons;
  • lost data without backup;
  • malware / hacking of your account;
  • wrongly addressed mail or letter containing personal information;

you are obliged to report this (possible) data breach as soon as possible!
Zuyd is legally obliged to report a data breach to the Dutch Data Protection Authority within 72 hours.

Do you think you're dealing with a data breach?
If so, please report this to the Zuyd ICT Service Desk as soon as possible:
Outside office hours:
(Zuyd CSIRT coordinates security incidents within Zuyd)


Re-use of health data for scientific research

Privacy and research

When conducting research, you may have to deal with personal data of participants in the research project, for example by means of a questionnaire or observation. The GDPR applies when directly or indirectly identifiable personal data are processed for scientific research. The GDPR does not apply to anonymous data.

In addition to the GDPR, other (privacy) laws and regulations may apply to your research. For example the Medical Treatment Contracts Act (WGBO), the Medical Research Involving Human Subjects Act (WMO), or the Netherlands Code of Conduct for Research Integrity.

Secure sending of (privacy-sensitive) research data

Do you want to send the research data? You can do this securely via SURF file sender (also suitable for larger files).

The use of facilities such as Dropbox, WeTransfer, hotmail/gmail addresses, etc., is strongly discouraged. These services are not always open and clear about the documents they collect/send and how they deal with them. In the context of the GDPR, you need to know that your documents are secure.

Use of online questionnaires

Use questionnaires that are AVG proof, such as Enalyzer or Questback.
Use of SurveyMonkey is not recommended; this tool is not AVG compliant.

Video calling

If it is not possible to record interviews live, you can use video calling, provided that the program used is AVG proof and complies with the ISO-27001 standard. Programs meeting the standards are:
- Microsoft Teams
- Zoom (only the paid version!)
- Bluejeans
- Jitsi (free)

The use of programs such as Skype, Facetime, Whatsapp and Hangouts is therefore strongly discouraged.

How to protect/treat privacy-sensitive data?

1. Anonymizing

After anonymization, it is no longer possible to trace data back to individuals; it is an irreversible process.
The GDPR does NOT apply to fully anonymized data!

2. Pseudonymizing

Identifying data is replaced, using a particular algorithm, by encrypted data (the pseudonym). With the right key or additional data, the (personal) data can be decrypted and made readable, making it possible to trace it back to individuals. The process is therefore (potentially) reversible.
The GDPR DOES apply to pseudonymized data!

3. Processing agreement

Any organization that processes personal data must comply with privacy legislation. If you wish to outsource all or part of this processing to a third party, a processing agreement must be concluded. This ensures that the third party also handles the personal data carefully and complies with the agreements you have made with the parties involved.
Examples: a payroll office that pays salaries, or an accounting firm that does the financial administration for third parties. But also if you store data in the cloud, you outsource the processing to a third party: the cloud provider.
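
An added illustration of item 2 (pseudonymizing), not Zuyd's own tooling: identifying fields are replaced by a keyed-hash pseudonym (HMAC-SHA256, used here in place of the encryption the text mentions), and a separate key table serves as the "additional data" that allows tracing back to individuals. The field names, sample rows and function names are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Constructed sample rows; names, e-mail addresses and scores are invented.
RESPONSES = [
    {"name": "A. Jansen", "email": "a.jansen@example.org", "score": 7},
    {"name": "B. de Vries", "email": "b.devries@example.org", "score": 4},
    {"name": "A. Jansen", "email": "a.jansen@example.org", "score": 8},
]

IDENTIFYING_FIELDS = ("name", "email")


def make_pseudonym(key: bytes, email: str) -> str:
    """Keyed hash of the normalised identifier; not computable without the key."""
    digest = hmac.new(key, email.strip().lower().encode("utf-8"), hashlib.sha256)
    return "P-" + digest.hexdigest()[:16]


def pseudonymize(rows, key):
    """Return (research_rows, key_table).

    research_rows carry only the pseudonym and the non-identifying fields.
    key_table maps pseudonym -> original identifying fields and must be
    stored separately from the research data, with restricted access.
    """
    research_rows, key_table = [], {}
    for row in rows:
        pid = make_pseudonym(key, row["email"])
        key_table[pid] = {f: row[f] for f in IDENTIFYING_FIELDS}
        kept = {k: v for k, v in row.items() if k not in IDENTIFYING_FIELDS}
        research_rows.append({"pid": pid, **kept})
    return research_rows, key_table


def reidentify(research_row, key_table):
    """Trace a research row back to a person; only possible with the key table."""
    return key_table[research_row["pid"]]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # secret; keep apart from the data set
    data, table = pseudonymize(RESPONSES, key)
    for row in data:
        print(row)
    print(reidentify(data[0], table))
```

Because the key table makes the step reversible, the output remains personal data under the GDPR. The key and key table belong in a different, access-restricted location from the research rows.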

Questions and sources of information

Within Zuyd

  • Consult Zuydnet
  • Or contact the personal data processing officer of your own department or academy.
  • You can't work it out together? Then contact the Data Protection Officer:

External resources

What should you do during the different phases of your research project?

1. Planning phase

a) Inventory for processing activities register
Before the start of the research project, carry out an inventory of your project together with the personal data processing officer of your academy or department for the purpose of the register of processing activities. This inventory is both a legal obligation and mandatory Zuyd policy.

b) Privacy Impact Assessment
If there are likely to be high privacy risks associated with your project, you will need to carry out a Privacy Impact Assessment (PIA) in addition to the inventory. This is a tool to record the privacy risks of data processing in advance, and then to be able to take measures to reduce the risks. Think, for example, of processing large quantities of health data or working with new technologies.

c) Data management plan
Transparency about process and responsibilities is the starting point of the GDPR. This can be well documented in your data management plan. Describe clearly how you guarantee privacy, but also how you take the right technical and organizational measures every step of the research process. It is important to have a good registration of data collection and a transparent description of roles and responsibilities across the entire chain of processing personal data in your research.
More information about a data management plan in this LibGuide.

d) Zuyd privacy principles
Please observe the previously mentioned 10 Zuyd privacy principles and tips for privacy proof working.

2. Research phase

While collecting, structuring and analyzing your data, think carefully about the basis of your collection, about how and what you inform those involved, where you store the data and how you secure the data.
[see also: tab Ethics and LibGuide Zuyd infrastructure data storage]
Personal data must always be processed on a legal basis: there is usually a public task (necessary to teach), a legal obligation (Higher Education and Research Act (WHW)), an agreement (employment or traineeship agreement) or a legitimate interest. In some cases, consent is also a basis.

Do you cooperate with a research partner or agency? If so, you may need to enter into a processing agreement with that party in advance.

3. Usage phase

Make sure that you do not publish/report/archive the research results on an individual level. If you do, you will always need permission from those involved.

Do you no longer need the personal data (e.g. communication files)? Remove them as soon as they are no longer necessary.

The legal retention period of the (raw) data is at least 10 years, but can also be determined by the code of conduct applicable to the research (Medical Research Involving Human Subjects Act (WMO), Medical Treatment Contracts Act (WGBO), Netherlands Code of Conduct for Research Integrity). Research data from MREC-tested research, for example, should be stored for at least 15 years.