How will the GDPR affect your work as a researcher?
This online module constitutes the abridged version of the standard online module 'Privacy in Research'. The standard online module can be accessed from this link. If you have any questions about this course, please contact us at: info@cybersaveyourself.nl.
Purpose and overview
From 25 May 2018, the General Data Protection Regulation (GDPR) applies. This means that from this date the same privacy legislation applies in the entire European Union. The Dutch Data Protection Act (Wbp) will no longer apply from this date.
What will change?
The GDPR will, among other things:
strengthen and expand privacy rights;
expand the scope of responsibilities for organisations;
provide the same robust powers for all European privacy regulators, such as the power to impose fines of up to € 20 million.
The GDPR also has significant consequences for the work of researchers. This abridged online module tells you about the changes in about 20 minutes.
Purpose
The purpose of this module is threefold:
to learn how to work safely as a researcher;
to become familiar with the steps you can take to comply with the GDPR;
to know where you can get more training or information if you want to learn more.
Target audience
This module has been developed for researchers who are associated with a university or a university of applied sciences.
Summary
In this abridged module, you will learn what you can do as a researcher to increase the privacy of data subjects involved in a study and how to do that. More detailed information about the topics covered here can be found in the standard online module 'Privacy in Research'.
Duration
The entire module takes about 20 minutes to complete.
1: What should you do?
Five points
What are the most important issues you need to remember concerning privacy in research?
The GDPR applies to personal data. Therefore, the first question to ask is always: do you process personal data in the study? If this is not the case, then the GDPR does not apply. If you do process personal data, however, there are five points you need to remember to ensure maximum protection of such data in your study.
WORK SAFELY
There are various (often simple) measures you can take to maximise the privacy of data subjects involved in your research. An overview of these measures is available on the 'Quick wins' page.
LEGAL BASIS
A legal basis, such as consent or a legitimate interest, must exist in order for personal data to be processed in a study. You can view the six possible legal bases in this figure.
PRIVACY BY DESIGN & PRIVACY BY DEFAULT
Build maximum privacy and data protection safeguards into your research plan from the earliest stages of development. This is referred to as 'Privacy by design'. And where possible, set all default settings to the most privacy-friendly option. This is referred to as 'Privacy by default'.
COMPLY WITH THE PRIVACY PRINCIPLES
Comply with the six privacy principles, such as 'data minimisation' and 'transparency', when processing personal data before, during and after the study. You can view the six privacy principles in this figure.
GENERAL DATA PROTECTION REGULATION (GDPR)
If you want to know exactly what technical and organisational measures you need to take to ensure the proper handling of personal data in a study, conduct a DPIA together with an internal privacy expert. A DPIA is a questionnaire that quickly maps out all possible privacy risks in a research plan. We will cover this in more detail on the 'DPIA' page.
Would you like more information?
If you would like to learn more about the GDPR, we recommend you visit hulpbijprivacy.nl. This is the website of the Dutch Data Protection Authority and it provides clear and accurate general information about the GDPR.
2: How do you do it?
Working safely
What useful actions can you take right away to increase privacy during your research?
There are a number of general quick wins for you as a researcher; simple adjustments to your working method that ensure a great deal of added security. Below, you will find six relatively simple actions that significantly reduce the risk of data breaches. We advise every researcher to implement them where possible.
Privacy filter: a special type of foil that can be used on any laptop or desktop screen. It reduces the viewing angle, safeguarding data from prying eyes, which is especially useful if you travel extensively for work. Search for 'privacy filter laptop' to find a suitable type.
Webcam cover: prevents unauthorised viewing through your webcam. A webcam cover is a 'small lock' that is easy to install and can cover the webcam completely, if desired, making unauthorised viewing a thing of the past. Search for 'webcam cover' to find a suitable type.
Encryption of the hard drive: encryption protects the data on the drive from unauthorised access. Without it, the drive can easily be removed from your laptop and read effortlessly on another PC. BitLocker Drive Encryption is a good option for Windows, and FileVault will get the job done on Macs.
Terms of service (ToS) reader: many online services have included provisions in their ToS as to what they can do with your data. There are add-ons available for your browser to facilitate assessment of these often lengthy ToS documents. These add-ons provide additional information about the risks you may encounter when using the service.
Anti-virus software: good anti-virus software and regular system updates are essential to prevent malicious attacks and unauthorised access to your computer or laptop. This software keeps your computer clean and secure.
Anti-tracking and anti-cookie software: web browser software that analyses cookies, provides information on what these cookies do, and blocks harmful cookies. This software also checks whether a party is 'tracking' you and collecting information about you, which it may pass on to third parties.
Privacy by Design
What does 'Privacy by Design' mean for your work as a researcher?
Privacy by Design: one of the key starting points for the proper handling of personal data. It means that not only do you clearly describe in your research plan how you will safeguard privacy, but also that you will take the appropriate technical and organisational measures for each step in the research process. Watch the video below before trying to complete the exercise:
Privacy by Design exercise
Every study is different, so the exact measures to be taken for each step in your research will differ as well. It mainly involves cultivating a mindset of focusing on privacy throughout the entire study.
Below, you will find a study divided into six steps. Try to discover the technical and organisational measures that you could take with every step.
Context
The specific organisational and technological measures you have to take in each step of your study depend on the context in which you perform the study. This involves such questions as:
Does the study involve collaboration among public or private parties?
Are multiple countries involved in the study and if so, which countries?
Is the study based on existing datasets or does it only create a new dataset?
Do the researchers use new technologies or very extensive datasets within the study?
To know which measures apply in your individual or collective situation, conduct a DPIA – i.e. a data protection impact assessment – prior to your study. We will cover this in greater detail on the next page.
A DPIA
What’s the use of a DPIA, how much time does it take and how do you conduct one?
How do you, as a researcher, know whether you have taken all possible measures to protect the personal data in your study? By using a Data Protection Impact Assessment (DPIA). The Dutch name of the DPIA is 'gegevensbeschermings-effectbeoordeling'.
A DPIA can best be compared to traffic lights. It contains a series of questions that show at which points in your study the light is green, orange or red in terms of handling personal data.
Why?
Within the GDPR, a DPIA serves as a risk assessment. It is a structured way of identifying risks with regard to the handling of personal data within a study. Answering all of the questions in the DPIA together with a privacy expert in your organisation will give you an overview of the potential risks, allowing you to take effective measures early on to save yourself a lot of time, and prevent the risk of data breaches, later on in your study.
How?
Always conduct a DPIA when you have outlined the study. Complete the questionnaire together with a privacy expert within the organisation. This usually takes sixty to ninety minutes. The questionnaire will result in a risk assessment that will usually constitute the basis for adjusting parts of your research plan. Another DPIA might need to be performed to check your adjusted research proposal for risks.
The framework of the process is as follows:
Example
As mentioned above, a DPIA is a questionnaire. If you would like to see the questions covered in a DPIA, view an example here. Note: the questionnaire used by your organisation may differ from this example. Contact your internal privacy expert for the DPIA used by your organisation.
3: Summary and practice
Summary
To summarise, examine the five key points concerning privacy in research.
Remember that you can carry out points 1 to 4 yourself.
You only need the assistance of an internal privacy expert for the DPIA.
WORK SAFELY
There are various (often simple) measures you can take to maximise the privacy of data subjects involved in your research. An overview of these measures is available on the 'Quick wins' page.
LEGAL BASIS
A legal basis, such as consent or a legitimate interest, must exist in order for personal data to be processed in a study. You can view the six possible legal bases in this figure.
PRIVACY BY DESIGN & PRIVACY BY DEFAULT
Build maximum privacy and data protection safeguards into your research plan from the earliest stages of development. This is referred to as 'Privacy by design'. And where possible, set all default settings to the most privacy-friendly option. This is referred to as 'Privacy by default'.
COMPLY WITH THE PRIVACY PRINCIPLES
Comply with the six privacy principles, such as 'data minimisation' and 'transparency', when processing personal data before, during and after the study. You can view the six privacy principles in this figure.
GENERAL DATA PROTECTION REGULATION (GDPR)
If you want to know exactly what technical and organisational measures you need to take to ensure the proper handling of personal data in a study, conduct a DPIA together with an internal privacy expert. A DPIA is a questionnaire that quickly maps out all possible privacy risks in a research plan. We will cover this in more detail on the 'DPIA' page.
Practice case
Time to practice! Determine how well you know what the GDPR says based on a case...
This case focuses on bullying among young people and possible interventions. Please take the time to read through all the information about the case before trying to answer the questions. In this way, you will find out how much you already know about handling personal data in this type of study.
Title of the study:
"Bullying among young people aged 12 - 18 years"
Purpose of the study
This study investigated the extent to which bullying among young people aged 12 - 18 occurs at school and which interventions can contribute to the reduction of bullying behaviour.
Structure of the study
This study was conducted at the sociology department of a single university.
This study was conducted in the Netherlands.
This study did not use existing datasets.
Implementation of the study
In this case, the researcher wanted to create a dataset using video recordings in the classroom and interviews with young people. The study included the following steps:
The researcher asks teachers in schools if they are interested in participating in the study and explains it.
The researcher uses forms to ask teachers/parents which students have permission to participate in the study.
Students who are not permitted to participate are given a red sticker, the other students receive a green sticker.
The researcher makes the recordings and keeps the ‘red stickers’ out of shot. The interviews are also conducted.
The researcher transports the data by public transport to the university for processing in the study.
The researcher publishes the study and archives the data. He shows parts of the video recordings at conferences.
This gives you a general impression of the structure and implementation of this study. Now, using the exercise below, check the extent of your current knowledge of handling personal data processing in this type of study:
Exercise: Bullying among young people
Which measures should the researcher take in this case to ensure that the personal data are properly processed? Take the test to find out how much you already know about the GDPR. Good luck!
SURF also offers e-learning courses about privacy for various other target groups. On this page you will find an overview of all Dutch and English modules in the series.
English e-learning modules:
Privacy in Research
target group: English speaking researchers in research and education in The Netherlands
duration: approx. 45 minutes
Privacy in Research Light
target group: English speaking researchers in research and education in The Netherlands
duration: approx. 20 minutes
Privacy in Education
target group: English speaking teachers in research and education in The Netherlands
duration: approx. 45 minutes
Dutch-language e-learning modules:
Privacy in Onderzoek
target group: researchers in research and education in the Netherlands
duration: approx. 45 minutes
Privacy in Onderzoek Light
target group: researchers in research and education in the Netherlands
duration: approx. 20 minutes
Privacy in Onderwijs
target group: teachers in research and education in the Netherlands
duration: approx. 45 minutes
The arrangement Privacy in Research Light was created with Wikiwijs by Kennisnet. Wikiwijs is the educational platform where you find, create and share learning materials.
This teaching material is published under the Creative Commons Attribution 4.0 International licence. This means that, provided you give attribution, you are free to:
share the work - copy, distribute and transmit it in any medium or file format
adapt the work - remix, transform and create derivative works
for any purpose, including commercial purposes.