Welcome

Welcome to
'Privacy in Research'

How will the GDPR affect your work as a researcher?

This online module constitutes the abridged version of the standard online module ‘Privacy in Research'. The standard online module can be accessed from this link. If you have any questions about this course, please contact us at: info@cybersaveyourself.nl.

Purpose and overview

From 25 May 2018, the General Data Protection Regulation (GDPR) applies. This means that from this date the same privacy legislation applies in the entire European Union. The Dutch Data Protection Act (Wbp) will no longer apply from this date.

What will change?

The GDPR will, among other things:

strengthen and expand privacy rights;
expand the scope of responsibilities for organisations;
provide the same robust powers for all European privacy regulators, such as the power to impose fines of up to € 20 million.

The GDPR also has significant consequences for the work of researchers. This abridged online module tells you about the changes in about 20 minutes.

Purpose

The purpose of this module is threefold:

to learn how to work safely as researcher;
to become familiar with the steps you can take to comply with the GDPR;
to know where you can get more training or information if you want to learn more.

Target audience

This module has been developed for researchers who are associated with a university or a university of applied sciences.

Summary

In this abridged module, you will learn what you can do as a researcher to increase the privacy of data subjects involved in a study and how to do that. More detailed information about the topics covered here can be found in the standard online module 'Privacy in Research'.

Duration

The entire module takes about 20 minutes to complete.

1: What should you do?

Five points

What are the most important issues you need to remember  concerning privacy in research?

The GDPR applies to personal data. Therefore, the first question to ask is always: do you process personal data in the study? If this is not the case, then the GDPR does not apply. If you do process personal data, however, there are five points you need to remember to ensure maximum protection of such data in your study.

WORK SAFELY

There are various (often simple) measures you can take to maximise the privacy of data subjects involved in your research. An overview of these measures is available on the 'Quick wins' page.

LEGAL BASIS

A legal basis, such as consent or a legitimate interest, must exist in order for personal data to be processed in a study. You can view the six possible legal bases in this figure.

PRIVACY BY DESIGN & PRIVACY BY DEFAULT

Build maximum privacy and data protection safeguards into your research plan from the earliest stages of development. This is referred to as 'Privacy by design'. And where possible, set all default settings to the most privacy-friendly option. This is referred to as 'Privacy by default'.

COMPLY WITH THE PRIVACY PRINCIPLES

Comply with the six privacy principles, such as 'data minimisation' and 'transparency’, when processing personal data before, during and after the study. You can view the six privacy principles in this figure.

GENERAL DATA PROTECTION REGULATION (GDPR)

If you want to know exactly what technical and organisational measures you need to take to ensure the proper handling of personal data in a study, conduct a DPIA together with an internal privacy expert. A DPIA is a questionnaire that quickly maps out all possible privacy risks in a research plan. We will cover this in more detail on the 'DPIA' page.

Would you like more information?

If you would like to learn more about the GDPR, we recommend you visit hulpbijprivacy.nl. This is the website of the Dutch Data Protection Authority and it provides clear and accurate general information about the GDPR.

2: How do you do it?

Working safely

What useful actions can you take right away to increase privacy during your research?

There are a number of general quick wins for you as a researcher; simple adjustments to your working method that ensure a great deal of added security. Below, you will find six relatively simple actions that significantly reduce the risk of data breaches. We advise every researcher to implement them where possible.

Privacy filter: a special type of foil that can be used on any laptop or desktop screen. It reduces the viewing angle, safeguarding data from prying eyes, which is useful, especially if you travel extensively for work. Search for ‘privacy filter laptop’ to find a suitable type.

Webcam cover: prevents unauthorised viewing from your webcam. A webcam cover is a 'small lock’ that is easy to install and can cover the webcam completely, if desired, making unauthorised viewing a thing of the past. Search for ‘webcam cover’ to find a suitable type.

Encryption of the hard drive: encryption protects the data on the drive from unauthorised access, as the drive can be easily removed from your laptop and be effortlessly read by a PC. BitLocker Drive Encryption is a good option for Windows, and FileVault will get the job done on Macs.

Terms of service (ToS) reader: many online services have included provisions in their ToS as to what they can do with your data. There are add-ons available for your browser to facilitate assessment of these often lengthy ToS documents. These add-ons provide additional information about the risks you may encounter when using the service.

Anti virus software: good anti-virus software and regular system updates are essential to prevent malicious attacks and unauthorised access to your computer or laptop. This software keeps your computer clean and secure.

Anti tracking and anti cookie software: web browser software that analyses cookies and provides information on what these cookies do and blocks harmful cookies. This software also checks whether a party is ‘tracking’ and collecting information about you, which it may pass on to third parties.

Privacy by Design

What does 'Privacy by Design' mean for your work as a researcher?

Privacy by Design: one of the key starting points for the proper handling of personal data. It means that not only do you clearly describe in your research plan how you will safeguard privacy, but also that you will take the appropriate technical and organisational measures for each step in the research process. Watch the video below before trying to complete the exercise:

Privacy by Design exercise

Every study is different, so the exact measures to be taken for each step in your research will differ as well. It mainly involves cultivating a mindset of focusing on privacy throughout the entire study.

Below, you will find a study divided into six steps. Try to discover the technical and organisational measures that you could take with every step.

Context

The specific organisational and technological measures you have to take in each step of your study depend on the context in which you perform the study. This involves such questions as:

Does the study involve collaboration among public or private parties?
Are multiple countries involved in the study and if so, which countries?
Is the study based on existing datasets or does it only create a new dataset?
Do the researchers use new technologies or very extensive datasets within the study?

To know which measures apply in your individual or collective situation, conduct a DPIA – i.e. a data protection impact assessment – prior to your study. We will cover this in greater detail on the next page.

A DPIA

What’s the use of a DPIA, how much time does it take and how do you conduct one?

How do you, as a researcher, know whether you have taken all possible measures to protect the personal data in your study? By using a Data Protection Impact Assessment (DPIA). The Dutch name of the DPIA is 'gegevensbeschermings-effectbeoordeling'.

A DPIA can best be compared to traffic lights. It contains a series of questions that show at which points in your study the light is green, orange or red in terms of handling personal data.

Why?

Within the GDPR, a DPIA serves as a risk assessment. It is a structured way of identifying risks with regard to the handling of personal data within a study. Answering all of the questions in the DPIA together with a privacy expert in your organisation will give you an overview of the potential risks, allowing you to take effective measures early on to save yourself a lot of time, and prevent the risk of data breaches, later on in your study.

How?

Always conduct a DPIA when you have outlined the study. Complete the questionnaire together with a privacy expert within the organisation. This usually takes sixty to ninety minutes. The questionnaire will result in a risk assessment that will usually constitute the basis for adjusting parts of your research plan. Another DPIA might need to be performed to check your adjusted research proposal for risks.

The framework of the process is as follows:

Example

As mentioned above, a DPIA is a questionnaire. If you would like to see the questions covered in a DPIA, view an example here. Note: the questionnaire used by your organisation may differ from this example. Contact your internal privacy expert for the DPIA used by your organisation.

3: Summary and practice