You will often hear the term 'processing' when discussing personal data. This is an umbrella term which refers to anything you do to the the data. This can include collecting data, reusing data, cleaning data, (long term) storage, sharing data, and even deleting data.
When processing personal data, we must first have a 'legal ground'. We touched a little on this in the last section, but now we will learn what this means in practice. In research the most common legal ground for processing personal data is 'informed consent'. It is a researchers responsibility to appropriately inform their participants on what will happen to their data, what is will be used for and how they can report issues or concerns relating to data privacy. This is typically done within 2-3 documents:
Informed consent:
This form clearly describes the data you will collect and for what purpose. It should include an outline of what is expected during participation. If you intend to make data available for reuse, this should also be addressed. The language and terminology used in the form should be comprehensible and tailored to the participant considering the target audiences age, capability and language skills. Consent should always be voluntary and participants should always be allowed to cease their participation at any stage of the research.
Information letter:
This letter describes what the data is being collected for and gives additional insight into the research project. This should also be understandable and participants should have time to ask questions and raise any concerns they have. Participants should get a copy of the information letter to keep so they can refer back to at a later stage.
Privacy statement (sometimes not required):
This statement should clearly outline all processing activities that will occur with the data, who can access the data, and inform participants on how to report concerns of data misuse/ data protection.
There are other legal grounds to process personal data within the GDPR. It is required for a member of the VU privacy team to evaluate whether they are suitable. So, do not make this decision for yourself. If you think they may apply to your project, reach out to the faculty Privacy Champion.
Templates are available for all the documents listed above, contact either your supervisor or Data steward to access these.