You will often hear the term 'processing' when discussing personal data. This is an umbrella term which refers to anything you do to the data. This can include collecting data, reusing data, cleaning data, (long term) storage, sharing data, and even deleting data.
When processing personal data, we must first have a 'legal ground'. We touched briefly on this in the last section, but now we will learn what this means in practice. In research, the most common legal ground for processing personal data is 'informed consent'. It is a researcher's responsibility to appropriately inform their participants on what will happen to their data, what it will be used for, and how they can report issues or concerns relating to data privacy. This is typically done within 2-3 documents:
Informed consent:
This form clearly describes the data you will collect and for what purpose. It should include an outline of what is expected during participation. If you intend to make data available for reuse, this should also be addressed. The language and terminology used in the form should be comprehensible and tailored to the participant, considering the target audience's age, capability, and language skills. Consent should always be voluntary, and participants should always be allowed to cease their participation at any stage of the research.
Participant information letter:
This information letter outlines the purpose of the data being collected and provides additional context about the research project. It should be written in clear and accessible language so that participants can easily understand it. Participants must be given sufficient time to ask questions and express any concerns they may have. A copy of the information letter should be provided for participants to keep and refer to at any time during or after the study.
This statement should clearly outline all processing activities that will occur with the data, list all parties who can access the data, and inform participants on how to report concerns of data misuse/ data protection.
This statement should be available to participants both during and after the research project. If your project has a dedicated website, you can publish it here. Alternatively, you can upload it to the Open Science Framework (OSF) and generate a persistent identifier (PID) link for long-term access.
There are other legal grounds to process personal data within the GDPR. It is required for a member of the VU privacy team to evaluate whether they are suitable, so do not make this decision for yourself. If you think they may apply to your project, reach out to the faculty Privacy Champion.
Templates are available for all the documents listed above; contact either your supervisor or Data steward to access these.