Data Management and General Data Protection Regulation (GDPR) TiSEM 25-08-2020

What is a data management plan (DMP)?

• Formal document, drawn up at the start of the research project, but dynamic;

• Outlines what you will do with your data during and after your research;

• Describes how you are planning to keep your data safe for the present and the future.

The Tilburg University Research Data Office provides support.

Components of a DMP

• Administrative information;

• Description of roles and responsibilities;

• Description of the data;

• Handling (privacy) sensitive data;

• Data storage during and after the research;

• Metadata and documentation;

• Sharing and re-use (incl. ethical and legal issues).

Tips for writing a Data Management Plan

• Storage and back-up: See https://www.tilburguniversity.edu/intranet/research-support/management/data-storage;

• Access: Think about privacy sensitive data → access limited?

IRB Submission Part 2B: DMP

| Which phase of the research? | 1. Storage Location: Where are the data stored? | 2. Storage Format: Is the storage format in the list above? | 3. Access to Data: Can others than members of the research team access the data in this phase of the research? |
|---|---|---|---|
| A. Data Collection and Analysis | O TiU-a: <add information>; O Other: <add information> | O No, <add information>; O Yes | O No; O Yes, <add information> |
| B. Data Archiving (min. period: ten years) | O TiU-a: <add information>; O Other: <add information> | O No, <add information>; O Yes | O No; O Yes, <add information> |

IRB Submission Part 2B: DMP

B2. Metadata

What will be included in the metadata, and how will it be documented?

If you use a metadata standard, indicate which one.

→ What should be included:

1. Documentation = All information that is needed to enable reuse: administrative, descriptive, structural.

– E.g., methodology, analytical and procedural information, definitions of variables, units of measurement, reasons for missing values, etc.;

– How? E.g., README files, codebooks, text files, information included in data files or syntaxes.

2. Metadata = Machine-readable data documentation.

– Helps others identify and discover the data: explain, e.g., the purpose, creators, time, origin, location and access conditions of research data;

– Added when data are deposited in a repository;

– Metadata standard: For Dataverse: the Data Documentation Initiative (DDI): a widely used, international standard for describing data from the social, behavioral and economic sciences. E.g., title, author, description, subject, keywords, date of collection, etc.

IRB Submission Part 2B: DMP

B3. Sharing Data

Findable, Accessible, Interoperable and Reusable (FAIR):

• Findable: others can find your data (it is in a repository, with metadata and a persistent identifier);

• Accessible: others can access (part of) your data set, if issues such as privacy do not hinder this;

• Interoperable: people and machines can open the files and can combine this data set with other data sets through common (metadata) standards;

• Reusable: the above three, plus: others can understand the data and know how they can reuse it (e.g., the data is documented and licensed).

Data should be ‘open as possible, closed if necessary’.

B4. Storage of non-digital data: location, form, access

General Data Protection Regulation (GDPR) – Principles

LAWFULNESS

Tilburg University shall only process Personal Data if it is lawful.

PURPOSE LIMITATION

Tilburg University shall only process Personal Data if there is a legitimate purpose.

DATA MINIMIZATION

Tilburg University guarantees that Personal Data are relevant, adequate and not excessive in relation to the purpose(s) for which they were collected.

ACCURACY

Tilburg University guarantees on the basis of reasonableness that the Personal Data are accurate.

SECURITY

Tilburg University shall take appropriate technical and organizational measures against unauthorized and unlawful processing of Personal Data and against accidental loss, erasure or damage of Personal Data.

RIGHTS OF PARTICIPANTS

Tilburg University guarantees that action will be taken in line with the rights of the individual whose Personal Data TiU processes.

ACCOUNTABILITY

Tilburg University can demonstrate that it meets the above obligations.

Theme Policy Research

• The theme policy research provides researchers with insights on the effects of the GDPR on Scientific Research

• Document and website about the GDPR and Scientific Research

• Offers guidelines and concrete support

• Data representatives

• TiSEM: Pam Dupont

Personal Data (IRB part 2C: C1 and C2 )

Any information relating to an identified or identifiable natural person (‘data subject’);

[Diagram labels: Name; Online Identifier; Picture; Identification Number; Combination of data; Pseudonymization; Anonymization; Special personal data]

IRB submission form 2 C3 – legal ground

• Lawfulness of processing

Processing shall be lawful only if and to the extent that at least one of the following applies:

the data subject has given consent to the processing of his or her personal data for one or more specific purposes.

• Data sets: new, re-used (secondary use), public, web scraping

Implications of GDPR prior to starting the research

• Data can only be processed if there is a previously established goal

• Data minimization

IRB Submission form 2C (C3-C7)

• Data Agreements

• Programs and software: data processor agreements

Data Processing Register & DPIA (C9 & C10)

• Record of all personal data that is being processed at TiU, specified per study, internal process and other activities;

• Integrated form for research for Institutional review, Data Management and the Data Processing Register;

• Data Protection Impact Assessment (DPIA) – 2 out of 9 categories

Rights of Data Subjects

• Informed

• Access*

• Rectification*

• Erasure*

• Restriction*

• Data portability

• Object

• Automated Decision Making

* These can be restricted for scientific research

Implications while performing scientific research

• Collecting, analyzing and storing data

– Access has to be limited

– Safe storage

– Data leaks

• Sharing data with peers, translators, transcribers, etc.

– Through a secure medium;

– Outside of the university? A processor agreement might be required.

Recommended storage facilities

| | Solo research | Internal collaborations (within TiU) | External collaborations |
|---|---|---|---|
| Standard data | TiU Network drive | TiU Network drive | |
| | SURFdrive (up to 250 GB) | SURFdrive (up to 250 GB) | SURFdrive (up to 250 GB) |
| | TiU Google Drive (up to 30 GB) | TiU Google Drive (up to 30 GB) | TiU Google Drive (up to 30 GB) |
| | | SharePoint teamsite (up to 1 GB) | SharePoint teamsite* (up to 1 GB) |
| Confidential data | TiU Network drive (Protect your data) | TiU Network drive (Protect your data) | |
| | SURFdrive (up to 250 GB) (Protect your data) | SURFdrive (up to 250 GB) (Protect your data) | SURFdrive (up to 250 GB) (Protect your data) |
| Secret data | TiU Network drive (Protect your data) | TiU Network drive (Protect your data) | Contact Research Data Office |

* External researchers need a guest account. The access rights have to be renewed every year.

Why comply? Be a trustworthy and responsible researcher!

• Everybody has the right to correct and ethical use of their personal data

• Thinking about your data in an early phase saves time later; stimulates data documentation → helps you and others to understand your data in the future;

• Correct and ethical use of data can improve reliability of results and general trust in science

• Breach of regulations can lead to negative publicity, reputation damage and fines

• Requirement of the university and funders – scientific integrity includes responsible data management