Privacy
Privacy is an important quality aspect of research. If you use information about people in research carried out by or on behalf of the HvA, and that information is directly or indirectly traceable to an individual, then you will have to deal with the European Privacy Act or the AVG (General Data Protection Regulation). Before you know it, you are processing personal data, and you will therefore have to deal with the AVG, even if the collection of personal data is not your goal. Data such as IP addresses and also pseudonymous data are personal data and therefore fall under the Privacy Act. Sometimes this seems difficult, but there are clear guidelines and the privacy officer helps and advises you.
What do you have to deal with?
Information traceable to an individual is called "personal information". Everything you do with this information; (collect, store, modify, share, reuse or destroy) is called "processing" or "a processing". You may only process personal information if you can rely on a "legal basis ". So that must first be established.
Before you may start processing, you must also demonstrate that you have taken appropriate measures to protect the privacy of those involved. To determine this, a risk analysis is performed, the so-called IB&P risk analysis. Privacy and security experts from the HvA assess whether the identified risks and the protective measures to be taken are in balance. This ensures that measures are not too light, but also not too heavy. With larger projects that are divided into several work packages, it is sometimes not clear at the start what will happen in the later work packages. Several risk analyses may then be needed. That is not a problem. Progressive insight is then a helping factor. Making risk analyses is also an iterative process. Allow for lead times of 1 to several months, especially when many different parties are involved, or when complex processing is involved. The agendas of the various experts, the privacy officer and of course yours, determine the pace at which progress can be made. For an IB&P and also for a subsequent DPIA an average of 2 to 3 rounds are necessary to achieve the required quality of processing, you must also demonstrate that you have taken appropriate measures to protect the privacy of those involved.
Risk mitigation measures are often technical in nature, such as specially secured systems, multifactor authentication, encryption (cipher), and pseudonymization. But non-technical measures are just as important. Think of data minimization, access restriction, fixed operating procedures (SOPs) and periodic checks of all these measures. Of course, all measures are only effective if everyone applies them. It is important to properly define responsibilities for control of the measures within a project.
Before you are allowed to start processing personal data, there must be clear information for data subjects about the processing of their data. The target group determines what this information will look like. If you work with children, make sure that there is understandable information available not only for the parents, but also for the children.
Once the above preparation is complete, the processing and its documentation are recorded in the HvA Register of Processing . This lists the processing of personal data carried out by all HvA faculties and departments. The register provides an overview of the risks, measures and agreements with any external parties involved for each processing operation. It also states who is responsible for the processing. The Data Protection Officer of the HvA uses the register for reports to the CVB and the Authority for the Protection of Personal Data (AP) can request inspection of the register. The HvA is obliged to comply with such a request by return.
The Privacy Act prohibits the processing of "Special Personal Data." This is necessary to ensure that basic human rights cannot be violated too easily. A violation of those rights can have unexpectedly far-reaching consequences for people. A special personal data is information about someone's:
- Racial or ethnic origin
- Political opinions
- Religion or philosophy of life
- Genetic or biometric data for the purpose of unique identification
- Health information
- Sexual orientation
- Criminal record
Nevertheless, it is possible to use special personal data, but only if, in addition to the basis, a valid exception exists in the law. There are 10 exceptions .
When processing special personal data, there are greater risks for the privacy of the data subjects and there will be more stringent requirements for risk mitigation measures. This is especially true when there are large numbers of data subjects or when people are in some way incapacitated or less able to exercise their will, such as minors, mentally handicapped persons, non-native speakers or people in an unequal position of power. If, with the measures to be taken, considerable risks still remain, a comprehensive risk analysis, or data protection impact assessment (DPIA), is mandatory. This is assessed by the Data Protection Officer (FG) and the Chief Information Security Officer (CISO) of the HvA.
The consequential damage of a privacy breach involving special personal data can be considerable, first and foremost of course for the data subjects themselves, but also for the researchers, the research group or the University of Applied Sciences. It may involve considerable financial damage, but usually the damage to image is experienced as many times worse.
Processing sometimes involves parties other than just the HvA. Think of other institutions, organisations or suppliers. Before personal data can be shared with these parties, it must be established by means of agreements that the other parties are bound by the same security requirements as those imposed by the HvA as the data controller. Large-scale collaborations often involve a consortium agreement, which serves as the basis for the more specific underlying agreements. Often here, in order to properly protect the HvA's rights, the advice of an HvA legal expert is required.Agreements: Processing sometimes involves parties other than just the HvA. Think of other institutions, organisations or suppliers. Before personal data can be shared with these parties, it must be laid down in agreements that the other parties are bound by the same security requirements as those imposed by the HvA as the data controller. Large-scale collaborations often involve a consortium agreement, which serves as the basis for the more specific underlying agreements. This is often where, in order to properly protect the rights of the HvA, the advice of an HvA legal expert is needed.
The faculty's privacy officer will work with you and provide advice when determining the appropriate basis, ensuring proper risk analysis, implementing appropriate security measures, maintaining the HvA register of processing operations, and involving any other experts. However, the privacy officer does not take over the responsibility for privacy compliancy from you.
The information in the Data Management Plan (DMP) is partly good input for the IB&P. The advice and measures from the IB&P risk analysis sometimes lead to adjustments in the DMP.
You will find more information under here.
Note: You may not start collecting data before the risk analysis has been completed and the risk reduction measures have been implemented. If you do, you are in violation of the Privacy Act.