2.1. Where to start when personal data are to be processed in research?

CHECKLIST ON USING PERSONAL DATA IN RESEARCH

1. What is the purpose of the research study?

The purpose must be formulated as precisely and specifically as possible. In the most general terms, the purpose should provide people with information about what is being researched or what the study intends to achieve (see 2.12).

2. Do I need to process personal data?

If it is possible to achieve the purpose of the research study without processing personal data, that option should be preferred. It is useful for several reasons: it reduces the resource costs associated with the collection and proper management of personal data, spares those involved in the survey, reduces the risks arising from the misuse or insecure management of personal data and, in turn, avoids harm to people’s privacy arising from these risks. If the conditions are equal, a solution that requires less processing of personal data should be chosen – this is in line with the minimisation principle (see 1.5.4).

3. What personal data need processing?

One should only collect data necessary to achieve the purpose, i.e. no data should be collected just in case. Personal data required for the research should be documented together with the purpose for which they are used – this helps create a better overview and thereby better assess whether all data are strictly necessary.

The personal data used in a study should be presented by type or category. This information can be used in the data management plan and the overview of processing personal data in research projects.

4. Do I process special categories of personal data?

In the planning stage, it must be clarified whether the data to be collected include special categories of personal data (see 1.3.1). If you plan to process special categories of data, it is necessary to request approval for that from the appropriate ethics committee. (see 2.2.4, 2.8.5 and 2.11).

5. Who are the data subjects of a research study?

An overview of the data subjects should be presented by type or category. In the absence of a general classification of people, the same terms as used for sampling, for example, “50–60-year-olds”, “basic school pupils”, or “minors”, should be preferred. If there is no need to distinguish between data subjects based on specific characteristics, you may use generic terms such as “individuals involved in the study” or “respondents” (see 2.10, 2.15 and 2.16).

6. What is the method of data collection?

The main question is whether data are collected directly from individuals or whether data collected previously for other purposes, or secondary data, are used. For secondary data, it is necessary to determine where the data originate from, what agreements have been made with data holders and how the secure transfer of data to investigators is ensured (see 2.8).

Irrespective of the data collection method, people must be informed of processing their data (see 2.8.2).

7. What is the legal basis for data processing?

One of the legal bases provided in the GDPR (see 1.6) must be present to ensure that the processing of personal data is lawful. Different stages of a research project may have different legal bases, but you cannot choose more than one in the same phase. In most cases, the question is whether the processing of personal data is carried out with the person’s consent (see 2.3) or on another legal basis (see 2.4).

8. Where and how are the data stored?

It is necessary to think about where and how the data is stored, who has access to them and under what conditions. For example, it is necessary to decide whether the data are stored on a university server, staff members’ computers, a cloud service, etc., and whether the environment is located in the European Union or a third country. If archiving of data is planned, one should decide in good time how and where the data will be stored (see 2.2 and 3.1).

9. How long are personal data stored?

It must be agreed beforehand in which form and for how long the personal data used in the research will be stored. There is an exception for scientific data, allowing to keep them beyond the original deadline, but not indefinitely. It is common practice to store data for 5–10 years after the end of a project or research study so that it would be possible to verify the results (see 4.1).

Backing up and long-term storage of data is closely connected with the management of research data. For further information, read the materials published by the University of Tartu Library, Research data management and publishing and Data management plan.

10. What security measures are planned?

Security measures can be technical or organisational. Technical security measures concern data processing equipment and environments. Organisational security measures primarily include work procedures, physical access restrictions (access cards), locking of premises and equipment, data management plans or registration of processing of personal data. Also, encryption, pseudonymisation and anonymisation (see 3.1, 3.3 and 3.4) can be considered security measures.

11. Who are the recipients of personal data?

All recipients of personal data, i.e. the persons to whom personal data are transferred, should be indicated. They may be institutions or individuals involved in the project or external ones (see 4.3).

12. Are personal data transferred to third countries?

Transferring personal data outside the European Union involves the obligation to ensure that the country of destination provides adequate personal data protection. The data management plan and data protection policy should also describe the composition and format of the data to be transferred to third countries (see 3.2).