
Before starting the research, it is necessary to find out what kind of personal data processing documentation is needed for the planned study. The relevant possible and required documents are listed below. In addition, it may be necessary to describe the personal data processing elsewhere, for example, in applications and reports submitted to funders.

2.1.1. Data management plan

A data management plan is a tool for describing the data and the work done with the data. The planning starts with the most general answers about where and how the data will be obtained, what types of data will be used and how they are related, what data formats will be used, how much data will be stored, what software will be used and where, how and for how long the data will be stored.

The data management plan helps describe data to make them findable, accessible, interoperable and reusable in the interests of open science (FAIR principle). Planning also makes it possible to identify, in good time, the potential problems, obligations and requirements associated with personal data processing. For example, it gives an overview of which part of the data is personal data, whether special categories of personal data are processed, whether data previously collected for other purposes are used, how data confidentiality and integrity are ensured, or with whom the data will be shared.

Although there is no general obligation at the university to draw up a data management plan for every study, systematic data management is becoming common practice. It may also be required by funders of the research, such as the providers of Horizon 2020, European Research Council and Estonian Research Council grants. As the data management plan provides a systematic overview of all the data to be collected and analysed, it is reasonable to compile it at the same time as writing the review of personal data processing and, if necessary, an application to the ethics committee.

See also:

  • University of Tartu Library’s guidelines on creating a data management plan
  • University of Tartu Library’s course on research data management
  • University of Tartu Library’s examples of data management plans
  • DMPonline tool

2.1.2. Data protection policy

All institutions that process personal data must publish their data protection conditions. It may also be necessary to draw up separate data protection conditions for more extensive research projects. For example, the university’s data protection policy provides general information, but data processing in the context of a large-scale research project should be described separately. In international research, this is usually done.

Consent-based surveys present many of the data protection conditions on the informed consent form. As the transparency principle requires that data processing information should always be available and easily accessible to individuals, the same information should also be published on the research project’s or the controller’s website (see 2.7).

Read more: 

  • Data Protection Inspectorate's general guidelines for data processors, annex 3 "Data protection checklist"
  • University of Tartu data protection policy

2.1.3. Overview of personal data processing

Each controller and processor is obliged to maintain records of the processing of personal data, according to Article 30 of GDPR[3]. Generally, making a separate overview for each study or project is not justified or necessary. However, the university may not actually know how exactly personal data are processed in a large-scale study or project. Also, the university may share the responsibility for personal data with numerous other research institutions. Therefore, it may be necessary to write an overview of the processing of personal data for a single research project, especially if it involves the processing of sensitive data or the use of higher-risk processing methods.

2.1.4. Ethics committee’s approval

Several Estonian legal acts task ethics committees with assessing whether a proposed research study complies with data protection requirements. The ethics committee’s approval is either mandatory or voluntary, depending on the research. In an approval request, the researchers must describe, among other things, what personal data are processed, on what legal basis, and how and for how long (see also 2.13).

2.1.5. Data protection impact assessment

If the research data processing poses a high risk to people’s rights and interests, a data protection impact assessment may be prepared to protect them. The data protection impact assessment is mandatory for the controller. The researcher should contact the data protection officer if they think an impact assessment might be necessary for the planned research.

In the case of collaborative projects, it should be explicitly agreed which partners are responsible for carrying out the impact assessment and how other partners are involved. In addition, it is worth bearing in mind that impact assessments are carried out in different ways in different EU countries. In the case of international projects, it would therefore be wise to discuss and agree beforehand on how and by whom the impact assessment should be carried out.

A data protection impact assessment is a specific obligation, which does not mean that other types of risk assessment are not necessary. Depending on the situation, a data security or ethical risk assessment may also be necessary (see also 2.14).

2.1.6. Informed consent

Consent is one of the possible legal bases for processing personal data in research. An informed consent sheet must contain the most relevant information on the processing of personal data. Sometimes it is necessary to make several versions of the same information sheet; for example, one for adults and one for children. It may also be necessary to translate the information into different languages.




[3] Instead of the term “recording of processing activities” used in Article 30 of GDPR, the terms “personal data processing overview” and “overview of personal data processing” are preferred in Estonia. These have also been used in this guide.

The informed consent form with a person’s consent is an official document that must be appropriately kept. A researcher may need to provide evidence of a data subject’s consent if, for example, the person contests the processing of their data. Also, the ethics committee or funders may request access to the informed consent form to assess its compliance.

The consent can be withdrawn, and such withdrawal must also be documented (see the following subchapter).
