There is some divergence between the principles of data protection and those of open science when it comes to storing personal data. The principles of minimisation and storage limitation imply that personal data should be processed for as short a period as possible and deleted or anonymised after the purposes for which they were collected have been fulfilled. However, it is in the interest of open science to ensure access to scientific data for as long as possible, at least as long as they are of value to researchers or society. Since it is also important for research to study historical events and trends, to compare past phenomena with those of today, or to understand processes more generally, there is no single time limit after which data lose their scientific value.
According to Article 5 (1) (e) of the GDPR, personal data may be kept in a personalised form beyond the purpose for which they were originally collected, provided that this is done solely for scientific research and that technical and organisational measures are taken to ensure the protection of individuals’ privacy. The GDPR, therefore, offers more flexibility in storing personal data relating to research. At the same time, the European Data Protection Supervisor stresses in his preliminary opinion on data protection and scientific research (p. 18) that this special regime cannot be applied in such a way that the essence of the right to data protection is emptied out. For example, the privileges related to research are abused if personal data are retained indefinitely (derogation to the storage limitation principle), and at the same time, individuals’ rights to their own information are limited (derogation to data subject rights). The research-related derogation can, therefore, only be invoked if the continued retention of personal data is legitimate, necessary and proportionate.
Therefore, the following conditions must be met to store personal data beyond the original purpose.
- For research purposes only: the derogation is granted for research purposes only and should not be used for the unlimited retention of personal data for other purposes which are of a private or commercial nature. A derogation is also made for archiving in the public interest and for statistics, which means that personal data of archival value or relevant for statistical purposes may also be kept for a longer period. It is not always easy to draw a clear dividing line between research, archiving and statistics, so that both derogations may cover research.
- Technical and organisational measures: longer retention requires the secure storage of personal data. While during research, data availability is important, during storage, availability becomes less important and more secure storage solutions may be considered. For example, access to personal data by members of the research group may be restricted.
- Data anonymisation should be considered. Anonymised data could be stored indefinitely and also shared in an open data repository. However, anonymisation for storage purposes should be agreed upon at an early stage, and this intention should be clearly stated in the data management plan and in the information provided to research participants. If anonymisation is not possible, personal data should be pseudonymised, but in this case, the GDPR applies.
- Only valuable data should be retained. Data should be stored in accordance with the principle of minimisation, i.e. only the most relevant data should be retained, where it is necessary and justified to keep them in a personalised form for a long time. Since the research-related derogation always requires a balancing of different interests and needs, it may be helpful to delimit the data to be retained within the dataset, either to those of high long-term scientific value or those necessary for the validation of results. The GDPR does not allow storing data ‘just in case’.
- Storage must be transparent and fair. Reliance on the derogation for the storage of personal data should be known already at the planning stage of the study. It would not be transparent and fair if only at the end of the study the research team decides to retain certain personal data for a longer period. The promises made to the data subject must also be respected: if the person is told that the data will be destroyed after the end of the study, it is not allowed to retain them. A difficult situation arises when, in the course of the research, it turns out that the data collected are much more valuable than expected, but the plan was to destroy all the data. Further use of personal data in new research and longer retention is possible under the GDPR, but the change to the original decision must be fair and transparent for the people.
- Wherever possible, the storage of personal data should be considered as a separate purpose. An appropriate legal basis for the new purpose must be found in this case.
4.1. In what form may personal data be disclosed?
Disclosure is defined as making personal data accessible to an unrestricted number of people, either on a public website, in a public database or elsewhere. Disclosure is only possible if the confidentiality of the data does not need to be guaranteed. As the security principle generally requires that the confidentiality of personal data must also be protected, derogation concerning the publication of personal data is possible in the case of research.
Disclosure does not concern situations where the person requests a copy of their data or where data are shared between research institutions.