Disclosure is defined as making personal data accessible to an unrestricted number of people, either on a public website, in a public database or elsewhere. Disclosure is only possible if the confidentiality of the data does not need to be guaranteed. As the security principle generally requires that the confidentiality of personal data must also be protected, derogation concerning the publication of personal data is possible in the case of research.
Disclosure does not concern situations where the person requests a copy of their data or where data are shared between research institutions.
4.2.1. Disclosure of personalised data
As disclosing personalised data is not usually necessary for research purposes, it should be considered as a separate purpose, which also needs an independent, unambiguous and clear legal basis. In the case of research, separate consent of the data subject is appropriate. If disclosure is not based on consent, the requirements of section 6 of the Personal Data Protection Act must be followed.
The disclosure of some personal data may also be necessary if the research has studied the creation of individuals, such as written or oral works (stories, biographies, media texts, etc.). In such cases, publication of the names of the authors of the texts and other works studied may be necessary and justified. The naming of authors and referring to them without their consent is permitted for the purposes of academic, artistic and literary expression (see section 5 of the Personal Data Protection Act).
4.2.2. Disclosure of pseudonymised data
As pseudonymised data are personal data, their disclosure must be based on a clear legal basis and be compatible with the purpose of the processing. Pseudonymisation only provides an additional safeguard against the identification of individuals but does not in itself give the right to disclose the data.
For example, quoting sentences from unpublished texts (e.g. transcripts of interviews) and referring to them with a pseudonym or a phrase that excludes personalisation (e.g. “...according to the doctoral student who participated in the interview...”) can be considered as a disclosure of pseudonymised data. However, when quoting public texts (e.g. social media comments), it should be noted that the authors may be easily identifiable.
The researcher must keep the promises made to the research participants. If the researcher has promised anonymity, it is forbidden to publish pseudonymised data. However, if the researcher promises that the names of the subjects and the data that allow for their personalisation will be kept confidential, pseudonymised data may be disclosed if this is necessary for the purposes of the research. For example, it would not be purposeful for a researcher to publish pseudonymised interview transcripts that they find interesting or strange on a personal social media channel – such processing goes beyond the bounds of research and goes against the expectations of the data subject.
Pseudonymised data can be published in their entirety if there is a legal basis for doing so, data protection principles are respected and anonymisation of the dataset is not possible. However, in such cases, the university is responsible for the consequences of disclosure.
4.2.3. Disclosure of anonymised data
The preferred option is to disclose and share anonymised data, as these are no longer personal data and, therefore, no additional restrictions apply to their use. The GDPR and the Open Data Directive (EU) 2019/1024 favour the availability and wide use of scientific data, and the easiest way to ensure this is to anonymise research containing personal data.