The best way to protect your participant's privacy may be not to collect certain identifiable information at all. The second best is anonymisation which allows data to be shared whilst protecting participant’s personal information. Anonymisation should be considered in the context of the whole project and how it can be utilised alongside, informed consent and access controls. For example, if a participant consents to their data being shared then the use of anonymisation may not be required | CESSDA, 2017c
This section is dedicated to the protection of the privacy of persons who are the subject of scientific research. We will focus on (medical) ethical review and will zoom in on the General Data Protection Regulation (GDPR), which has been in force since May 2018. In particular, we look at anonymisation, pseudonymisation and consent as tools for the FAIR publication of privacy-sensitive research data.
Ethics and the law
In research involving human participants, researchers have a (moral) obligation to consider whether the interests of the participants - such as the right to privacy - are not compromised.
Research in the Netherlands that involves people for which the 'Wet medisch-wetenschappelijk onderzoek' applies (WMO, Overheid.nl, 1998), must be tested in advance by the 'Centrale Commissie Mensgebonden Onderzoek' (CCMO, n.d.a) or one of the other 19 recognised Medical Ethics Review Committees (CCMO, n.d.b.). Medical research is also covered by the General Data Protection Regulation (GDPR, European Union, 2016). Conversely, much of the research involving the collection of personal data is not covered by the WMO. Ethical review committees have been set up at many institutions to assess the ethical aspects of research projects of this kind, such as research into socio-cultural changes in society or research into people's behaviour. In all cases, it is useful to apply the 'test of ethics' to a research design. Think, for example, of the impact of new technological developments on everyday life. Where the law is about 'what is allowed', ethics is about 'what is good to do'.
One of the ways to look at data collection and processing with an ethical eye is with the Data Ethics Decision Aid (Utrecht Data School, 2017). DEDA is a tool for researchers to think about ethical dilemmas at an early stage. The tool offers this opportunity by asking a number of open questions that help to think about ethical issues in a constructive way. The DEDA tool does not provide a complete overview of relevant laws, nor does it provide advice. It is a tool for self-evaluation.
The GDPR in a nutshell
The GDPR stipulates that every researcher within the European Economic Area who collects and processes personal data of a citizen of a country, anywhere in the world, must protect the privacy of the research participants. The GDPR places the emphasis on transparency and clear and comprehensible information. In the slideshow below, a number of interesting facts about the GDPR is presented.
Click to open/close
CCMO (n.d.a.). Centrale Commissie Mensgebonden Onderzoek. https://www.ccmo.nl/
CCMO (n.d.a.).Centrale Commissie Mensgebonden Onderzoek. Erkende METC's. https://www.ccmo.nl/metcs/erkende-metcs
CESSDA (2017a). Data Management Expert Guide. Informed consent. https://www.cessda.eu/Training/Training-Resources/Library/Data-Management-Expert-Guide/5.-Protect/Informed-consent
CESSDA (2017b). Data Management Expert Guide. Processing personal data. https://www.cessda.eu/Training/Training-Resources/Library/Data-Management-Expert-Guide/5.-Protect/Processing-personal-data
CESSDA (2017c). Data Management Expert Guide. Anonymisation. https://www.cessda.eu/Training/Training-Resources/Library/Data-Management-Expert-Guide/5.-Protect/Anonymisation
CESSDA (2017d). Data Management Expert Guide. Informed Consent. https://www.cessda.eu/Training/Training-Resources/Library/Data-Management-Expert-Guide/5.-Protect/Informed-consent
DANS (n.d.a.). DANS Datatags Prototype 2. https://zingtree.com/host.php?tree_id=791812481
DANS (n.d.d.). Getuigenverhalen. http://getuigenverhalen.nl/
Delft University of Technology (2018). Template informed consent form. https://www.tudelft.nl/over-tu-delft/strategie/strategiedocumenten-tu-delft/integriteitsbeleid/human-research-ethics/template-informed-consent-form/
European Commission (2018). Ethics and data protection. https://ec.europa.eu/research/participants/data/ref/h2020/grants_manual/hi/ethics/h2020_hi_ethics-data-protection_en.pdf
European Commission (2019). Clinical Trials Regulation. https://ec.europa.eu/health/sites/health/files/files/eudralex/vol-10/regulation5362014_qa_en.pdf
European Union (2016). Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance). http://data.europa.eu/eli/reg/2016/679/2016-05-04
Future of Privacy Forum (2017). A visual guide to practical de-identifcation. https://fpf.org/wp-content/uploads/2017/06/FPF_Visual-Guide-to-Practical-Data-DeID.pdf
LCRDM (n.d.a). Informed Consent overeenkomst. https://www.edugroepen.nl/sites/RDM_platform/Juridisch/Informed%20Consent%20overeenkomst.aspx
LCRMD (n.d.b.) Handreikingen privacy. https://www.lcrdm.nl/handreikingen-privacy
Mons et al. (2017). Cloudy, increasingly FAIR; revisiting the FAIR Data guiding principles for the European Open Science Cloud. Information Services & Use, vol. 37, no. 1, pp. 49-56. https://doi.org/10.3233/ISU-170824
OpenAIRE (n.d.). Amnesia. https://amnesia.openaire.eu/
Privacy Analytics (2018). The five safes of risk-based anonymisation. http://privacy-analytics.com/files/5-SAFES-WHITE-PAPER_FINAL_ELECTRONIC.pdf
SURF e.a. (n.d.) Privacy designer. https://www.privacydesigner.nl
SURF, Erasmus University (2019). Privacy in research [Online course]. https://maken.wikiwijs.nl/125518/Privacy_in__Research
University of Twente (n.d.). Personal Data. Research Protocol [Poster]. https://www.utwente.nl/en/cyber-safety/privacy/poster-personal-data-v08-1.pdf
Utrecht Data School (2017). DEDA for Research.https://survey2.hum.uu.nl/index.php/778777?newtest=Y&lang=en
Utrecht University (n.d.). RDM Support. Informed consent for data sharing [Guide]. https://www.uu.nl/en/research/research-data-management/guides/informed-consent-for-data-sharing
University of Groningen (2019). Protecting Health Data in the Modern Age: Getting to Grips with the GDPR [Online course]. https://www.futurelearn.com/courses/protecting-health-data