FSS Starting a new project: Ethics, Data Management and Privacy
When working with data from human respondents it is important to consider matters around ethics, data management and privacy before collecting (or analysing) any data. So when starting a new project or study – or significantly updating or expanding and existing one – it’s good to check whether the following things are in order:
Ethics Review: the Research Ethics Review Committee provides a self-check that consists of a list of Yes/No questions that takes less than five minutes to complete. This scans for ethics issues, and advises on next steps. More information on Ethics Review can be found here.
Research Data Management (RDM): you will need to consider what you do with your research data before you collect it, because you need to tell your respondents what you’re doing with it. Read the FSS RDM Guidelines for an overview of all Research Data Management requirements. The faculty advises you to use Yoda for storing, archiving and/or publishing your research data. Other options are available, check out the tools overview and/or the storage finder to find out more.
Privacy: all data that can be linked in any way to living persons is considered personal data under GDPR. For most researchers this means:
- You must take appropriate technical and organization measures to secure data. For most data (including sensitive data, such as data on health, sexual preferences, political opinions etc.), Yoda and VU-managed devices offer sufficient protection. If you have sensitive data and want to use other storage solutions, it’s best to check in with the Faculty Data Steward or the RDM Support Desk to find what would work best for your needs.
- You should ensure that you have unambiguous informed consent of your research participants. Note that informed really means informed: you have to provide your participants with information about what you will do with the data, and what their rights are and how to excercise them. You can find templates for informing your particpants on the FSS Templates page.
- If you cannot obtain consent, you should contact the Faculty Data Steward to see how you can still legally work with your data.
- You must ensure that all data processing activities (collection, analysis, publishing, archiving, etc.) are entered in the VU’s central data processing registry. Currently, DMPs created using the VU template in DMP Online are linked automatically to this registry, meaning the researcher does not need to take additional action for this. If your DMP does not use the VU template (for example because your funder doesn’t accept it), there is a GDPR Registration Form on DMP Online that you should use to just enter the legally required information.
- If personal data is handled by third parties (e.g. a survey firm or data collection platform), you need to make sure the proper agreements are place to do this securely, for example Data Processing Agreements. The VU has these agreements in place for the use of VU-provided tools such as Yoda and Qualtrics. The Faculty Data Steward is there to help you with templates and getting legal advice for getting these agreements with other service providers and partners.
Data Management Plan (DMP): all data collection done at the faculty should be covered by a Data Managment Plan (DMP). So once you have given all of the above some thought, you should start writing one, or adapt an existing one, by going to DMP Online. DMPs are living documents: you are encouraged to change them if what you plan to do with the data changes.