Legislation

1. Permission of the person concerned.
2. The data processing is necessary for the execution of the agreement.
3. The data processing is necessary for compliance with a legal obligation.
4. The data processing is necessary for the protection of vital interests.
5. Data processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
6. The data processing is necessary for the protection of legitimate interests.

As a researcher, you are responsible for assessing whether you can base the processing of personal data on 1 of the 6 principles.

On the EU GDPR website you can assess when it is allowed to process data according to the GDPR principles.

• Name, address, postal code, town
• Telephone number, email address
• Date of birth, place of birth
• Nationality, gender
• Profession/job title/salary/CVs
• Citizen Service Number (BSN; statutory), identity card (copy)
• Staff/student number/other administrative number
• Financial data (bank account number, credit card number)
• Photographs/audiovisual material/video recordings
• Data obtained from social user profiles (Facebook, Twitter account, etc.)
• Click and surfing behaviour (cookie/pixel data), IP addresses
• Lifestyle characteristics (e.g. family structure, living situation, interests, demographic characteristics)
• Other: ...

• Special personal data concerning a person's religion or belief, race, political opinion, health, sexual life, personal data concerning membership of a trade union, criminal personal data and personal data concerning wrongful or abusive behaviour in connection with a ban imposed as a result of such behaviour
• Uniquely identifying data (e.g. biometrics, fingerprints, DNA)
• Other data for which there is a (derived) increased sensitivity (e.g. credit card information, financial information, inheritance aspects, work or school performance or data subject to a confidentiality obligation)
• Data on vulnerable groups or persons (e.g. minors <16 years old), mentally disabled, prisoners, people under surveillance, people whose physical safety is at risk)
• Systematic and large-scale monitoring (e.g. camera surveillance)
• Other: ...

1. A person has given express consent to the processing of his/her personal data
2. The processing is necessary for the performance of obligations and the exercise of specific rights of you or the person concerned. This concerns labour law and social security and social protection law
3. The processing is necessary in order to protect the vital interests of the person concerned or of another natural person. This only applies when the person is physically or legally incapable of giving his or her consent
4. The processing is carried out by a foundation, an association or another non-profit making body operating in the political, philosophical, religious or trade union field, and that organisation processes data in the course of legitimate activities and with adequate safeguards
5. The processing relates to personal data which are manifestly made public by the data subject
6. The processing is necessary for the establishment, exercise or substantiation of legal claims, or when courts are acting within the scope of their jurisdiction
7. The processing is necessary for an important public interest
8. The processing is necessary for purposes of preventive or (labour) medicine such as assessing employability for work and/or providing health care
9. The processing is necessary for reasons of public interest in the area of public health
10. The processing is necessary for archiving in the public interest, scientific or historical research or statistical purposes

Copyright protects works that demonstrate a certain creativity or originality. In many cases, it is clear that a work is protected by copyright: when someone writes a book or article, there is always some personal creativity involved. With research data, it is not very clear. After all, data are mostly bare facts. In many cases, therefore, research data will not fall under copyright protection.

Nor is copyright there to protect a researcher who makes a discovery, no matter how creative or original that discovery may be. Copyright cannot be used to protect newly discovered data. Copyright can protect the form in which the discoverer wrote down the bare facts. Then that form must be the result of creative choices. If it is, others may not copy it without permission.

To illustrate: if raw, unprocessed data (legally: bare facts) are put in a table, copyright does not apply. Any other researcher could have made a similar table. A selection or ordering of bare facts may be protected under the Databases Act if it is a selection or ordering with a personal stamp.

In the report 'The legal status of raw data: a guide for the research practice' you will find an overview of the state of affairs based on the most important legislation and case law.

The availability or provision of research data is therefore often not about copyright or database law but about having or giving access to data. One can therefore speak of a great sense of ownership. There is usually no obligation to share research data with others. As a researcher, you can always choose not to make your data available to others so that others cannot use it either. Any contractual agreements may be relevant here.

• For example, funders or publishers may demand that you make the data available for consultation by others. THUAS and government subsidy providers support the Open Science ambition. Open Science covers more than the open access policy to share publications/research articles, it mainly focuses on the underlying research data. For more information, view the page of NWO subsidy provider about Open Science.
• With regard to the demands of publishers, it is relevant that The Hague University of Applied Sciences has an open access publication policy in which the copyright law and the Collective Labour Agreement in the area of the copyright of research publications of staff members are followed. 
• Consortium agreements set out agreements between research collaboration partners on the use, reuse and sharing of research data. Visit the section consortium agreements on this page for additional information. 

The page datamanagement archiving and sharing (section data sharing) explains the different options for sharing research data. 

The conditions specified by the external party regarding the utilization, accessibility, and distribution of their data apply. Consider these factors and document them in your data management plan.

A number of basic rules apply to researchers dealing with personal data:

• You do not collect more personal data than you really need for your research.
• Data subjects have given you permission to collect their data (informed consent).
• You do not use the personal data for purposes other than those for which you have received permission.
• You ensure that data subjects can withdraw their consent and that they can easily contact you to do so.
• You ensure that data subjects can exercise their rights to inspect, correct and delete their personal data and that they can easily contact you for this purpose.
• You protect your research data containing personal data properly by separating contact information from research data, exercising caution in determining who has access to the repository of your research data, and anonymising your data as soon as possible before analyzing data.

Personal data are any data that directly or indirectly identify a person. It can therefore be name, e-mail address, telephone number, location, IP address, etc., but also combinations of data that can lead to a person. So-called 'special' personal data are also (extra) protected: for example, sensitive data about a person's race, religion, health or sexual orientation, such as passport photos and Citizen's Service Number.

The processing of (sensitive) personal data is only allowed when there is a legal basis for it. For the processing of 'ordinary' personal data, you must be able to rely on 1 of the 6 GDPR principles. The processing of sensitive personal data is prohibited unless you can rely on 1 of the 6 GDPR principles and 1 of the 10 statutory exceptions to the ban on processing sensitive personal data.

You explain to your respondents what your research entails, what their role in the research will be and what the possible consequences of participating are. Then you ask if they agree to participate in your research. This is done on the basis of an informed consent. An informed consent form consists of two parts, the information part and the consent part.

The information part contains all information about the research including all researchers involved and any collaborating organisations. It also explains the reasons and purposes for collecting this data. In addition, the researcher's contact details are provided in case the participant wishes to withdraw his or her consent. It states that he or she has the right to do so without explanation.

In the consent form, you ask the respondent permission for:

• The collection and processing of his or her data
• Archiving the data
• The possible publication of the data (anonymised)
• Making the data available for reuse by another researcher, if required

Who gives permission?

• The participant, if over 16 years of age and capable of giving informed consent
• A parent or guardian, if the participant is under 12 years of age
• A parent or guardian and the participant, if the participant is between 12 and 16 years of age
• A representative, if the participant is over 16 years of age but legally incapable

Download here the standard Informed Consent form of The Hague University of Applied Sciences.

The conditions specified by the external party regarding the utilization, accessibility, and distribution of their data apply. Consider these factors and document them in your data management plan.  

The GDPR requires The Hague University of Applied Sciences to make a register of all processing of personal data within The Hague University of Applied Sciences. It is therefore mandatory to report any processing of personal data to the Privacy Officer of THUAS. If you have your data processed by a third party, for example if you use an online survey application, draw up a processing agreement. On the Privacy page you will find more information, tools and the procedure for reporting processing operations.

When working with sensitive data, it is necessary to strengthen the security of this data to avoid disclosing personal data when you want to share your data with others. There are two basic methods: pseudonymisation and anonymisation. The main difference between these two methods is that pseudonymisation can be undone and anonymisation is irreversible. Therefore, according to the GDPR, pseudonymised data must still be treated as personal data.

Pseudonymisation is used when you need the participants' data for reasons other than the analysis itself. For example, it may be useful to obtain additional information about a person later in the research, or to warn someone if there are any medical risks. The National Coordination Point Research Data Management (LCRDM) offers a set of 9 basic steps for pseudonymisation.

Anonymised data are data that no longer relate to individuals at all. In other words, no additional data may be available during anonymisation that would allow someone to link it to a specific person. Not only personal data (directly identifiable elements) must be deleted, but also indirectly identifiable elements. How to anonymise your data can be found on the UK Data Service Anonymisation page and in the Bristol University document Keeping Data Confidential – Anonymising Records.

It is strongly recommended to do a GDPR test at the beginning of your research in consultation with the Privacy Officer of THUAS. This ensures that you are GDPR compliant right from the start of your research and data processing. If necessary, a Data Protection Impact Assessment (DPIA) is carried out. If your research involves any of the following activities, a DPIA is mandatory:

• Assessing people on the basis of personal characteristics (evaluation or score assignment)
• Automated decisions having legal effect or similar consequences
• Systematic monitoring
• Large-scale data processing
• Matching or linking data sets
• Processing of data on vulnerable persons
• Use of new technologies or solutions
• The processing of data leads to the blocking of a right, service or contract

Read here how the DPIA process works within THUAS.

More information on privacy in research and careful handling of personal data:

• THUAS privacy policy and the conditions for processing and storing personal data 
• SURF online module 'Privacy in research’
• Guidelines GDPR: WHY? WHAT? HOW?