Security

How reliable is the data processor?

Academic staff are contractually obligated to keep the data confidential and to follow standard procedures for secure data management.

Academic staff staff should have relevant training.

External collaborators or students and interns might need to sign additional agreements to properly determine responsibilities. Students and interns must equally follow institutional rules on data management.

How will you ensure that your project is ethical and only collects data that is necessary for the research?

We refer to the ethical and legal page for more information if you need ethical clearance for research, including human subjects, animals, or dual-use, as well as the contractual and legal issues that might apply due to the (re-)use of third-party data, intellectual property rights, or confidentiality.

When handling or processing personal data, consider the following:

• Data minimization. This means collecting only the information that is essential to answer the research question of the project.
• Storage limitations. This means that as soon as certain data are no longer needed, they should be deleted.
• GDPR register. Before starting your research project, register your research project by completing the GDPR checklist of Hasselt University. Depending on the legal basis of processing, request (additional) informed consent for collecting, processing, sharing, or publishing the data.

More information about the Securing personal data is described in the section below.

Do you use the security measures provided by the organisation? 

Organizational and technical security measures at Hasselt University:

• Research Data Management Policy Plan
• Security consultant/ responsible (Data Protection Officer)
• Information security policy
• Continuity plan
• Notification procedure in case of physical/ technical incidents
• Raising staff GDPR awareness through information and training incidents
• Physical access control to the offices by using keys and badges

When using institutional devices (e.g., laptop) and storage solution (e.g., Google Shared Drive), the following security measures are in place:

Other security measures you can take to mitigate the risks:

• Storing data files or documents on institutional storage, and preservation solutions.
• Clean desk policy
• Use of secure systems for the transfer of data (e.g. Belnet FileSender)
• Use of secure procedures for destroying data

Levels of access control for physical and digital data: 

Physical security

Digital security

Were the most effective techniques used to minimize the potential for identification in data processing and/or unauthorized access?

* Most relevant for personal and confidential data

In addition to data minimization (e.g., only handling data that is required for the project), several de-identification techniques can be applied to secure the data, such as encryption, anonymization, and pseudonymization. These techniques mask personal identifiers from data, partially or completely, reducing the risk of identifying an individual.

More information about the de-identification techniques is described in the section below.

Were the most effective techniques used to prevent the lowest possible chance of identification when sharing data and output openly with the public?

* Most relevant for personal and confidential data

Most funders require you to make your data as open as possible. Making the data open to the public creates visibility for you as a researcher and makes your data findable for reuse (more information on FAIR data vs. open data).

However, there are valuable reasons why you should be cautious or why you should not share your data openly or only after an embargo period:

• Legal issues such as intellectual property rights or valorization potential
• Personal data can be de-identified to such a level that it is possible to share your data: anonymous data can be shared with open access, and pseudonymized data can be shared with restricted access. Importantly, however, additional measures should be considered, such as informed consent from the human subjects and proper registration in the GDPR register. More information about Securing personal data is described in the section below.

Personal data are all information about an identified or identifiable natural person. Identifiable is considered to be a natural person who can be identified directly or indirectly.

Some examples of “normal” personal data include name, address, e-mail address, photo, ID number, IP address, employee number, private or professional telephone number (who’s who), login data, identification cookies, account number, CV, log data (including cafeteria, parking use, web use, surfing), camera images, personnel files, wage data, professional publications, etc.

Data concerning deceased persons or organizations are not personal data according to the GDPR and, therefore, fall outside the scope of the GDPR. Other laws and regulations may, however, apply to these data.

Special categories of personal data (sensitive personal data) are personal data that contain information regarding race, ethnic origin, political views, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, data on a person's sexual behaviour or sexual orientation. If this information becomes publicly available, for example as a result of a data breach, this can have very adverse consequences for the data subjects.

Genetic data are personal data related to the inherited or acquired genetic traits of a natural person that provide unique information about the physiology or health of that natural person, and that come in particular from an analysis of a biological sample of that natural person.

Biometric data are personal data that result from specific technical processing with regard to the physical, physiological or behavioural characteristics of a natural person on the basis of which unambiguous identification of that natural person is possible or confirmed, such as facial images or fingerprint data.

Health data are personal data related to the physical or mental health of a natural person, including data on health services provided that supply information about their health status.

Based on GDPR in research

Health data are a special category of personal data related to the physical or mental health of a natural person, including data on health services provided that supply information about their health status.

Guidelines regarding the processing of medical personal data.

• Required use of an Electronic Data Capturing platform in line with Good Clinical Practices.

The platform available at UHasselt is the web-based Castor Electronic Data Capture (EDC) platform

What is an EDC?
Electronic data capture (EDC) software provides an efficient and safe platform in compliance with Good Clinical Practice (GCP) and GDPR, which can be used to build and manage your electronic case report form, online surveys, and databases. EDC software is mandatory for clinical studies but is not restricted to this type of research.

Castor EDC can easily capture clinical data and manage surveys and your electronic case report forms (eCRFs).

An account for Castor EDC can be created without a license; you can set up a project and test the functionalities. A license is needed when you want to change the type of study from Test (to try study structures, etc.) or Example (used as a reference to be shown) to Production (for real participant data).

More information regarding licensing for Castor EDC is available via The Limburg Clinical Research Centre: lcrc@uhasselt.be  (co-financing for this is possible from UHasselt.

Never preserve raw data (including the direct identifiers, e.g., name and surname, national insurance number, etc.) on a Hasselt University Google Drive (proprietary MyDrive or Shared).

⇒ Solution:

• Always pseudonymize the dataset
• Store the key separately with restricted access
• Limit access to pseudonymized data by restricted access for authorized staff only
• Apply additional password encryption to these datasets

More information about the de-identification techniques is described in the section below.

When processing personal data, consider two parameters to determine which de-identification techniques are most appropriate:

1. Level of sensitivity
2. Probability of re-identification

The extent to which the parameters are present is determined by:

• Type of identifiers: Direct, Indirect, Strong indirect identifiers
• Uniqueness/specificity: How unique is your data?
• Prevalence of the identifier in the population

Quantitative personal data refers to numerical data describing a person's characteristics and is typically collected through surveys, experiments, or observational studies. 

Recommended techniques and tools to de-identify quantitative data:

Qualitative research refers to non-numeric data with data expressed in natural language (e.g., textual or visual form). For example comprehensive interviews, focus groups, personal diaries, observations, field notes, responses to open-ended questionnaires, audio and video recordings, and pictures. This methodology provides in-depth datasets containing information about peoples' perspectives, emotions, motivations, beliefs, and expectations.

Qualitative data often contain various types of personal data and a certain context in which the information is provided, making it difficult to anonymize these types of datasets fully.

Best practice tip: pseudonymizing your qualitative dataset after data collection before starting the data analysis and interpretation, especially before sharing data with collaborators or third parties.

Recommended techniques and tools to de-identify qualitative data:

Must read!

Making qualitative data available for reuse? Read the Making Qualitative Data Reusable - A Short Guidebook For Researchers 

References: 

• KULeuven RDM Anonymisation & pseudonymisation
• Verburg, Maaike, Braukmann, Ricarda, & Mahabier, Widia. (2023). Making Qualitative Data Reusable - A Short Guidebook For Researchers And Data Stewards Working With Qualitative Data (Version 2). Zenodo. https://doi.org/10.5281/zenodo.8160880

Biometric data are a special category of personal data that result from specific technical processing with regard to the physical, physiological or behavioural characteristics of a natural person on the basis of which unambiguous identification of that natural person is possible or confirmed, such as facial images or fingerprint data.

Recommended techniques and tools for neuroimaging and biometric data: