Data protection

Protection of the privacy of human subjects in scientific research is of utmost importance. All data that can be traced back to an individual are personal data. Encrypted or coded data are also personal data, as they can be traced back to individuals. The processing (collecting, using and retaining) of personal data for medical research is subject to the GDPR and the Medical Treatment Contracts Act (WGBO). Research involving human subjects involves explicit procedures for this purpose and must be submitted for ethical review (see Chapter 'Dealing with humans involved in research'). Amsterdam UMC keeps records of every occurrence of personal data processing, including research projects, in the Central Registration of Personal Data registers.

Personal data can only be used by researchers if there is a sound legal reason to do so. Personal data may, in principle, only be used for research if the subjects have been fully informed and have actively given consent for the use of their data (see CCMO Template Subject Information). Permission is also required if other researchers (at Amsterdam UMC or elsewhere) wish to use the data.
The use of personal data without the subject’s consent is only permitted if the following grounds for an exception apply: it is not reasonably possible or desirable to obtain permission, the privacy of the subjects is guaranteed, and the subjects were informed in the past about the use of their data for scientific research and did not object to this use. The applicability of this exception has to be assessed by a dedicated review board under the responsibility of the MREC, as part of the process in which in principle all nWMO research is evaluated (see Chapter 'Dealing with humans involved in research').

Another key requirement regarding data protection is that researchers can explain and justify the use of personal data. All variables to be used must be essential for answering the research question or questions. Data not strictly necessary for answering the research question or questions cannot be processed.

Data protection impact assessment

The privacy of subjects must be guaranteed during all phases of data handling. Before the start of every research project that will involve the processing of personal health data, a data protection impact assessment (DPIA) has to be conducted. This is a structured evaluation of the risks for data subjects and how to mitigate them. In Amsterdam UMC, DPIAs can be conducted in various ways; the evaluation can be done together with a privacy officer, a data protection officer or a legal officer from the Legal Research Support department, or the various aspects of the DPIA are incorporated into the assessment that is, in principle, performed for all nWMO research.

Organizational and technical measures taken by Amsterdam UMC alone are not sufficient to mitigate all privacy risks for research participants. The individual researchers have to make sure they are familiar with the laws, regulations (such as the National Knowledge Safety Guidelines) and local procedures and guidelines that are applicable to their research projects, including the data breach procedure.