privacy & Information Security Research Roadmap Amsterdam UMC

Privacy & Information Security

WMO
Non-WMO

The team Privacy Protection and Information Security (in Dutch: Privacybescherming
en Informatiebeveiliging, PB&IB) supports the Executive Board, management and the work floor in safeguarding privacy and information security. The PB&IB team plays an important advisory and supervisory role, ensuring compliance with relevant laws and regulations (including the GDPR and NEN7510).

The following pages provide general information, and the most frequently used forms and documents:

A few key topics are highlighted below.

Team PB&IB can be contacted via the Service Portal: navigate to the ‘Contact & Meldingen – Iets melden’ tab and click the button ‘Privacy Vragen’. You will have insight in the follow-up of your message. Please consult the manual for more information.

Research dataflows

Data processing in research can be complex. A data flow diagram can help by visualizing how data is collected, processed, analyzed or used, along with which organization is responsible for each step. For more information and templates, see Research dataflows Amsterdam UMC.

Data Processing Registry (Verwerkingsregister)

According to the General Data Protection Regulation (GDPR, in Dutch: AVG), Amsterdam UMC must keep a record of all data processing activities involving personal data. This includes the privacy measures taken, engaged suppliers, retention periods and any transfers to third parties. All intended data processing activities must be reported via the Data Processing Registry (in Dutch: Verwerkingsregister). More details on what and why to report, and how your registration is processed can be found in this manual.

Note: to register in the Verwerkingsregister you need an amsterdamumc.nl account.

Start a data processing registration (green thumb)

Data Protection Impact Assessment (DPIA)

In 2023, the shortened DPIA was discontinued, and it is no longer necessary to send it separately to the Data Protection Officer. Since then, only the comprehensive DPIA is used.

The initial assessment of privacy and data protection risks is conducted by the MREC and/or the non-WMO Review Committee. If a study is considered high-risk or it involves the use of a new IT tool (see below), it is advised to contact team PB&IB and complete a comprehensive DPIA together with them.

For more information, refer to this manual.

IT tools

Various IT tools are needed to conduct research, such as electronic questionnaires, applications, websites, wearables and platforms for data sharing and collaboration with external parties. Amsterdam UMC provides a number of tools that already have the necessary security measures, licenses and privacy agreements in place. Team PB&IB recommends using these standard tools as much as possible. For more information, see Research Data Management (RDM).

If you want to use an IT tool that has not yet been authorized by Amsterdam UMC for processing personal data during your research, you must first start a privacy assessment. Refer to ‘Nieuw ICT middel’ in Privacy: Need to Know for researchers for an explanation on the necessary steps.

A DPIA and BIV classification can be part of the privacy assessment.