Data management
GDPR
Procedures before starting the research project
- Determine whether you are using personal data (read more). Be aware that the term “personal data” should be understood very broadly and it includes data that only can identify the person in combination with other data.
- If personal data is included, you are required to document whether you are complying with the rules for data security. It would be a good idea to create a “GDPR” folder within your project where you can save all documents regarding data security (read more).
- Hereafter, you need to consider whether you (AU) are data controller or data processor (read more) and clarify the roles of other participants in the project.
a) If you are using an external data processor (for instance to collect or store data), you need to sign a data processing agreement.
- If you are using personal data, you need to register your project to the record (there is a difference depending on whether you are data processor or data controller). To do this, you need to be clear about:
a) What is your legal basis for processing personal data (scientific research purposes or consent)? (Read more).
Scientific research purposes: You can use the “scientific research purposes” as legal basis for processing personal information if you only have a scientific or statistical purpose and the processing is a necessity for the research. If you are using the scientific research purposes as your legal basis, you need to be aware that you have a duty to inform the participants that you are processing their personal data. AU has two forms for this. Here you clearly need to clarify your purpose. On rare occasions, you do not have the duty to inform the participants (read more). If you want to use the personal data for other things than research (for instance in teaching), you cannot build your legal basis completely on the scientific research purposes, but you also need to ask for consent. You are still allowed to use the scientific research purposes as your legal basis for your research project and at the same time ask for consent, for instance, to share your data with students. However, it is very important that you inform the participants about this in an understandable way when multiple legal bases are used.
Consent: It is important to distinguish between consent to process personal information and consent following other legislation that is not about data protection (for instance ethical consent). Often, it is not desirable to use consent as your legal basis for processing data if you only intend to use the data for research purposes. If you do decide to use consent as your legal basis, you need to make sure to collect and document a valid consent. AU has two forms for this. You still have the duty to inform when using consent.
b) Do you plan to share the personal data with external partners?
c) Will there be a transfer of personal data to a country outside of EU/EØS (if yes, on what grounds?)
d) Do you intend to publish the personal data (without anonymising it first)?
e) Which initiatives have you taken/do you intend to take in order to protect the personal data? (Storage, pseudo anonymising, encryption etc.)
) Which data sources do you use? (Where do you get your data from? Danmarks Statistik, public data, survey data, do you collect it yourself or let others collect it for you etc.?)
g) Will you establish a research database based on your research project? - Before any processing of personal data, you need to make a written risk assessment (read more).
- In some cases, you also need to make an impact assessment. If your risk assessment, for instance, shows that there is a high risk to the participants’ rights or rights of freedom, you might need to make an impact assessment. Find out whether you need to do so by answering AU’s questions on this topic, and see what an impact assessment needs to contain.
Procedures while processing personal data
- During the whole period that you process personal data, you need to store it in a secure place (read more).
- During your research project you need to consider:
a) Are there any changes in number of participants, type of personal data, data source etc.?
b) Are there other external partners involved in the project than first planned?
c) Are there changes in your purpose?
d) Has the project gotten a new contact person?
If any such changes occur, you need to inform the record (fortegnelsen@au.dk).
- Do you need to share or pass on personal data with an external partner not employed at AU (read more)?
- If you receive a request from a participant, the participant has a number of rights with which you need to comply. This depends on your legal basis (read more).
- If you want to use student assistants, you need to be aware that they should also comply with the rules of data protection (e.g., they are not allowed to store personal data on their personal computer).
- If there is a breach of security involving personal data (e.g., publication, personal data sent to a wrong recipient, wrong personal data sent to a right recipient, hacking, theft, or loss), it is very important that you inform AU about this by using this form.
Procedures after the research project has finished
- Find out whether you need to store the personal data according to the rules about responsible research conduct or according to other rules due to special legislation (for instance due to health legislations).
- If yes: Then you still need to comply with the rules of responsible research conduct since storage is also considered a kind of processing of personal data. Hence, you need to make sure that the data is stored in a secure place and that your project remains registered at the record.
- If no: Then you have four options before you remove your project from the record:
a) You can erase the personal data.
b) Anonymise the personal data irrecoverably (read more).
c) Anonymise the personal data irrecoverably (read more).
d) Transfer the personal data to another data processor in a legal way – i.e., an external partner outside of AU (read more).
For more information about what to be aware of when you store and process personal data, see AU's website 'Data protection in particular concerning research'.
Guidelines for purchasing surveys
First, consider whether ethical approval is needed for the project, see the departments guidelines When to apply for a research ethical approval of research studies Guidelines for researchers at Department of Political Science, Aarhus University
Please note that you may be asked to provide material from the survey provider in connection with ethical approval.
The following rules apply to all survey purchases:
- Prior to ordering, please contact Anders (data manager) about data management, GDPR, and possible involvement of TTO (this has nothing to do with ethical approval. These are two different things)
- Depending on the amount involved, you may need to obtain several quotes. See below.
- Once you have decided on a supplier, please place the contract in the head of department's pigeonhole for signature. The contract will only be signed if the guidelines specified here have been followed. In case of special circumstances, you are welcome to contact the head of department.
- Surveys must be purchased and carried out in the same financial year.
- The invoice must be addressed to Aarhus University and not to the purchaser’s name alone, cf. the general accounting rules.
- After the order has been placed, please forward the contract to Olivia, department secretary, for journalling in Workzone.
In addition to the general rules, special conditions apply depending on the amount of the purchase.
For quotes below DKK 50,000, simply state a reason/comment regarding your choice of supplier.
For quotes above DKK 50,000, you should obtain 2-3 quotes before you choose a supplier.
For quotes above DKK 300,000, AU-Procurement will need to assess the purchase before an order is placed.
