Protecting your data

You should protect both the privacy of your study subjects and the scientific integrity of your study by preventing unauthorised and unnecessary access to your data. Implement standard, state-of-the-art security measures to do so.

You can do this by applying the FAIR principles both during and after completion of your research project, and by considering the following safety measures to protect your data:

  • Storage of research data has to be safeguarded primarily under the NEN7510 regulations. NEN7510 is the standard for information security management in healthcare, adopted by the Netherlands Standards Organisation. If you want to use the data storage services of a party external to the NFU-associated UMCs, that party should prove that it is certified under NEN7510 or an equivalent norm.
  • The database manager should restrict access to the data per field and per role, through individual accounts.
  • Storage that could legally be traced back to a non-EU owner, or to any non-EU party with access to the data or to its physical location, should not be used.

Frequently Asked Questions

Having access policies for your data is an important part of data stewardship. Your access policies should establish:

  • who gets access to your data (e.g., researchers, data managers, ICT staff, administrative staff);
  • to which data these people get access.

This includes:

  • internal access policies (i.e., for yourself and your colleagues, for instance when you need remote access to your data);
  • external access policies (e.g., in case you are sharing files with others as part of a new research project).

Access policies are part of your data management plan. It is your responsibility to describe them before you start collecting data. In case of a clinical trial, a substantial change in access policies should lead to an amendment of your ethical protocol.

Important aspects are:

  • never allowing access to personal or clinical data to unauthorized people;
  • under no circumstances granting access to (in)directly identifiable data via accounts that allow several people to access the data;
  • verifying the identity of a user logging into a database with (in)directly identifiable data by at least one method in addition to a password (two-factor authentication);
  • not providing more information in a data extraction than needed for a particular analysis;
  • making sure that access to the database is logged properly.

Make sure that you log who accesses the system, for what purpose, and who retrieves which data elements. Any access outside the authorisations in your access policies should be considered unauthorised access, and you should be able to detect it in a timely manner, whether it originates from inside or outside your organisation.

In cohort studies, contact data is usually registered for study subjects. Access rules should differentiate between those having access to research data and those having access to contact data. In principle one should not have access to both, unless the researcher is also the treating physician. An exception can only be made for smaller projects that have a limited period in which data is created, processed, and analysed. You will have to argue why this exception applies to your research project in your research protocol (i.e., explain why it is necessary for staff members to access both research data and contact data).
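As an added example (not code from the original page or from the NFU), the following Python script checks constructed database access-log lines against a policy of the kind described above: every account must be an individual one, may only retrieve the fields permitted for its role, may only do so for a purpose registered for that account, and gets access to both research data and contact data only under the treating-physician exception. Anything not explicitly permitted is reported as unauthorised. The role names, field names, account names, purposes and the log-line format are all assumptions made for the example.

```python
"""Audit constructed database access-log lines against a per-role, per-field
access policy. Added example, not code from the original page; every role,
field, account and purpose name below is an assumption made for the example."""
from dataclasses import dataclass

# Research data and contact data are separate groups of fields (assumed names).
RESEARCH_FIELDS = frozenset({"year_of_birth", "diagnosis", "lab_result", "questionnaire_score"})
CONTACT_FIELDS = frozenset({"name", "address", "phone", "email"})

# Which fields each role may retrieve. ICT staff operate the system but may not
# read subject data at all, so their allowed set is empty.
ROLE_POLICY = {
    "researcher": RESEARCH_FIELDS,
    "study_nurse": CONTACT_FIELDS,
    "ict_staff": frozenset(),
}

# Individual accounts only, each tied to one person, one role and the purposes
# registered for it in the data management plan. The treating-physician
# exception extends a researcher's access to contact data.
ACCOUNTS = {
    "j.jansen": {"role": "researcher", "treating_physician": False, "purposes": {"analysis-A"}},
    "p.smit": {"role": "researcher", "treating_physician": True, "purposes": {"analysis-A", "follow-up"}},
    "a.devries": {"role": "study_nurse", "treating_physician": False, "purposes": {"follow-up"}},
    "ops01": {"role": "ict_staff", "treating_physician": False, "purposes": {"backup-check"}},
}
# Group accounts: never acceptable for (in)directly identifiable data.
SHARED_ACCOUNTS = {"lab-shared", "admin"}


@dataclass(frozen=True)
class Access:
    ts: str
    account: str
    purpose: str
    fields: frozenset


def parse_line(line: str) -> Access:
    """Parse one constructed log line: '<timestamp> <account> <purpose> <field,field,...>'."""
    ts, account, purpose, fields = line.split(maxsplit=3)
    return Access(ts, account, purpose, frozenset(f for f in fields.split(",") if f))


def allowed_fields(account: str) -> frozenset:
    """Fields an account may retrieve: its role's fields, plus contact data
    only under the treating-physician exception."""
    info = ACCOUNTS[account]
    fields = ROLE_POLICY[info["role"]]
    if info["treating_physician"]:
        fields = fields | CONTACT_FIELDS
    return fields


def audit(lines):
    """Return (timestamp, account, finding) for every access outside the policy.
    Anything not explicitly permitted is treated as unauthorised."""
    findings = []
    for line in lines:
        a = parse_line(line)
        if a.account in SHARED_ACCOUNTS:
            findings.append((a.ts, a.account, "shared account used for subject data"))
            continue
        if a.account not in ACCOUNTS:
            findings.append((a.ts, a.account, "account not in access policy"))
            continue
        if a.purpose not in ACCOUNTS[a.account]["purposes"]:
            findings.append((a.ts, a.account, f"purpose '{a.purpose}' not registered for this account"))
        excess = a.fields - allowed_fields(a.account)
        if excess:
            findings.append((a.ts, a.account, "fields outside role: " + ",".join(sorted(excess))))
    return findings


# Constructed sample log (not real data).
SAMPLE_LOG = [
    "2016-03-01T09:00 j.jansen analysis-A year_of_birth,lab_result",   # permitted
    "2016-03-01T09:05 j.jansen analysis-A name,lab_result",            # researcher pulling contact data
    "2016-03-01T09:30 j.jansen follow-up lab_result",                  # purpose not registered
    "2016-03-01T10:00 a.devries follow-up name,phone",                 # permitted
    "2016-03-01T10:30 lab-shared analysis-A diagnosis",                # shared account
    "2016-03-01T11:00 ops01 backup-check lab_result",                  # ICT staff reading subject data
    "2016-03-01T11:15 p.smit follow-up name,diagnosis",                # permitted: treating physician
    "2016-03-02T08:00 x.unknown analysis-A diagnosis",                 # account not in policy
]

if __name__ == "__main__":
    for ts, account, finding in audit(SAMPLE_LOG):
        print(ts, account, finding)
```

Run against the sample log, the script reports five findings and stays silent on the three permitted accesses. The same check can be run periodically over the real database log, which also gives the executor the list of active accounts and what they retrieved, as the responsible entity should periodically be told.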

In principle, your access policies should be described at the start of your project. One reason for this is that, in many cases, patients have to give informed consent on data sharing before you start collecting data. Yet, there should be sufficient room for change, following from the principle of responsible data sharing.

Although you describe it at the start, it may be adapted later on. New funders may require new access and sharing conditions. Your project may lead to unforeseen data, which generate unforeseen requests for those data. A recipient of the data, agreed upon at the start of the project, may have had a serious data breach or infringed scientific integrity. This should lead to reconsidering the original agreement.

Yes, most UMCs make all personnel who work with data in the care environment sign a 'geheimhoudingsverklaring' (confidentiality declaration) as a standard procedure.

According to current legislation, you need to distinguish the notions of 'the responsible entity' and 'the executor' (in data protection terms, the controller and the processor).

The responsible entity:

  • defines purpose and use of the data management infrastructure;
  • informs the executor of any changing roles in the organisation (e.g., end of employment) to be effectuated in the data management infrastructure.

The executor:

  • cannot independently decide how to use the data collected, nor what data should be collected;
  • has an independent responsibility as to the security and quality of the data;
  • needs to provide all reasonable information to the responsible entity so that the latter can discharge its responsibility (e.g., the executor needs to inform the responsible entity periodically which accounts are currently active and able to access the database).

New European legislation will impose heavy fines not only for failure to report any attempt at unauthorised access to the data, but also for failure to report any possible unauthorised use of the data. For example, if the executor is aware of a major flaw in the mechanism protecting the data, this vulnerability should be reported to the authorities.

This topic is currently under debate. In the near future, an obligation to report data leaks is expected.

Databases connected to the internet are more exposed to unauthorised access. They should not contain identifiable data unless the infrastructure has taken sufficient measures to reduce the risk of access to the identity of a human subject to an extremely low level. Such measures could entail, for example:

  • encrypted connections, restricted by source IP address or to VPN connections;
  • encryption of all personal data elements (e.g., name and address);
  • sufficient 'imprecision' in the data elements stored (e.g., only year of birth instead of exact date);
  • if the total set of data elements stored on one individual (in)directly identifies that person, the database system must implement all requirements set forth by the Wbp (Wet bescherming persoonsgegevens, the Dutch Personal Data Protection Act). On top of that, the NFU requires that such systems can demonstrate an extremely low probability of breaching the privacy of the study subjects. Such a low probability can be achieved by encryption, strong authentication for access to the system, and proper intrusion detection.
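As an added example (not code from the original page or from the NFU), the following Python script produces a minimised extraction for one analysis, as the 'imprecision' and 'not more than needed' points above call for: only the requested fields are released, exact date of birth is replaced by year of birth, and a request that names a directly identifying field is refused before any data is read. The record layout, the field names, the study pseudonym `study_id` and the analysis definitions are assumptions made for the example.

```python
"""Build a minimised data extraction for one analysis from a constructed
subject table: only the fields that analysis needs, exact date of birth
replaced by year of birth, and directly identifying fields never released.
Added example, not code from the original page; the record layout, field
names, pseudonym and analysis definitions are assumptions made for the example."""

# Directly identifying fields (assumed names): never part of an extraction.
IDENTIFYING = frozenset({"name", "address", "phone", "email", "bsn"})

# Fields in the (constructed) subject table that may be requested at all.
AVAILABLE = frozenset({"date_of_birth", "diagnosis", "lab_result", "questionnaire_score"})


def year_of_birth(date_of_birth: str) -> int:
    """Generalise an ISO 8601 date of birth ('1961-07-14') to the year (1961)."""
    return int(date_of_birth[:4])


# Generalisation applied before release: field -> (released name, function).
GENERALISE = {"date_of_birth": ("year_of_birth", year_of_birth)}


def check_request(fields):
    """Validate an extraction request. Returns (ok, reason)."""
    requested = set(fields)
    leak = requested & IDENTIFYING
    if leak:
        return False, "identifying fields requested: " + ",".join(sorted(leak))
    unknown = requested - AVAILABLE
    if unknown:
        return False, "unknown fields requested: " + ",".join(sorted(unknown))
    return True, "ok"


def extract(records, fields):
    """Return rows containing only `fields` (generalised where a rule applies),
    keyed by the study pseudonym. Refuses requests that fail check_request."""
    ok, reason = check_request(fields)
    if not ok:
        raise PermissionError(reason)
    rows = []
    for rec in records:
        row = {"study_id": rec["study_id"]}
        for field in fields:
            if field in GENERALISE:
                released_name, fn = GENERALISE[field]
                row[released_name] = fn(rec[field])
            else:
                row[field] = rec[field]
        rows.append(row)
    return rows


# Constructed subject records (not real data).
SUBJECTS = [
    {"study_id": "S001", "name": "A. Example", "bsn": "000000000", "phone": "000",
     "date_of_birth": "1961-07-14", "diagnosis": "T2D", "lab_result": 6.8, "questionnaire_score": 12},
    {"study_id": "S002", "name": "B. Example", "bsn": "000000001", "phone": "001",
     "date_of_birth": "1975-02-03", "diagnosis": "HT", "lab_result": 5.4, "questionnaire_score": 9},
]

# Registered analyses and the fields each one needs (assumed).
ANALYSES = {
    "analysis-A": ["date_of_birth", "diagnosis", "lab_result"],
    "analysis-B": ["questionnaire_score"],
}

if __name__ == "__main__":
    for name, fields in ANALYSES.items():
        print(name, extract(SUBJECTS, fields))
    print(check_request(["name", "diagnosis"]))
```

The extraction for analysis-A contains year of birth, diagnosis and lab result per pseudonym and nothing else; a request that includes the name field is refused with a reason rather than silently dropped, so that the request itself can be logged as an attempt to retrieve more than the analysis needs.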

Also make sure that you can log who accesses the system for what purpose and who retrieves which data elements.

Don't. Use a proper password management system.

Text in preparation