You should install state-of-the-art security measures to prevent unauthorised and unnecessary access to your research data. This is to protect the privacy of your study subjects and the scientific integrity of your study.
You can do this by:
You should always subject your database to a Privacy Impact Assessment (PIA). Recently, BBMRI-NL has developed a data protection impact assessment app to assist researchers in showing that they are GDPR compliant. In addition, make sure that you can log who accesses the system, for what purpose, and who retrieves which data elements.
Databases connected to the internet are more vulnerable to unauthorised access. They should not contain directly identifiable data unless the infrastructure contains sufficient measures to reduce the risk of access to the identity of a human subject to an extremely low level. Such measures could entail for example:
A spreadsheet can be useful to monitor, display and analyse your primary source data. However, Word documents, Excel files and Access files are not appropriate structures in which to store your primary source data. The scientific quality of the data cannot be ensured in these formats, because text-editing documents are unstructured and spreadsheets lack data integrity protection. They do not keep a history of all the steps taken, which makes the work hard to reproduce. Privacy protection is also problematic, since it is difficult to restrict and audit access to such simple structures.
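The access logging asked for above (who accesses the system, for what purpose, and who retrieves which data elements) and the audit trail that a spreadsheet cannot provide can be illustrated with a small data-access layer. This is an added example, not code from the page or from any UMC system; the subject table, the columns treated as directly identifying and the sample records are all constructed for the illustration.

```python
import sqlite3
from datetime import datetime, timezone

# Columns that directly identify a subject (an assumption for this constructed schema).
IDENTIFYING = {"name", "dob"}

def setup_db():
    """Constructed sample database: subject data plus an access log table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subjects (id INTEGER PRIMARY KEY, name TEXT, dob TEXT, hba1c REAL)")
    conn.executemany("INSERT INTO subjects VALUES (?, ?, ?, ?)",
                     [(1, "A. Jansen", "1970-02-01", 6.1), (2, "B. de Vries", "1965-11-23", 7.4)])
    conn.execute("CREATE TABLE access_log (ts TEXT, user TEXT, purpose TEXT, "
                 "columns TEXT, outcome TEXT, row_count INTEGER)")
    return conn

def _log(conn, user, purpose, columns, outcome, n):
    """Append one audit record: when, who, why, which data elements, and the outcome."""
    conn.execute("INSERT INTO access_log VALUES (?, ?, ?, ?, ?, ?)",
                 (datetime.now(timezone.utc).isoformat(), user, purpose,
                  ",".join(columns), outcome, n))
    conn.commit()

def retrieve(conn, user, purpose, columns, allow_identifying=False):
    """Return the requested columns for all subjects and log who asked for which
    data elements and why. Refused requests are logged as well, so attempts to
    reach identifying data without authorisation show up in the audit trail."""
    if not purpose.strip():
        raise ValueError("every retrieval must state a purpose")
    schema = {row[1] for row in conn.execute("PRAGMA table_info(subjects)")}
    unknown = [c for c in columns if c not in schema]
    if unknown:  # only real column names reach the query string below
        raise ValueError(f"unknown columns: {unknown}")
    if set(columns) & IDENTIFYING and not allow_identifying:
        _log(conn, user, purpose, columns, "denied", 0)
        raise PermissionError("identifying data requested without authorisation")
    rows = conn.execute(f"SELECT {', '.join(columns)} FROM subjects").fetchall()
    _log(conn, user, purpose, columns, "ok", len(rows))
    return rows

def who_retrieved(conn, column):
    """Audit question: which users asked for a given data element, why, and were they allowed?"""
    return [(user, purpose, outcome) for user, purpose, cols, outcome in
            conn.execute("SELECT user, purpose, columns, outcome FROM access_log")
            if column in cols.split(",")]
```

In a production setting the log would live in a store the researcher cannot edit, which is exactly the property a spreadsheet or Access file cannot offer.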
Report any (suspicion of a) data leak to your Data Protection officer/Privacy Officer.
Since January 2016, UMCs have been obliged to report serious data leaks to the ‘Autoriteit Persoonsgegevens’ within 72 hours. Sometimes, they also have to report the data leak to the persons from whom the data were originally obtained. The Meldplicht Datalekken defines what counts as a data leak.
The GDPR imposes stiff fines for failure to report any attempt at unauthorised access to the data, as well as for failure to report any possible unauthorised access to the data. Failure to report a serious data leak may result in an administrative fine of up to EUR 820,000.