d. Security

You should install state-of-the-art security measures to prevent unauthorised and unnecessary access to your research data. This is to protect the privacy of your study subjects and the scientific integrity of your study.

You can do this by:

  • setting internal and external access policies at the start of your study;
  • protecting your data with passwords;
  • protecting your data from computer viruses;
  • using firewalls, encrypted data transport, backups, etc.;
  • consulting your Chief Information Security Officer;
  • checking the security policy of your UMC.

Frequently Asked Questions

You should always subject your database to a Privacy Impact Assessment (PIA). Recently, BBMRI-NL has developed a data protection impact assessment (DPIA) app to assist researchers in demonstrating that they are GDPR compliant. In addition, make sure that you can log who accesses the system, for what purpose, and who retrieves which data elements.

Databases connected to the internet are more vulnerable to unauthorised access. They should not contain directly identifiable data unless the infrastructure contains sufficient measures to reduce the risk that the identity of a human subject can be accessed to an extremely low level. Such measures could include, for example:

  • highly secure connections limited by IP address or to VPN connections;
  • encryption of all personal data elements (e.g., name and address);
  • sufficient 'imprecision' in the stored data elements (e.g., year of birth instead of exact date of birth);
  • if the combination of data elements stored on one individual (in)directly identifies that person, the database system must implement all requirements set forth by the GDPR.
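
Two of the measures listed here, storing a year of birth instead of the exact date of birth and logging who retrieves which data elements for what purpose (which the FAQ above also asks for), shown as an added Python example that is not part of this guidance or of any UMC tooling; the field names, roles and access policy are constructed assumptions:

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed (constructed) classification of data elements and internal access policy.
DIRECT_IDENTIFIERS = {"name", "address"}
ROLE_POLICY = {
    "data_manager": {"name", "address", "year_of_birth", "diagnosis"},
    "analyst": {"year_of_birth", "diagnosis"},
}


def generalise(record: dict) -> dict:
    """Copy a record, replacing an ISO date of birth (YYYY-MM-DD) with the year of birth."""
    out = {k: v for k, v in record.items() if k != "date_of_birth"}
    if record.get("date_of_birth"):
        out["year_of_birth"] = int(record["date_of_birth"][:4])
    return out


@dataclass
class AuditedStore:
    records: dict = field(default_factory=dict)  # subject id -> generalised record
    audit_log: list = field(default_factory=list)

    def add(self, subject_id: str, record: dict) -> None:
        self.records[subject_id] = generalise(record)

    def retrieve(self, user: str, role: str, purpose: str,
                 subject_id: str, fields: set) -> dict:
        """Return the requested elements; every attempt is logged before the policy check."""
        denied = set(fields) - ROLE_POLICY.get(role, set())
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(), "user": user, "role": role,
            "purpose": purpose, "subject_id": subject_id,
            "fields": sorted(fields), "denied": sorted(denied),
        })
        if denied:
            raise PermissionError(f"{user} ({role}) may not retrieve {sorted(denied)}")
        rec = self.records[subject_id]
        return {f: rec[f] for f in fields if f in rec}


def identifier_accesses(store: AuditedStore) -> list:
    """Audit-review helper: log entries that requested a direct identifier."""
    return [e for e in store.audit_log if DIRECT_IDENTIFIERS & set(e["fields"])]
```

Refused retrievals are logged as well as permitted ones, so a periodic review of `identifier_accesses()` shows every attempt to reach name or address, not only the successful ones.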

A spreadsheet can be useful to monitor, display and analyse your primary source data. However, Word documents, Excel files and Access files are not appropriate structures for storing your primary source data. The scientific quality of the data cannot be ensured in these formats, because word-processing documents are unstructured and spreadsheets lack data integrity protection. They do not keep a history of all the steps taken, which makes results hard to reproduce. Privacy protection is also problematic, since it is difficult to restrict and audit access to such simple structures.

Report any (suspicion of a) data leak to your Data Protection Officer/Privacy Officer.

Since January 2016, UMCs are obliged to report serious data leaks to the ‘Autoriteit Persoonsgegevens’ within 72 hours. Sometimes, they also have to report the data leak to the persons from whom the data were originally derived. The Meldplicht Datalekken describes the definition of a data leak.

The GDPR imposes stiff fines for failing to report any attempt at unauthorised access to the data, as well as for failing to report any possible unauthorised access to the data. Failure to report a serious data leak may result in an administrative fine of up to EUR 820,000.

At your UMC, you can get practical help and advice on the use of passwords, protecting your data from computer viruses, etc. Please consult the Toolbox.