Data Protection Registration

When conducting research in COBE Lab you must follow the Danish Act on Processing of Personal Data, which has been in force since 2000. On 25 May 2018 the rules were tightened when the new General Data Protection Regulation (GDPR) became effective. The new regulation makes it easier for individuals to control their own data and how it is treated by others.
 
On this site you will find recommendations for storing and protecting data when conducting research in COBE Lab. Aarhus University's Technology Transfer Office (TTO) also offers a lot of information about data protection on their website. If you cannot find what you are looking for, please contact COBE Lab Management or the data team of Aarhus University (TTO).

We recommend that you especially reflect upon these aspects: 

  • How participants' anonymity is ensured before, during and after data collection
  • Storage and protection of CPR-numbers for payment and when they are to be destroyed
  • How personal data are kept safe 
  • How participants have the possibility to withdraw their consent and request deletion of their data
  • How collected consent forms are stored and when they are to be destroyed
  • How to ensure a data processing agreement if external persons, who are not AU staff, are processing data
  • How and when data is completely anonymised

Notification to the Danish Data Protection Agency

Research activities including personal information must be registered internally at Aarhus University. You must fill out and submit a notification form found under "1. Do you process personal data?" here. There are two forms to choose from, one if you are the data controller and one if you are the data processor. You can read more about each kind on TTO's website, but under normal circumstances you will need to fill out the data controller form for projects in COBE Lab. 

Every research project must have a data controller, who is a contact person responsible for data internally. This means that this person is responsible for compliance with the Danish Act on Processing of Personal Data (Persondataloven) and any related rules and regulations, including the Executive Order on Security (Sikkerhedsbekendtgørelsen), for every data processing action.

E-learning course about the rules for personal data

An e-learning course about the new General Data Protection Regulation is now available at AU. The course can be accessed at any time and takes approximately 1 hour. We recommend that all data controllers and data handlers for studies at COBE Lab complete this course.

What is personal data?

If there is any way that the individual participant can be connected to data from an experiment then it should be considered personal data. We advise that if in doubt, it’s better to treat it as if personal data were collected.

The law contains a series of rules concerning how personal data should be collected, handled, registered and stored. How the law should be applied within COBE Lab depends upon the nature of the information and the purpose of data treatment required for a particular study. 

Sensitive data

  • Race and ethnic origin
  • Political orientation
  • Religious and philosophical orientation
  • Union membership
  • Genetic data
  • Biometric data with a view to identification
  • Health information
  • Sexual relations and sexual orientation
  • Previous convictions, social problems or other sensitive private information

For sensitive data there is a requirement for logging, which means that all use of sensitive data needs to be registered. The registration must contain information about the time, user and type of use, and state which person the information used concerned.

CPR-numbers

CPR-numbers require a high level of protection even though they are not classified as sensitive information in themselves. You are expected to take the necessary technical and organisational measures to protect the information and to prevent unauthorised persons from getting access to participants' CPR-numbers.

When collecting CPR-numbers for payment please make sure that they are kept separate from the data collected as they can be used to link personal and sensitive information to the individual participant. 

Normal personal information

  • Any information which may identify or contribute to identifying an individual, but which is not classified as 'sensitive data', e.g., economic situation, tax details, family, residence, job position, name, etc.

An organisation cannot simply collect and store normal or sensitive personal information; the law states categorically that certain conditions must be fulfilled. With regard to COBE Lab's work, it is most likely the following conditions that must be fulfilled:

  • The registered individual gives their express written consent. Oral consent is not sufficient.
  • The treatment is necessary to carry out an assignment in the name of society’s interest.
  • The treatment is part of the legal obligations the party responsible for the data must fulfil. For example, in Denmark an employer is required by law to register employees' income details and send them on to the Danish tax authorities.

 

Learn more about the Danish Act on Processing of Personal Data and the General Data Protection Regulation

Security measures for processing personal information

When treating and storing personal information you are responsible for following the Executive Order on Security Measures for Protection of Personal Data that is Processed for the Public Administration and Aarhus University's information security policy.

Here you will find a selection of important requirements; the list is not exhaustive:

  • Access to personal data is limited to as few people as possible, and storage rooms must be inaccessible to unauthorised persons
  • All use of personal data must be subject to automated registration (logging). The registration must at least contain details of the time, user, type of use and an indication of the person the utilised data referred to, or the search criterion used. The log must be stored for six months, after which time it must be erased
  • Personal information must not be kept in a form that makes it possible to identify individual persons for longer than necessary
  • Identification information must be encrypted or replaced with a code. As an alternative all information can be kept encrypted. The encryption key must be kept secure and separate from the personal information
  • Equipment and devices which do not belong to AU must not be used for storing or processing information and data which are classified as confidential or sensitive
  • Access to personal data must only take place by providing a secure password. The password must be changed once per year, and whenever it is necessary
  • If data need to be transferred, they need to be encrypted
  • If data are shared with an external collaborator, you must enter into a data processing agreement
  • CPR-numbers for payment need to be stored separately from the data collected and destroyed as soon as the payments have been processed. If CPR-numbers are stored digitally, they need to be encrypted. If stored on paper, they need to be kept under lock

COBE Lab provides locked storage space for consent forms and payment receipts during data collection. Contact cobelab@au.dk to get access to a locker. 

Anonymisation of data

The Danish Act on Processing of Personal Data applies to the processing of personal information. The act does not apply to information which is anonymous in such a way that the registered person can no longer be identified.

  • Anonymising data is about eliminating the possibility of identifying individual persons in a data set. The detachment of identification needs to be irreversible
  • All possible tools that reasonably can be used to identify the individual person should be considered when judging if a person is identifiable
  • An identifiable person is defined by a direct or indirect identification, e.g. by an identification number. SONA ID is an example of an indirect identification of a person and is therefore not anonymous. This is also the case with distinctive features of a person such as physiological, psychological, cultural or social identity.

If, for example, a name, address or personal number is replaced by a code that can lead back to the original individual personal information, it is still defined as personal information. This is true even if the person who has the data does not have access to the list or key that can show the connection between the code and the personal information.

Information such as pictures, voice recordings, and fingerprints is also covered by the regulation if it is possible to connect the information to a particular person.

Research and technology are in constant development. It is not possible to give a textbook answer to when identifying people is no longer possible.

Pseudonymisation 

Pseudonymisation is not the same as anonymisation. Pseudonymisation is when directly identifying information is replaced with pseudonyms ("codes") that serve as unique identifiers. As an example, CPR-numbers can be replaced by a code, in which case you need to create and safeguard a document which links the CPR-numbers and the codes, so the pseudonymisation can be reversed if needed.

Unlike anonymous information, pseudonymised information is covered by the Act on Processing Personal Data. However, pseudonymisation offers better protection of the individual, as it is not immediately possible to recognise the person or misappropriate their information.
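The pseudonymisation described above, with the link between codes and CPR-numbers held apart from the study data so that a withdrawal of consent can still be honoured, as an added example (not code from COBE Lab or the Danish Data Protection Agency). The function names, field names, user name and sample CPR-numbers are assumptions made for illustration; codes are drawn at random rather than hashed from the CPR-number, because the small space of possible CPR-numbers makes a hash easy to reverse by enumeration.

```python
import secrets
from datetime import datetime, timezone

def pseudonymise(records, id_field="cpr"):
    """Return (data_rows, link_table). data_rows carry a random code in place
    of the identifier; link_table (code -> identifier) is stored separately."""
    link, seen, data = {}, {}, []
    for rec in records:
        ident = rec[id_field]
        if ident not in seen:
            # Random code: nothing in it is derived from the CPR-number.
            code = "P-" + secrets.token_hex(8)
            seen[ident] = code
            link[code] = ident
        row = {k: v for k, v in rec.items() if k != id_field}
        row["code"] = seen[ident]
        data.append(row)
    return data, link

def withdraw(data, link, ident, user, log):
    """Delete a withdrawing participant's rows and link entry, logging
    time, user, type of use and the code the data referred to."""
    codes = {c for c, i in link.items() if i == ident}
    for code in codes:
        del link[code]
        log.append({"time": datetime.now(timezone.utc).isoformat(),
                    "user": user, "use": "delete", "subject": code})
    return [r for r in data if r["code"] not in codes]

# Constructed sample rows; the CPR-numbers are made up.
SAMPLE = [
    {"cpr": "010190-0001", "trial": 1, "rt_ms": 412},
    {"cpr": "020285-0002", "trial": 1, "rt_ms": 388},
    {"cpr": "010190-0001", "trial": 2, "rt_ms": 401},
]

if __name__ == "__main__":
    data, link = pseudonymise(SAMPLE)
    audit = []
    data = withdraw(data, link, "010190-0001", "researcher1", audit)
    print(len(data), "row(s) left;", len(link), "link entry;", audit[0]["use"])
```

The link table is still personal data under the rules above and belongs in separate, encrypted storage with its own access restrictions.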

Encrypted information

Encrypted information is covered by the Act on Processing Personal Data. Encrypting data is a safety measure that can be used to ensure confidentiality in communication between a sender and a receiver.

Source: This content is from the Danish Data Protection Agency and translated by COBE Lab management

Learn more

You can learn more about personal information and anonymisation in the Article 29 Working Party's Opinion No. 4/2007 on the concept of personal data and Opinion No. 05/2014 on anonymisation techniques.

Withdrawal of consent and deletion of data

A participant can at any time withdraw her or his consent. It is the researcher's responsibility to make sure this can be done in an easy and simple way and without consequences for the participant. A participant is not required to provide a reason for withdrawing from a research study before, during, or after the study.

If a participant withdraws his or her consent, the data collected from the participant until this point should be deleted as soon as possible. It should be clear from which point the data is anonymised, as participants will not be able to request that their data is deleted after this point.

Disclosure of data outside Denmark

Any disclosure of data to data controllers outside Denmark is subject to separate, prior authorisation by the Danish Data Protection Agency.

This authorisation is obtained from the Secretariat and Legal Support office.

Please send an email to:

Rector’s Office
Secretariat and Legal Support
legal@au.dk