When conducting research and the associated data management, there are many things to consider from a legal perspective.

General Data Protection Regulation

From 25 May 2018, the General Data Protection Regulation (GDPR) will apply. This means that, from that date, the same privacy legislation will apply throughout the European Union.

The GDPR provides, among other things:

  • Strengthening and extending privacy rights
  • More responsibilities for organisations
  • The same robust powers for all European privacy regulators, such as the power to impose fines of up to 20 million euros 

The GDPR also has important consequences for working with research data. Read more about this under Data and Privacy. Read more about THUAS privacy policy and the conditions for processing and storing personal data. 

Intellectual Property

Intellectual property is the collective name for rights to intellectual creations, such as texts, pictures, software, inventions, brand names and valuable knowledge. Intellectual property can also play a role in data. You can read more about this under Data and Ownership and THUAS publishing policy.

Consortium Agreement NWO

If you cooperate with other parties in the context of research, a cooperation agreement is highly desirable and sometimes required (e.g. for grant projects). An agreement clearly sets out the rights and obligations of all parties involved, including agreements on the research data, intellectual property rights and liability. In need of a consortium/cooperation agreement? Reach out to [email protected]

Medical Research Involving Human Subjects Act

Research involving human subjects must undergo a medical-ethical review if it falls under the Medical Research Involving Human Subjects Act (WMO). Research falls under the WMO if the following two conditions are met:

  • Medical scientific research is involved
  • Persons are subjected to actions or imposed rules of conduct

Read more about the assessment procedure of the WMO on the website of the Central Committee on Research Involving Human Subjects.

For more information, contact the data stewards of the library.

The 6 GDPR Principles

The GDPR has 6 principles for the processing of personal data:

The 6 GDPR Principles for Processing Personal Data
  1. Permission of the person concerned.
  2. The data processing is necessary for the execution of the agreement.
  3. The data processing is necessary for compliance with a legal obligation.
  4. The data processing is necessary for the protection of vital interests.
  5. Data processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
  6. The data processing is necessary for the protection of legitimate interests.

As a researcher, you are responsible for assessing whether you can base the processing of personal data on 1 of the 6 principles.

On the EU GDPR website you can assess when it is allowed to process data according to the GDPR principles.

Categories of Personal Data

Categories of 'ordinary' personal data
  • Name, address, postal code, town
  • Telephone number, email address
  • Date of birth, place of birth
  • Nationality, gender
  • Profession/job title/salary/CVs
  • Citizen Service Number (BSN; statutory), identity card (copy)
  • Staff/student number/other administrative number
  • Financial data (bank account number, credit card number)
  • Photographs/audiovisual material/video recordings
  • Data obtained from social user profiles (Facebook, Twitter account, etc.)
  • Click and surfing behaviour (cookie/pixel data), IP addresses
  • Lifestyle characteristics (e.g. family structure, living situation, interests, demographic characteristics)
  • Other: ...

Categories of 'special' personal data
  • Special personal data concerning a person's religion or belief, race, political opinion, health, sexual life, personal data concerning membership of a trade union, criminal personal data and personal data concerning wrongful or abusive behaviour in connection with a ban imposed as a result of such behaviour
  • Uniquely identifying data (e.g. biometrics, fingerprints, DNA)
  • Other data for which there is a (derived) increased sensitivity (e.g. credit card information, financial information, inheritance aspects, work or school performance or data subject to a confidentiality obligation)
  • Data on vulnerable groups or persons (e.g. minors <16 years old, mentally disabled, prisoners, people under surveillance, people whose physical safety is at risk)
  • Systematic and large-scale monitoring (e.g. camera surveillance)
  • Other: ...

The 10 GDPR Legal Exceptions

The GDPR contains 10 exceptions to the ban on processing special personal data. This means that the ban on processing special personal data does not apply if you can rely on 1 of the 6 principles for processing 'ordinary' personal data and:

Data and Privacy

The 10 legal exceptions to the ban on processing special personal data
  1. A person has given express consent to the processing of his/her personal data
  2. The processing is necessary for the performance of obligations and the exercise of specific rights of you or the person concerned. This concerns labour law and social security and social protection law
  3. The processing is necessary in order to protect the vital interests of the person concerned or of another natural person. This only applies when the person is physically or legally incapable of giving his or her consent
  4. The processing is carried out by a foundation, an association or another non-profit making body operating in the political, philosophical, religious or trade union field, and that organisation processes data in the course of legitimate activities and with adequate safeguards
  5. The processing relates to personal data which are manifestly made public by the data subject
  6. The processing is necessary for the establishment, exercise or substantiation of legal claims, or when courts are acting within the scope of their jurisdiction
  7. The processing is necessary for an important public interest
  8. The processing is necessary for purposes of preventive or (labour) medicine such as assessing employability for work and/or providing health care
  9. The processing is necessary for reasons of public interest in the area of public health
  10. The processing is necessary for archiving in the public interest, scientific or historical research or statistical purposes

Data and Ownership

Copyright and Database Right

Copyright protects works that demonstrate a certain creativity or originality. In many cases, it is clear that a work is protected by copyright: when someone writes a book or article, there is always some personal creativity involved. With research data, it is not very clear. After all, data are mostly bare facts. In many cases, therefore, research data will not fall under copyright protection.

Nor is copyright there to protect a researcher who makes a discovery, no matter how creative or original that discovery may be. Copyright cannot be used to protect newly discovered data. Copyright can protect the form in which the discoverer wrote down the bare facts. Then that form must be the result of creative choices. If it is, others may not copy it without permission.

To illustrate: if raw, unprocessed data (legally: bare facts) are put in a table, copyright does not apply. Any other researcher could have made a similar table. A selection or ordering of bare facts may be protected under the Databases Act if it is a selection or ordering with a personal stamp.

In the report 'The legal status of raw data: a guide for the research practice' you will find an overview of the state of affairs based on the most important legislation and case law.

Ownership

The availability or provision of research data is therefore often not about copyright or database law but about having or giving access to data. One can therefore speak of a great sense of ownership. There is usually no obligation to share research data with others. As a researcher, you can always choose not to make your data available to others so that others cannot use it either. Any contractual agreements may be relevant here.

  • For example, funders or publishers may demand that you make the data available for consultation by others. THUAS and government subsidy providers support the Open Science ambition. Open Science covers more than the open access policy to share publications/research articles; it mainly focuses on the underlying research data. For more information, view the page of NWO subsidy provider about Open Science.
  • With regard to the demands of publishers, it is relevant that The Hague University of Applied Sciences has an open access publication policy in which the copyright law and the Collective Labour Agreement in the area of the copyright of research publications of staff members are followed. 
  • Consortium agreements set out agreements between research collaboration partners on the use, reuse and sharing of research data. Visit the section consortium agreements on this page for additional information. 

The page datamanagement archiving and sharing (section data sharing) explains the different options for sharing research data. 

Data from an external party

The conditions specified by the external party regarding the utilization, accessibility, and distribution of their data apply. Consider these factors and document them in your data management plan.

Ground rules

A number of basic rules apply to researchers dealing with personal data:

  • You do not collect more personal data than you really need for your research.
  • Data subjects have given you permission to collect their data (informed consent).
  • You do not use the personal data for purposes other than those for which you have received permission.
  • You ensure that data subjects can withdraw their consent and that they can easily contact you to do so.
  • You ensure that data subjects can exercise their rights to inspect, correct and delete their personal data and that they can easily contact you for this purpose.
  • You protect your research data containing personal data properly by separating contact information from research data, exercising caution in determining who has access to the repository of your research data, and anonymising your data as soon as possible before analyzing data.

Personal Data

Personal data are any data that directly or indirectly identify a person. It can therefore be name, e-mail address, telephone number, location, IP address, etc., but also combinations of data that can lead to a person. So-called 'special' personal data are also (extra) protected: for example, sensitive data about a person's race, religion, health or sexual orientation, such as passport photos and Citizen's Service Number.

Legal basis

The processing of (sensitive) personal data is only allowed when there is a legal basis for it. For the processing of 'ordinary' personal data, you must be able to rely on 1 of the 6 GDPR principles. The processing of sensitive personal data is prohibited unless you can rely on 1 of the 6 GDPR principles and 1 of the 10 statutory exceptions to the ban on processing sensitive personal data.

Informed consent

You explain to your respondents what your research entails, what their role in the research will be and what the possible consequences of participating are. Then you ask if they agree to participate in your research. This is done on the basis of an informed consent. An informed consent form consists of two parts, the information part and the consent part.

The information part contains all information about the research including all researchers involved and any collaborating organisations. It also explains the reasons and purposes for collecting this data. In addition, the researcher's contact details are provided in case the participant wishes to withdraw his or her consent. It states that he or she has the right to do so without explanation.

In the consent form, you ask the respondent permission for:

  • The collection and processing of his or her data
  • Archiving the data
  • The possible publication of the data (anonymised)
  • Making the data available for reuse by another researcher, if required

Who gives permission?

  • The participant, if over 16 years of age and capable of giving informed consent
  • A parent or guardian, if the participant is under 12 years of age
  • A parent or guardian and the participant, if the participant is between 12 and 16 years of age
  • A representative, if the participant is over 16 years of age but legally incapable

Download here the standard Informed Consent form of The Hague University of Applied Sciences.

Processing of personal data

The GDPR requires The Hague University of Applied Sciences to make a register of all processing of personal data within The Hague University of Applied Sciences. It is therefore mandatory to report any processing of personal data to the Privacy Officer of THUAS. If you have your data processed by a third party, for example if you use an online survey application, draw up a processing agreement. On the Privacy page you will find more information, tools and the procedure for reporting processing operations.

Security measures: pseudonymisation and anonymisation

When working with sensitive data, it is necessary to strengthen the security of this data to avoid disclosing personal data when you want to share your data with others. There are two basic methods: pseudonymisation and anonymisation. The main difference between these two methods is that pseudonymisation can be undone and anonymisation is irreversible. Therefore, according to the GDPR, pseudonymised data must still be treated as personal data.

Pseudonymisation is used when you need the participants' data for reasons other than the analysis itself. For example, it may be useful to obtain additional information about a person later in the research, or to warn someone if there are any medical risks. The National Coordination Point Research Data Management (LCRDM) offers a set of 9 basic steps for pseudonymisation.

Anonymised data are data that no longer relate to individuals at all. In other words, no additional data may be available during anonymisation that would allow someone to link it to a specific person. Not only personal data (directly identifiable elements) must be deleted, but also indirectly identifiable elements. How to anonymise your data can be found on the UK Data Service Anonymisation page and in the Bristol University document Keeping Data Confidential – Anonymising Records.
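The difference between the two methods, and the ground rule of keeping contact information apart from research data, as an added example that is not part of the original page or of any THUAS tooling. The records, field names and key are constructed, and the group-size check on indirect identifiers is an illustration added here rather than a method the page prescribes.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records (not real people).
RECORDS = [
    {"name": "A. Jansen", "email": "a.jansen@example.org",
     "postcode": "2521EN", "birth_year": 1984, "score": 7},
    {"name": "B. de Vries", "email": "b.devries@example.org",
     "postcode": "2521AB", "birth_year": 1987, "score": 4},
    {"name": "C. Bakker", "email": "c.bakker@example.org",
     "postcode": "2595XY", "birth_year": 1962, "score": 9},
]
DIRECT = ("name", "email")  # directly identifying fields


def pseudonymise(records, secret_key):
    """Split records into a key table (contact data) and research rows."""
    key_table, research = {}, []
    for rec in records:
        # Keyed hash: without secret_key nobody can recompute the pseudonym
        # from a guessed e-mail address.
        digest = hmac.new(secret_key, rec["email"].lower().encode(), hashlib.sha256)
        pid = digest.hexdigest()[:12]
        key_table[pid] = {f: rec[f] for f in DIRECT}
        rest = {k: v for k, v in rec.items() if k not in DIRECT}
        research.append({"pid": pid, **rest})
    return key_table, research


def reidentify(pid, key_table):
    """Undo the pseudonymisation; only holders of the key table can do this."""
    return key_table[pid]


def drop_and_generalise(research):
    """Remove the pseudonym and coarsen the indirect identifiers."""
    return [{"postcode_area": r["postcode"][:2],
             "birth_decade": r["birth_year"] // 10 * 10,
             "score": r["score"]} for r in research]


def smallest_group(rows, quasi_identifiers):
    """Size of the rarest combination of indirect identifiers (1 = unique row)."""
    counts = Counter(tuple(r[q] for q in quasi_identifiers) for r in rows)
    return min(counts.values())


if __name__ == "__main__":
    table, data = pseudonymise(RECORDS, b"constructed-demo-key")
    print(reidentify(data[0]["pid"], table))  # reversible: still personal data
    print(smallest_group(data, ("postcode", "birth_year")))
    print(smallest_group(drop_and_generalise(data), ("postcode_area", "birth_decade")))
```

Store the key table and the secret key separately from the research rows and with stricter access. A smallest group of 1 after generalising means at least one participant is still unique on indirect identifiers, so the set cannot yet be treated as anonymised.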

The GDPR test and a DPIA

It is strongly recommended to do a GDPR test at the beginning of your research in consultation with the Privacy Officer of THUAS. This ensures that you are GDPR compliant right from the start of your research and data processing. If necessary, a Data Protection Impact Assessment (DPIA) is carried out. If your research involves any of the following activities, a DPIA is mandatory:

  • Assessing people on the basis of personal characteristics (evaluation or score assignment)
  • Automated decisions having legal effect or similar consequences
  • Systematic monitoring
  • Large-scale data processing
  • Matching or linking data sets
  • Processing of data on vulnerable persons
  • Use of new technologies or solutions
  • The processing of data leads to the blocking of a right, service or contract

Read here how the DPIA process works within THUAS.

More Information

More information on privacy in research and careful handling of personal data:

Consortium Agreement

If you cooperate with other parties in the context of research, a cooperation agreement is highly desirable and sometimes also required (e.g. for grant projects). An agreement clearly sets out the rights and obligations of all parties involved, including the agreements on the research data, intellectual property rights and liability. Contact [email protected] for advice on a consortium agreement.

Medical Research Involving Human Subjects Act

Research involving human subjects must undergo a medical-ethical review if it falls under the Medical Research Involving Human Subjects Act (WMO). Research falls under the WMO if the following two conditions are met:

  • Medical scientific research is involved
  • Persons are subjected to actions or rules of conduct are imposed on them.

Read more about the assessment procedure of the WMO on the website of the Central Committee on Research Involving Human Subjects.

For more information, contact the data stewards of the library.

The Medical Device Regulation (MDR) is a European regulation for medical devices that has been in force since 2021. This legislation ensures the safe use of medical devices.   

A medical device is an article that, either alone or in combination with other articles, is used for medical purposes. The definition of medical devices includes, among other things, devices, software, or materials. Medical purposes are, for example, diagnosing, monitoring, predicting, or treating diseases.

More information about legislation regarding MDR, frameworks, and procedures can be found on the CCMO website.