Personal rights issues
Personal data is frequently processed in research, particularly in medical or psychological studies. Additionally, the humanities, social sciences, and numerous other scientific disciplines also handle personal data, such as during the conduct of biographical interviews or surveys.
When processing personal data, adherence to data protection regulations is imperative, as the following principle generally applies, even for researchers.
Anyone who processes personal data is subject to data protection law.
The following presents some important aspects of data protection in the research context and points to further sources of information on the topic.
Personal Data is data, information or statements referring to a specific person or a person identifiable by means of the information. Examples for personal data are: name, date of birth, gender, (e-mail) address, AHV number, matriculation number, bank details, photography of a person, genetic data, characteristics that characterise a person (e.g. only woman in the team), license plates, etc.
The data protection law also defines special personal data where particular care is required.Special personal data are personal data for which there is a particular risk of personal injury due to their informative value, the way in which they are processed or because they are suitable for creating a profile of the data subject. Further special data are data on children, persons incapable of making judgements, and other particularly vulnerable persons, such as refugees, members of an ethnic minority, disabled people, homosexuals, elderly people etc. Examples for special personal data: religious, ideological, political or trade union views or activities, data on health, genetic background, personal privacy, ethnic origin, biometric data, information on social security measures, administrative or criminal prosecutions and sanctions.
The term sensitive data is often used in connection with the data protection law. However, this term is ambigous and not legally defined. Sometimes it is used synonymously with the special categories of personal data, in other cases the term includes not only personal data, but also data that is sensitive for other reasons, such as business information or secret information such as government secrets.
Data processing is any operation which is performed on data whether or not by automated processes, that means everything you can do with data, regardless of the technology, regardless of the medium (paper, digital, ...), regardless of the duration (fleeting, forever, etc.). Examples of data processing are collecting, storing, preserving, using, reworking, disclosing (granting access, forwarding or publishing), archiving or destroying data, etc.
In addition to the Federal Act on Data Protection (FADP) and the Ordinance to the FADP, each canton in Switzerland has its own data protection act. This can be confusing, especially since research often takes place across cantonal borders. In such a case it has to be clarified which legal basis applies and we recommend seeking legal advice from the Data Protection Officer. The following is a brief overview of the applicability of data protection laws in Switzerland.
If research is carried out ...
- ... exclusively at one Swiss university, the regulation in cantonal law is applicable, since it applies to processing data by public bodies and municipalities of the cantons. For the canton of Basel-Stadt this is the Law on Information and Data Protection and the Ordinance to the Law on Information and Data Protection : Informations- und Datenschutzgesetz Basel-Stadt und Informations- und Datenschutzverordnung Basel-Stadt
- ... by private individuals, the Regulation in the Federal Act on Data Protection (FADP) and the Ordinance to the FADP apply.
- ... at a federal institution (e.g. ETH), the Regulation in the Federal Act on Data Protection (FADP) and the Ordinance to the FADP apply.
- ... at more than one university or if the data is processed in more than one canton (e.g. data collection takes place in several cantons), several cantonal data protection laws can apply.
- ... internationally and at Swiss universities, several data protection laws could apply, e.g. the EU General Data Protection Regulation (GDPR) when processing personal data of EU individuals based in the EU or in the European Economic Area (EEA). When conducting research internationally, it is recommended to seek advice from the Data Protection Officer of the University.
Research with personal data at a public institution such as a university is possible if certain conditions are met and the necessary precautions are taken (see below). The following is a summary of the principles and requirements for processing personal data at the University of Basel, that are regulated in the sections IDG/BS § 9, 4, 12, 11, 8, 15.
- Lawfulness: The processing of personal data must be based on a legal basis. The University statutes (§ 1.) assign the University of Basel the task of conducting research and, consequently, processing personal data.
- Transparency: Data subjects must be adequately informed about data processing so that they can understand what is done with their data and for what purpose (see informed consent). The data subjects also have the right at any time and without giving reasons to request information about their data.
- Purpose: Data processing must always be carried out for a specific purpose
- Appropriateness/adequacy: Data processing must be necessary for the intended purpose and reasonable in relation to the infringement of privacy.
- Integrity: Whoever processes personal data must ensure that the data is correct.
- Perceptibility of data processing: It must be recognisable for the data subject that personal data relating to him or her are collected and processed.
- Data security: The data processing must comply with technical and organizational security requirements.
According to the principle of proportionality and data economy personal data have to be anonymised or pseudonymised as soon as the processing purpose permits. (Personal data may only be processed with the consent of the person concerned - see below).
Anonymisation means that the reference to a person is irreversibly (= definitively) removed in such a way that it is no longer possible to draw conclusions about persons without disproportionate effort. Anonymised data are no longer regarded as personal data.
Pseudonymisation refers to the removal of personal references, whereby a specific key (i.e. a table with the translation pseudonym to person) is retained for the re-personalisation of the information. If data is pseudonymised, the conditions under which a person may be identified and how the key is stored must be regulated (key management). Unlike anonymised data, pseudonymised data remain personal data.
The so-called "research privilege"1 makes it possible to use personal data collected in a previous research project or provided by a public body if it is anonymised or pseudonymised. No further justification (such as consent) is then necessary for data processing without personal reference. Data protection law privileges non-personal processing of personal data because of the public interest in research and the assumption that the risk of personal injury is low.
Please note: The general principles of data protection must always be observed for the prior collection/processing of data (those relating to individuals)!
Anonymised data is no longer subject to the data protection law. For example, you no longer need consent to process anonymized data. However, caution is required here, as absolute anonymisation often cannot be implemented in practice.
For example, indirect identification by means of additional knowledge through a combination of data sources facilitated by technical progress can now hardly be ruled out.
_________________
1 This refers to IDG/BS, § 10 | FADP, Art. 31 and 39 | EU-GDPR, Art. 89
Helpful Links:
- Ebel, Thomas und Meyermann, Alexia (2015) Hinweise zur Anonymisierung von quantitativen Daten. forschungsdaten bildung informiert, Nr. 3. (German)
- Meyermann, Alexia und Porzelt, Maike (2014) Hinweise zur Anonymisierung von qualitativen Daten. forschungsdaten bildung informiert, Nr. 1. (German)
- FORS guide on quantitative data anonymization
- FORS guide on qualitative data anonymization
Informed consent from the data subject is required for specific processing relating to the individual person, which is typically the case in research.
Informed consent is the linchpin that makes it possible to work with personal data. With informed consent you have a good starting point to do current and future research. If you take care here, you can avoid many difficulties with regard to sharing and re-using data. It is therefore advisable to attach particular importance to completeness and good wording. Legal advice is recommended, since requirements for informed consent may differ depending on the applicable laws for research (e.g. Federal Act on Research involving Human Beings, HRA).
Some typical, but not final, elements for informed consent are…
- clear recognizability as such
- clear and comprehensible language so that the data subject understands it
- declaration of type and scope of the processed data and of the data processing
- reference to the intended use in question (refer to research goals)
- declaration of possible disclosure of the data to third parties
- listing of the rights of the data subject (e.g. cancellation, access and opposition)
- timely collection of the consent, i.e. prior to data collection
- declare voluntariness; the data subject must not suffer any disadvantages as a result of refusing consent.
An exception to consent may exist if data was collected anonymously from the outset.
Sensitive data must in particular be protected against unauthorized access. The IT services of the University of Basel recommend using the university's managed servers and exercising additional caution, for example through access control and encryption. For more information, see the following IT Services website: Data security.
The use of the University's server offers the following advantages:
- Back-up
- Basic access protection via individual/group authorizations
- Firewall between internal network and the internet
A residual risk of unauthorized access cannot be ruled out; for this reason, IT services recommend additional encryption of sensitive data. Also, if you are using your private computer, it is recommended to encrypt this or at least the sensitive data on it.
Encryption is the process by which a clearly readable text (plain text) or other information is converted into a not easily interpretable character string (ciphertext) by means of an encryption procedure (cryptosystem). One or more keys (=codes) are used as crucial parameters for encryption.
If you work with highly sensitive data, you should seek advice from IT Services or sciCORE so that an optimal solution can be found for your data also during your active research. SciCORE provides sciCore+ a secure infrastructure for highly sensitive data, in particular for biomedical research and clinical bioinformatics.
Dealing with personal data in research : recommendations for research projects at the University of Basel and affiliated institutions
The data stewards of the University of Basel and other members of the Research Data Management Network have created a checklist for working with personal data. The purpose of the checklist is to provide researchers from different disciplines at the University of Basel and affiliated institutions with guidance on the handling of personal data in the context of research data management. The checklist has been published in January 2024 and will be updated regularly as legal requirements, funding agencies, infrastructure and tools may change.
Use Cases on working with personal data in qualitative research
These use cases are intended as an aid for researchers. The information in the text is not legally binding. If you have any questions about data protection, copyright and other legal aspects, please contact the relevant departments at your university.
The use cases were developed in collaboration between the Open Science teams of the University Libraries of Basel and Bern and the data protection officer of the University of Basel following a workshop on data protection and anonymisation of qualitative research data. Persons involved were: Silke Bellanger, Christina Besmer, Danielle Kaufmann, Iris Lindenmann, Jennifer Morger, Gero Schreier.
These use cases are available in line with CC BY-SA 4.0.
The use cases were first written in German and later translated to English.