Legal and ethical issues

! On this page you will find information and contact points on relevant legal and ethical topics. Please note that the information in the following is not legally binding, it should serve as an overview and provide you with guidance.

Legal issues can arise in every phase of a research project. The data protection and intellectual property rights regulations are of particular relevance here. Sensitive data projects, especially those involving humans, may also be subject to an assessment by an ethics committee. This applies commonly to projects in medical or psychological research, but also in research projects in the humanities and social sciences.

Taking into account the legal aspects in the planning phase, appropriate clarifications and measures can be taken at an early stage and any additional costs incurred can be budgeted in the project application.


Personal rights issues

shield icon

In research, data relating to persons are often used, for example in medical or psychological research, when test persons test products or when examination values of patients are evaluated. We also deal with personal data in particular in the humanities and social sciences, for example when working on biographies or conducting empirical studies. 
If this is the case, data protection regulations must be adhered to, because in general, the following principle applies:

"Anyone who processes personal data is subject to data protection law."

This principle also applies to researchers. But what exactly is personal data and what does the term data processing cover?

Definitions

Personal Data is data, information or statements referring to a specific person or a person identifiable by means of the information. Examples for personal data are: name, date of birth, gender, (e-mail) address, AHV number, matriculation number, bank details, photography of a person, genetic data, characteristics that characterise a person (e.g. only woman in the team), license plates, etc.

The data protection law also defines special categories of personal data where particular care is required.Special categories of personal data are personal data for which there is a particular risk of personal injury due to their informative value, the way in which they are processed or because they are suitable for creating a profile of the data subject. Further sensitive data are data on children, persons incapable of making judgements, and other particularly vulnerable persons, such as refugees, members of an ethnic minority, disabled people, homosexuals, elderly people etc. Examples for such data: religious, philosophical, political or trade union views or activities, data on health, privacy or racial origin, genetic and biometric data, information on social assistance measures, administrative or criminal prosecutions and sanctions.

The term sensitive data is often used in connection with the data protection law. However, this term is ambigous and not legally defined. Sometimes it is used synonymously with the special categories of personal data, in other cases the term includes not only personal data, but also data that is sensitive for other reasons, such as business information or secret information such as government secrets.

Data processing is any operation which is performed on data whether or not by automated, that means everything you can do with data, regardless of the technology, regardless of the medium (paper, digital, ...), regardless of the duration (fleeting, forever, etc.).  Examples of data processing are collecting, storing, preserving, using, reworking, disclosing (granting access, forwarding or publishing), archiving or destroying data, etc.

Data protection law in Switzerland

In addition to the Federal Act on Data Protection, each canton in Switzerland has its own data protection act. This can be confusing, especially since research often takes place across borders. In such a case it has to be clarified which legal basis applies and we recommend seeking legal advice from the Data Protection Officer. The following is a brief overview of the applicability of data protection laws in Switzerland.

If research is carried out ...

  • ... exclusively at one swiss university, the regulation in cantonal law is applicable, since it applies to processing data by public bodies of the cantons and municipalities. For Basel this is the law on information and data protection: Informations- und Datenschutzgesetz Basel-Stadt.
  • ... by private individuals, the Regulation in the Federal Act on Data Protection (FADP) and the Ordinance to the FADP apply.
  • ... at a federal institution (e.g. ETH), the Regulation in the Federal Act on Data Protection (FADP) and the Ordinance to the FADP apply.
  • ... at more then one universityor the data is processed in more than one canton (e.g. data collection takes place in several cantons), several cantonal data protection laws apply. In general: The data protection law of the canton in which the processing appears is applicable (e.g. collect, store, revision, disclose), so more than one cantonal data protection law can apply.
  • internationally, the cantonal law is applicable when data processing take place in the respective canton or the Swiss law in case of private research or research at a federal institution. In addition, the data protection law at the foreign research location is also applicable. If you process personal data of EU individuals or monitor the online behavior of users based in the EU, the General Data Protection Regulation (GDPR) is applicable.

On the right you find links to the relevant data protection laws as well as a link to fact sheets with more detailed information on the legal basis (only available in German).

What to be aware of ...

Research with personal data is possible if the certain conditions are met and the necessary precautions are taken (see below). The following is a summary of the conditions for processing of personal data, that are exactly regulated in the sections FADP Art. 4 , 5 | IDG/BS §9, 4, 11, 12, 15 | EU-GDPR, Art. 5, 6.

  • Lawfulness: either on the basis of a legal regulation and/or with the consent of the data subject or due to an overriding legitimate interest of the processing person.
  • Purpose: Data processing must always be carried out for a specific purpose
  • appropriateness/adequacy: Data processing must be necessary for the intended purpose and reasonable in relation to the infringement of privacy.
  • Integrity: Whoever processes personal data must ensure that the data is correct.
  • Perceptibility of data processing: It must be recognisable for the data subject that personal data relating to him or her are collected and processed.
  • Transparency: Data subjects must be adequately informed about data processing so that they can understand what is done with their data and for what purpose (see informed consent). The data subjects also have the right at any time and without giving reasons to request information about their data.
  • Data security: The data processing must comply with technical and organizational security requirements.

The processing of personal data for public research is subject to these general rules. Public research with personal questions is permitted without special basis, if ...

  • the research question is not personal,
  • the data is anonymised or pseudonymised as soon as the research purpose permits, and
  • a publication does not allow conclusions to be drawn about data subjects.
icon anonymous

According to the principle of proportionality and data economy personal data have to be anonymised or pseudonymised as soon as the processing purpose permits. (Personal data may only be processed with the consent of the person concerned - see below).

Anonymisation means that the reference to a person is irreversibly (= definitively) removed in such a way that it is no longer possible to draw conclusions about persons without disproportionate effort. Anonymised data are no longer regarded as personal data.

Pseudonymisation refers to the removal of personal references, whereby a specific key (i.e. a table with the translation pseudonym to person) is retained for the re-personalisation of the information. If data is pseudonymised, the conditions under which a person may be identified and how the key is stored must be regulated (key management). Unlike anonymised data, pseudonymised data remain personal data.

The so-called "research privilege"1 makes it possible to use personal data collected in a previous research project or provided by a public body if it is anonymised or pseudonymised. No further justification (such as consent) is then necessary for data processing without personal reference.
Data protection law privileges non-personal processing of personal data because of the public interest in research and the assumption that the risk of personal injury is low.
Please note: The general principles of data protection must always be observed for the prior collection/processing of data (those relating to individuals)!

Completely anonymous data is no longer subject to the data protection law. For example, you no longer need consent to process anonymous data. However, caution is required here, as absolute anonymisation often cannot be implemented in practice.
For example, indirect identification by means of additional knowledge through a combination of data sources facilitated by technical progress can now hardly be ruled out.
_________________

1 This refers to FADP, Art. 22 and 13 | IDG/BS §10 | EU-GDPR, Art. 89

For concrete data processing, the consent of the persons concerned is additionally required, stating the concrete purpose. A consent serves purposes, such as the provision of information (principle of transparency) to the data subjects.

Informed consent is the linchpin that makes it possible to work with personal data. With informed consent you have a good starting point to do current and future research. If you take care here, you can avoid many difficulties with regard to sharing and re-using data. It is therefore advisable to attach particular importance to completeness and good wording and possibly to seek legal advice. 

The declaration of consent must …

  • be clearly recognizable as such
  • be expressed in a clear and comprehensible manner so that the data subject understands it
  • contain type and scope of the processed data and of the data processing
  • contain a reference to the intended use in question (refer to research goals)
  • clarify any possible disclosure of the data to third parties
  • list the rights of the data subject to cancellation, access and opposition
  • be obtained prior to data collection
  • be voluntary; the data subject must not suffer any disadvantages as a result of refusing consent.

Whether consent is mandatory or, if necessary, supplementary to a legal basis or sufficient as a justification depends on the applicable data protection law. The applicable law also determines whether consent can be given orally or written.

 

Sensitive data must in particular be protected against unauthorized access. The IT services of the University of Basel recommend using the university's managed servers and exercising additional caution, for example through access control and encryption. For more information, see the following IT Services website:Datensicherheit.

The use of the University's server offers the following advantages:

  • Back-up
  • Basic access protection via individual/group authorizations
  • Firewall between internal network and the internet

A residual risk of unauthorized access cannot be ruled out; for this reason, IT services recommend additional encryption of sensitive data. Also, if you are using your private computer, it is recommended to encrypt this or at least the sensitive data on it.

Encryption is the process by which a clearly readable text (plain text) or other information is converted into a not easily interpretable character string (ciphertext) by means of an encryption procedure (cryptosystem). One or more keys (=codes) are used as crucial parameters for encryption.

If you work with highly sensitive data, you should seek advice from IT Services or sciCORE so that an optimal solution can be found for your data also during your active research. SciCORE provides a secure infrastructure for highly sensitive data, in particular from biomedical research and clinical bioinformatics (more information).



Intellectual Property Rights

This section deals in particular with Swiss copyright law and related topics such as licenses, patents and plagiarism. Copyright law and the related issues play a role in research in two aspects:

  • When re-using data that is or has been protected by copyright,
  • When your own research work is protected by copyright.

Copyright

The Federal Act on Copyright and Related Rights (Copyright Act, CopA) regulates that works which are intellectual creations, are perceptible to the senses and have a certain amount of individuality are protected by copyright (CopA Art 2).

Definition of "work"

A work is only protected by copyright when all of the  following three conditions are fulfilled:

The work must ...

  •  be an intellectual creation, that means that it must be created by a human being
  •  have an individual character.
  • be expressed in one form or the other

This definition is elaborated with a list of examples of everything that can be considered as a protected work (Art. 2, 2-4): "literary, scientific and other linguistic works; musical works and other acoustic works; works of art, in particular paintings, sculptures and graphic works; works with scientific or technical content such as drawings, plans, maps or three-dimensional representations; works of architecture; works of applied art; photographic, cinematographic and other visual or audio-visual works; choreographic works and works of mime. Computer programs are also works. Drafts, titles and parts of works, insofar as they are intellectual creations with an individual character, are also protected."

Research data cannot necessarily be considered to be copyrighted works. For example, if data are collected systematically, they are not the result of intellectual creation and do not have an individual character.
For example, in a survey, the survey questionnaire may be protected by copyright because a person has considered the questions and answer options needed to collect the data for his research.
However, the data collected through the survey are not works of intellectual creation and therefore do not fall under copyright law.

Rights of the author

Copyright means that the author(s) have the right to acknowledge authorship. Furthermore, he/she has the right to determine ...

  • whether, when, how and under which copyright designation the own work is to be first published.
  • whether, when and how the work will be used.
  • whether, when and how the work may be changed;
  • whether, when and how the work may be used to create a second-hand work or included in a collective work.

The author may oppose any distortion of the work that violates his or her personality. Existing works may be parodied and published works quoted if the quotation serves as an explanation, reference or illustration and the scope of the quotation is justified by this purpose and the quotation is designated as such and the source.

Term of protection

A work is protected by copyright as soon as it is created. This protection generally expires 70 years after the death of the author of the work. Computer programs are excluded, here the term of protection is only 50 years after the death of the author. If the author of a work is unknown, respectively the author cannot be found with reasonable effort, the protection of the work expires 70 years after its publication. However, this assumption may not be made lightly.

Authors may grant other persons the rights to use their works, without assigning their copyrights. Authors give their consent that their work may be used in a certain way and clarify in the license agreement the conditions for the use of their work.

Licenses are very important for the reusability of research data. Others can only use published data if they know under which conditions they are allowed to use it.

For research data and its metadata, the use of Creative Commons licenses (CC licenses) is very common. Creative Commons are various standard license agreements with which authors can determine how other people may use, distribute and edit their work by marking it with simple icons. The licenses are applicable to any copyrighted work and are not tailored to specific types of work.

 For software the use of CC licenses is unusual. There are a lot of own licenses for free and open source software (FOSS), that can be used by programmers to license the usage rights to their computer programs and to make the editable source code accessible. CC Digital Law has compiled extensive information about FOSS licenses.

Sometimes research results can satisfy an economically significant customer need.  They can form the basis for the development of a new product that will find a market. This applies in particular to research results from Faculties of Medicine, Psychology and Science and can be new technologies, newly discovered or newly manufactured substances, or any refinement or novel application of an existing product.

A patent is an industrial property right for a technical invention. The owner of a patent is entitled to prohibit others from using the invention. It grants him the exclusive right to make, use or sell an invention. The term of protection is generally 20 years.
Inventions must meet certain conditions in order to be patented. They must be new, not obvious and useful. Scientific theories without a specific application are not patentable. Before a patent application is filed, the invention may not be disclosed through publication or presentation.
Companies often try to gain a competitive advantage by applying for a patent for products and processes that lead to a technical, economic or marketing advantage. This is because the patent protects their development from imitation by competing companies. In particular, inventions that require high investments for their economic implementation are only of interest to industrial partners if they are protected by a patent.

For more information on the topic and services, please visit the unitectra website.

The term plagiarism refers to the assumption of a third party's intellectual achievement, such as the output of third party texts or ideas as one's own. Plagiarism violates the law; in particular, not marking quotations is a violation of copyright. In any case, however, it violates good scientific practice and according to the student regulations of the University of Basel (§ 11,e), plagiarism is a disciplinary error.

If research data are re-used, they must be quoted in the same way as publications. The following citation is common: Author, Data Set Title, Repository, Version, Persistent Identifier.

 


Research Ethics

Research interests may conflict with compliance, with generally accepted standards and values. Questions about the responsibility and accountability of research and its possible effects on society or individuals are central. Some funders therefore require the consent of an ethics committee when ethically relevant research questions are at stake.

Ethical aspects are particularly relevant in certain fields of research, e.g. ...

  • Human experiments with test persons
  • Stem cell research
  • Genetic engineering
  • Research for armament purposes
  • Resource consumption by research
  • Data protection
  • Animal testing

There are 3 commissions which are responsible for the University of Basel to examine research projects for their ethical justifiability. The commissions have different priorities, see below. The ethics committees work together in the sense that they, if they are not responsible, pass on a project to the relevant committee.

Research on humans is indispensable for medical and scientific progress. However, such investigations are only ethically justifiable if the inviolability of the human dignity of the persons involved is guaranteed.

It is the task of the Ethics Commission of Northwestern and Central Switzerland (EKNZ) to assess the compatibility of individual research projects with the applicable national and international guidelines for research investigations on humans and to prevent the implementation of ethically unacceptable projects. The protection and rights of the study participants always have the highest priority.

The Ethics Committee of the Faculty of Psychology reviews and evaluates planned research projects in the field of psychological research at the Faculty of Psychology for ethical harmlessness with the aim of ensuring the protection of the study participants and the balance between the risks and benefits of the research investigations. Research projects which are evaluated by the cantonal ethics committees in accordance with the Human Research Act are exempt from this requirement.

The Ethics Commission of the University is a permanent expert committee of the Regenz, that is currently being established. It gives advice on questions about ethically relevant research if it's not governed by the Human Research Act.