Before, during and after research project
See what you need to be aware of before, during and after finalising your research project. Use the points below as a checklist.
Before starting a research project
-
First and foremost, you need to take a position on whether your research project processes personal data. If it does, you will be subject to the rules on processing personal data.
If you are processing personal data, you can read more about the different types of personal data. If you are unsure whether you are processing personal data in your research project, you can always contact SDU RIO.
-
A distinction is made between data controllers and data processors. It is important that you know your own role in the processing of personal data because the requirements for controllers and processors are different. Controllers decide alone or together with others for what purposes and with what means personal data may be processed. Processors process personal data on behalf of the controller.
This means that if you are the one who defines why personal data is to be processed (purpose) and how personal data is to be processed (means), SDU will be the data controller. Therefore, you must notify your research project to SDU RIO so that your research project appears in SDU's internal list of research projects. If you are in doubt about data responsibility in your research project, you can always contact SDU RIO.
-
If you process personal data in your research project and SDU is the data controller, the project must be notified to SDU RIO. The lawyers at SDU RIO receive the notification, review it, ask the data controller questions, perform a risk assessment based on the information in the notification form, register the project and provide you with a statement (which includes the requirements for processing personal data and processing security).
In addition to registering projects, the lawyers maintain an overview (inventory) of research projects and research databases. In this way, SDU keeps track of which research projects process personal data. The inventory can be sent to the Danish Data Protection Agency in the event of an inspection.
You should expect a week's processing time from the time you report the project until SDU RIO contacts you.
Please note that projects cannot generally be expected to be approved within a week, as it depends on the complexity of the project (special authorisations, many data subjects, any data processing agreements or other).
-
You must take a position on the purpose and legal basis for processing personal data in your research project. You will also be asked to take a position on this when reporting the research project to SDU RIO.
When you process personal data, you must be aware of the purpose. It is important, for example, whether the personal data will only be processed for research purposes or whether it will also be processed for other purposes (e.g. teaching, administration or other).
Always consider whether the project can be carried out with less personal data or with less intrusive personal data. For example, if name, region and age are sufficient for the purpose of the research project, then according to the principle of data minimisation you should not also process social security numbers, trade union affiliations or other data.
In research contexts, a distinction is primarily made between processing based on consent or processing based on section 10 of the Data Protection Act (research in the public interest). There are advantages and disadvantages to both legal bases, so you should consider them carefully before you start collecting and processing personal data. Read about the two legal bases.
SDU RIO can provide guidance on legal bases.
-
When you collect personal data (e.g. through surveys, interviews, video/audio recordings or similar), you must provide the data subject with certain information and thereby comply with the so-called duty of disclosure.
It is not enough to disclose the content and purpose of the research project; the Data Protection Act also requires you to provide several items of purely legal information. This includes the following: identity and contact details of the data controller, contact details of the data protection officer (DPO), purpose of the processing, legal basis, etc. Read about the obligation to provide information (docx).
If you are in doubt about the duty of disclosure, you can always contact SDU RIO.
-
If your project requires you to exchange collected personal data with colleagues at SDU, other universities, or external companies or organisations, you must clarify whether this is a disclosure and whether a data processing agreement must be drawn up. Otherwise, you must apply to SDU RIO for permission for another colleague to reuse the information for a new project. If you have questions about e.g. disclosure or other forms of collaboration on personal data, you should always contact SDU RIO.
-
SDU's Open Science policy requires that the project's handling of the collected data or created research data must be planned. The form and scope of the planning varies between different research areas, and the specific requirements for planning are defined in the individual departments' Open Science policies. In many cases, it will be a good idea or a requirement to create a formal Data Management Plan.
Your department may work with a specific template, or you can find inspiration at DeiC DMP. If you need specific guidance or sparring about your Data Management Plan, you can contact Research Data Management support.
-
Your research project must be set up in a journal and financial system if:
- an agreement is made with an external party
- you have received an external grant
- SDU is liable for something in connection with your research project.
Ask your department for help if you are in doubt. SDU RIO creates cases for all notified research projects (including those where there is no external grant or collaboration with an external party). You are welcome to use the case number to store project documentation.
You are also recommended to create a folder on e.g. SharePoint to store all relevant project documentation (e.g. Data Management Plan, the text of the duty of disclosure, SDU RIO's approval of the notified research project, etc.)
If you use consent as the legal basis for your processing of personal data, it is particularly important that this is stored in an accessible place, as it is your and SDU's only documentation that you are authorised to process data. It is also relevant in the event that a respondent withdraws their consent.
-
Research projects involving the processing of human biological material must be notified to the scientific ethics committee system. This is particularly relevant for research projects affiliated with the Faculty of Health Sciences.
If your research project is not subject to notification, but you would like an ethical approval of your research project, you can apply to SDU’s Research Ethics Committee (REC) for an ethical approval.
Please note that you must request approval from the committee before you start your research project. The REC has fixed meeting dates and deadlines for applications.
During research projects
-
When collecting, storing and analysing research data, it is important that these are stored on SDU's approved systems for the individual purposes. In your daily processing of data, you must ensure that unauthorised persons do not gain access to data. This applies internally at SDU (offices, meeting rooms, etc.) as well as at external locations (home office, public transport, conference rooms, etc.).
SDU has the following approved solutions for storing and processing research data: OneDrive, SharePoint, Nextcloud, S4 and Ucloud. If, during your research project, you wish to use a different storage solution or a system for transcription, translation or other purposes, you must always ensure that it is an approved system at SDU. You do this by contacting RDM-support, so that SDU RIO can check whether a data processing agreement has been entered into and SDU IT can check whether a licence has been taken out, if one is required.
-
If there are changes to the project along the way, you need to update your Data Management Plan.
You must also update your notification to SDU RIO if you have started using a new data processor, collected new types of information, expanded the number of participants, etc. since the first notification. You do this via a change request. You are encouraged to keep the updated Data Management Plan, approved change requests or other relevant documentation that arises during the research project in the same place as your other project documentation.
Find the Data Management Plan template
-
During the course of the research project, unintentional incidents may occur in the processing of information and thus also personal data.
Examples of unintentional incidents:
- Unauthorised access to the personal data included in the research project.
- The power has gone out to a freezer containing biological material or something else.
Such incidents are considered security incidents and should be registered as security breaches. If you are unsure whether a security incident has occurred, you can always contact your local information security coordinator.
Completion of research project
-
In connection with publication, you may find that you need to take a position on whether your research project has processed personal data in accordance with the rules. In such cases, you can use a standard passage, prepared by SDU RIO.
Please also note that the publication of research data containing personal data can only be done with the explicit and informed consent of the data subjects. If you need to publish research articles containing personal data, please contact SDU RIO for guidance. You may consider whether it makes sense to publish metadata for the project data without publishing the data itself. In this way, data is made searchable and you have the opportunity to make other researchers aware that data exists. If you need guidance on this, please contact RDM-support.
When conducting peer review of other researchers' articles, you should pay special attention if the material contains personal data. These must be stored and processed securely and must always be deleted after the review has been completed. SDU recommends Nextcloud in this regard.
-
At the end of the research project, you should revisit your Data Management Plan. In particular, check the end date and what will happen to the data at the end of the project - for example, will the data be deleted, transferred to the National Archives or anonymised?
If data is to be anonymised, it is important that it is anonymised in the sense of data protection law. Read more about pseudonymisation, de-identification and anonymisation of data.
If you are in doubt whether data is anonymised in the sense of data protection law, you can get guidance from SDU RIO.
-
In March 2018, the executive board adopted an Open Science Policy at SDU. The policy includes Data Management Plans, open research data and Open Access to scientific publications. Sharing research data is central to Open Science, and thus also the Open Science policy, and aims to benefit other researchers, society and contribute to making research transparent.
Anonymised data can be made available to other researchers, for example in a data repository. Please note that data where CPR numbers have been removed or encrypted is not considered anonymised in the sense of data protection law and therefore cannot be published.
-
Normally, you will be authorised to store the personal data for 5 years after the end of the project so that you can document your results afterwards. The five-year period follows the recommendation in the Danish Code of Conduct for Research Integrity. The fact that you are allowed to store the data does not mean that you can actively use the data (e.g. for new research) during the storage period. SDU RIO will contact you 3 months and again 1 month before the 5 years have expired. After that, the personal data will be deleted unless it has been handed over to the Danish National Archives or anonymised beforehand.
If you wish to reuse the personal data in a new project, you must notify SDU RIO of the new project and obtain authorisation to reuse the personal data processed at an earlier time.
Do you have any questions?
The GDPR and Information Security Coordinators are your local contact and advisor for day-to-day data protection and information security at SDU.