The following list can be used as a checklist before starting a research project:
1. Do you process personal information?
2. Determine data responsibility
3. Notification to SDU RIO
4. Purpose of the processing of personal information and legal basis
5. Duty to inform and whether data should be shared with others (e.g. third parties)
6. Prepare Data Management Plan
7. Store all relevant project information (record-keeping obligation)
8. SDU’s Research Ethics Committee (only if relevant)
You must first and foremost consider whether personal information is processed in your research project. If it is, you will be subject to rules on the processing of personal data.
If you process personal data, you can read more about the different types of personal data here.
If you are in doubt as to whether you process personal information in your research project, you can always contact SDU RIO.
A distinction is made between data controllers and data processors. It is important that you know your own role in the processing of personal data, because the requirements for data controllers and data processors are different. Data controllers decide, alone or with others, for what purposes and by what means personal data is processed. Data processors process personal data on behalf of the data controller.
This means that if you are the one who defines why personal information will be processed (the purpose) and how personal information will be processed (the tools), SDU will be the data controller. You must therefore notify SDU RIO of your research project, so that it appears on SDU’s internal list of research projects.
If you are in doubt about data responsibility in your research project, you can always contact SDU RIO.
If you process personal data in your research project, and SDU is the data controller, the project must be notified to SDU RIO. The legal advisers at SDU RIO will receive the notification, review it, put questions to the project manager, make a risk assessment based on the information in the notification form, register the project and give you an opinion (which includes the requirements for processing personal information and the security of processing).
In addition to registering the projects, the legal advisers maintain an overview (list) of research projects and research databases. In this way, SDU is in control of which research projects are processing personal information. The list can be sent to the Danish Data Protection Agency in case of a possible inspection.
You should expect approximately one week for case processing from the time you notify the project until SDU RIO contacts you. Please note that, generally, you cannot expect projects to be approved within a week as it depends on the complexity of the project (special authorisations, many data subjects, any data processing agreements, etc.).
You must consider for what purpose and on what legal basis you want to process personal information in your research project (you will also be asked to consider this when notifying the research project to SDU RIO).
When processing personal information, you must be aware of the purpose. It is essential, for instance, whether the personal information is to be processed for research purposes only, or whether it is also to be processed for other purposes (e.g. teaching, administration, etc.). In addition, always assess whether the project can be carried out with less personal data or with less intrusive personal data. If name, region and age, for example, are sufficient for the purpose of the research project, you should not also process civil registration numbers, trade union affiliations, etc., cf. the principle of data minimisation.
In research contexts, a distinction is primarily made between processing on the basis of consent or processing on the basis of section 10 of the Danish Data Protection Act (research in the public interest). There are pros and cons to both legal bases, and you should therefore consider them carefully before you start collecting and processing personal data. You can read more about the two legal bases here.
SDU RIO can provide guidance on legal basis.
When you collect personal information (e.g. through questionnaire surveys, interviews, video/audio recordings or the like), you must provide the data subject with different kinds of information – and comply with the so-called duty to inform.
It is not sufficient to disclose the content and purpose of the research project; the Data Protection Act also requires you to give information of a purely legal nature. This includes the following: identity and contact information of the data controller, contact information of the data protection officer (DPO), the purpose of the processing, the legal basis, etc. You can read more about the duty to inform here.
If you are in doubt about the duty to inform, you can always contact SDU RIO.
SDU’s Open Science Policy requires that the project’s handling of the collected or created research data must be planned. The form and scope of the planning vary between different research areas, and the specific requirements for the planning are determined in the individual departments’ Open Science policies. In many cases, it would be a good idea or a requirement to make a formal Data Management Plan.
Your department may be working with a specific template, and otherwise you can find inspiration at DMP online.
If you need specific guidance or feedback on your Data Management Plan, you can contact the Research Data Management Support.
Your research project must be created in a record-keeping and financial management system if:
- An agreement is entered into with an external party
- You have received an external grant
- SDU is responsible for something in connection with your research project
If in doubt, ask your department for help. SDU RIO creates Acadre cases for all notified research projects (including those without an external grant or collaboration with an external party). You are welcome to use this Acadre case number for storing project documentation.
You are also recommended to create a folder in e.g. SharePoint for storage of all relevant project documentation (e.g. the Data Management Plan, the text for the duty to inform, RIO’s approval of the notified research project, etc.). If you use consent as a legal basis for your processing of personal data, it is particularly important that the declarations of consent are stored in an accessible place as this is your and SDU’s only documentation that you have permission to process information. It is also relevant in the event that a respondent withdraws his or her consent.