A privacy officer will have many conversations with researchers about how they handle personal data within their research. Such a conversation might go as follows:

Researcher: “As part of a conference I’m organising about my research, I would like to take pictures of the visitors and conduct some interviews. Is that allowed under the GDPR?”

Privacy officer: “Yes, that’s not a problem, as long as the visitors can say whether they want to be photographed or not. And that they know where and when the interviews will be published, so they can give you permission via a consent form for this.”

Researcher: “Yes, all right, I had already received such a form from a colleague. I’m not yet sure how long I want to store the interviews, since they might come in use in a few years’ time as well.”

Privacy officer: “Hmm, that’s going to be tricky, because perhaps then the conference participants won’t want to take part in the interviews anymore.”

Researcher: “But... why would they not want to participate anymore? After all, I’m asking them for permission in advance, aren’t I?”

Check boxes?

The above conversation shows that while the researcher is aware that a consent form is required for obtaining permission, the researcher has not given further thought to the retention possibilities and the retention period of the data. After all, in a few years’ time the participants may think very differently than they did at the time of the interview. And maybe, in a few years’ time, they will look very different than they did in the pictures taken at the conference.

Another relevant example is the storage of personal data by restaurants during the Covid-19 pandemic. At several restaurants, personal data were not only retained for possible contact tracing, but visitors were subsequently confronted with marketing messages from these eateries. In other words, these restaurants dutifully fulfilled the obligation to keep records of all their guests, but afterwards they used the data for purposes other than those communicated to the guests in advance.

The above examples show that both the researcher and the restaurant owner see personal data protection primarily as a series of ‘check boxes’, where a few actions ensure that their practices are GDPR-compliant. Performing a DPIA, preparing a consent form, and pseudonymising personal data are the most common actions taken by researchers to ensure compliance with the GDPR. But the reason for performing these actions is often less well known.


 

The seven Article 5 principles

All actions to protect personal data originate from the seven principles described in Article 5 of the GDPR. We therefore refer to these principles as the ‘Article 5 principles’. These principles give a general indication of the actions to be taken to protect personal data; this is what makes the GDPR a normative rather than a descriptive law.

The GDPR only provides the framework – the researchers must fill in these frameworks themselves with the necessary technical and organisational measures within the context of the research. Therefore, the measures required within a particular research project may differ greatly from those required in another project. But the principles underlying both sets of measures are always the same.

So what exactly do these seven principles entail? Below you can read about all the principles, with a brief example for each principle to demonstrate how it works:

The 'Article 5 Principles'


The '1972 Principles'

The Article 5 principles form the basis of the GDPR. And not just of the GDPR; indeed, these principles were being applied from as early as the Privacy and Recording of Personal Data report of 1972 (pages 103 and 104). However, these principles were then somewhat hidden away in Article 44, which indicates when a permit for a recording system can be denied. But the similarities are striking:

a. If the purpose or expected efficacy of the recording system is contrary to law, public order, or morality [compare with the lawfulness and fairness principle]

b. If the regulations are not in accordance with the requirements imposed by law or a general order in council [compare with the lawfulness principle]

c. If insufficient measures have been taken to prevent the data to be recorded from falling into the wrong hands [compare with the integrity and confidentiality principle]

d. and e. If there are insufficient safeguards for ensuring the accuracy of the data to be recorded and provided [compare with the accuracy principle]

f. If, in accordance with the regulations, the personal data present in the recording system are not relevant enough in relation to the purpose of the recording system [compare with purpose limitation and data minimisation principles]

h. If the rights of the registered persons relating to inspection, access and rectification are more limited than is necessary from the point of view of the detection of criminal offences or proper taxation [compare with the accuracy principle]

Knowledge of these principles will ensure that a researcher is fully committed to protecting the privacy rights of the participants and advocates this in the research project. They will realise that defining measures for the proper protection of personal data is not only a must, but also that following these principles will be accompanied by significant benefits for themselves as well as for the data subjects, as outlined below:

  • Protection of personal data, thereby safeguarding the fundamental right to privacy of research participants
  • Being a demonstrably reliable research partner for research participants and other research institutes
  • Limiting liability for the institution
  • Preventing reputational damage for the researcher, the research, and the institution.
  • Conducting research in accordance with applicable laws and regulations
  • Being able to meet the requirements of external funders (contract funding)
  • Having a proper understanding of the nature of the processed personal data and the de-identification measures applied makes it easier to assess whether these data can be shared for research purposes in accordance with the FAIR principles or Open Data principles

These benefits are also visualised on a Privacy Reference Card (source: Domingus, M. (2016). A Researcher’s Privacy Reference Card. Why?).