Go to content (click on Intro)
UdG Home UdG Home
Close
Menu

Data protection

Research and data protection

Ethics and data protection

Guidelines on research and the processing of personal data

Many research projects require the processing of personal data, in both in the conception and implementation of the project, and the rights of individuals with regard to data processing must be guaranteed, as indicated in the regulations governing this fundamental right.

In all cases, whenever possible, and whenever it does not hinder the proper implementation of the project, it is preferable to process anonymised, or at least, pseudonymised, data from the outset.

Can personal data be processed in research projects?

Yes, as long as the requirements of data protection regulations are met.Research is an activity of interest to society, and should be encouraged, but it must be carried out in a way that respects the rights of individuals.Article 5 of the General Data Protection Regulation (GDPR) indicates that research purposes are compatible with the processing of personal data, which is important when considering the use of existing data (not obtained directly from the data subject).Article 89 of the GDPR regulates the processing of personal data for scientific research purposes, and establishes a number of safeguards.

If tests on personal data are to be carried out before the start of the work, these tests must be carried out using dummy data.

What data may be processed for the research project?

Personal data may be collected and processed if it is appropriate, relevant and not excessive for the purpose of the project.No unnecessary data should be collected.

Certain data requires the adoption of specific security measures and may only be processed when absolutely necessary.This is what is known as special category data: on ethnic or racial origin, political opinions, religious or philosophical convictions or trade union membership, genetic data, biometric data intended to uniquely identify a natural person, health, sex life or sexual orientation.

Whenever possible, it should be anonymised or at least processed in pseudonymised form, depending on the requirements of the project.

What is pseudonymised data?

Pseudonymised data is personal data processed in such a way that it cannot be attributed to a specific person without the use of additional information.When conducting research work, it is highly advisable to assign an identification code to each person to whom the data corresponds, and to keep a separate correspondence table between the code and the person's identity data.This correspondence table should only be accessible to the principal researcher, and should be deleted when no longer needed.

Pseudonymised data is still personal data, until the correspondence table is deleted.

What is anonymised data?

It is information that is specific to natural persons, but that cannot be linked to any individual, e.g. because the document linking the name to the code of each reporter has been removed.Anonymisation is successful when the information cannot be attributed to a person, and it is not possible to deduce to whom it relates.Anonymised data is no longer personal data, so the requirements for confidentiality and security measures no longer apply.

What security measures should be applied when processing data?

Data that permits direct or indirect identification, and data recorded with identification codes or pseudonyms may only appear in the University's own computer systems or those contracted by the University (UdG systems).Exceptionally, on an ad hoc basis, when the dynamics of the work require it, pseudonymised data may be stored on other systems, devices or supports. As soon as possible, they will be transferred to UdG systems and deleted from all other systems, devices or media.While held in the latter, the information should be protected to prevent unauthorised access.

Extraction of data should be prevented for as long as individuals are identifiable.When held on paper documents, data should be stored in a secure manner, inaccessible to unauthorised persons.

How long can data be kept?

As a general criterion, personal data must be kept only for as long as is necessary for the proper implementation of the project.When obtaining the consent of informants, this information on retention time must be provided. It may coincide with the duration of the project, but an additional period may be foreseen if verification or audits of the project should be necessary.In all cases, whenever possible, and whenever it does not hinder the proper implementation of the project, it is preferable to process anonymised, or at least, pseudonymised, data from the outset.

Choose which types of cookies you accept which the University of Girona can store in your browser.

Those that are essential for enabling your connection.There is no option for disabling them, as they are necessary for the functioning of the website.

These enable your options to be remembered (for example language or region you are accessing from), to provide you with advanced services.

They provide statistical information and enable improved services.We use Google Analytics cookies which you can deactivate by installing this plugin.

To offer advertising contents relating to the interests of users, either directly, or through third parties (“adservers”). These must be activated if you wish to see the YouTube videos uploaded to the University of Girona’s website.

The University of Girona website uses its own and third-party cookies for technical and analytical purposes.To manage them use the manager.If you would like further information, please access our Cookies Policy.