Sharing your data: privacy concerns

Sharing your data during and after your research is beneficial to you as a researcher. It helps when collaborating with colleagues and can improve the visibility and impact of your research. Moreover, most funding agencies, including the NWO and the EU, require that you share your data. They mention this explicitly in their grants or implicitly in their general regulations. Radboud University has also made open access part of its policy. However, sometimes open access data sharing can raise concerns about privacy that you need to be aware of.

This page highlights some best practices concerning privacy when sharing your collections, both during and at the end of your project. For specific tips on data anonymisation and pseudonymisation, look at our best practice page Data Anonymisation and Pseudonymisation.

Privacy during research

During your research, you might want to share your work with collaborators. Extra care is needed when you have personal data. The following points can help you to make good decisions on sharing personal data during your research.

When working in collaboration with companies, schools, universities or other institutes, be aware that data privacy issues should be discussed at the start of your project, before you start using the Radboud Data Repository (RDR). Discuss and agree on issues like who owns the data, what you can do with the data, who the data can be shared with and where the data should be stored. You might consider setting up a contract with all parties involved. For any questions concerning data ownership and/or setting up a contract, contact the University’s legal department.

Carefully consider who you want to add to your collection as a manager, contributor or viewer. This is relevant for all collections: Data Acquisition Collections (DACs), Research Documentation Collections (RDCs) and Data Sharing Collections (DSCs). Be aware that each role has its own restrictions and permissions. Do not blindly add colleagues as managers or contributors: think carefully. Perhaps it is better to add someone as a viewer rather than a contributor: the more people can edit your dataset, the more likely errors become. Importantly, if your collection contains personal data according to the GDPR (see our best practice page on data anonymisation and pseudonymisation for the definition of personal data), you should only share your collection with people that you have mentioned in your informed consent form. For example, if you have not explicitly stated that your data can be shared with researchers outside of Radboud University, make sure that none of the managers, contributors or viewers are external researchers. The same applies to publishing a DSC: do not share if you have not received informed consent to do so.

Be aware that with every person you add to your collection (in any role), the risk of a data breach increases. Make sure that everyone handles the data responsibly. For example, downloading personal data from the RDR and/or saving the data outside of a Radboud University-based storage system should be avoided where possible. Be aware that if collaborators save personal data from your collection outside of Radboud University, this could constitute a data breach.

Another way to protect personal data during your research is by using encrypted files. This can be useful if you want to share only part of your collection. By encrypting the files that you do not want to share, you can still add colleagues as contributors or viewers. Radboud employees have several options to encrypt files, as explained on the ICT site. Pseudonymisation key files should always be encrypted and never stored in the same collection as the original data. Be aware that including an encrypted key file in a DSC is not recommended, since DSCs become open access after publication and therefore there is a high risk of a privacy breach. Storing a key file in an archived DAC or RDC is less risky, but we generally do not recommend storing key files in the RDR. Each Organisational Unit (OU) has a different policy regarding the storage of encrypted key files, so consult your data steward if you are unsure where you should store your key file.

Privacy when publishing or archiving (after research)

After your research, when you want to close a collection, it is still important to consider privacy. Whether you want to archive a DAC or RDC, or publish a DSC, there are some best practices to take into consideration.

Archiving or publishing personal data in your collection requires extra attention. Try to pseudonymise or fully anonymise identifiable personal data in your collection as much as possible while still allowing scientific integrity checks and reuse of the data. For tips on data pseudonymisation and anonymisation, please take a look at our best practice page. Identifiable personal data can be shared in a published DSC under specific circumstances. You are only allowed to share directly identifiable personal data in a DSC if you have received explicit permission from the participants AND if the data become useless if they are pseudonymised or anonymised. However, we strongly suggest that you contact your research institute's data steward before you place personal data in a DSC. It is good practice to ask a data steward for advice if you have any doubts or questions regarding personal data in your collection. For more information on when and how you are allowed to share or store personal data in the RDR, visit our best practice page on Selecting an appropriate access level and licence for your Data Sharing Collection.

If you are not allowed to share directly identifiable or pseudonymised data in a DSC, you can consider sharing the averaged results at the group level to allow other researchers to validate the claims in your paper.

Note that the metadata of published DSCs and, optionally, of archived DACs and RDCs are publicly shared. This includes all the fields that are visible under your collection's metadata tab, the list of files visible under your collection's files tab, the automatically generated ABOUT.txt, LICENSE.txt and MANIFEST.txt files and any files that you labelled as documentation files. Do not include any personal data or other sensitive information in your metadata or in your file and folder names.

The RDR serves to store research data for scientific integrity purposes or for dataset re-use. Files that are administrative in nature (e.g. informed consent forms and payment contracts) do not necessarily belong in your collection. In many cases, these administrative files have very different retention periods and can be deleted earlier than your research data, so consider storing administrative data elsewhere.
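A pre-publication check for the points above, as an added example (not an RDR tool and not code from this page): it scans the file and folder paths of a collection for names that would expose personal data in the public file list, and for key files and administrative files that the guidance advises keeping out of a published DSC. The patterns, the sample paths and the participant surnames are constructed assumptions; adapt them to your own naming scheme.

```python
import re
from pathlib import PurePosixPath

# Heuristics chosen for this example (assumptions, not RDR rules).
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[A-Za-z]{2,}")
KEY_FILE = re.compile(r"(pseudo\w*|subject|participant)[-_ ]?key|key[-_ ]?file", re.I)
ADMIN = re.compile(r"consent|payment|contract", re.I)

# Constructed sample: relative paths as they would appear in the file list.
SAMPLE_PATHS = [
    "raw/sub-001/sub-001_task-rest_eeg.edf",
    "raw/sub-002_jansen/sub-002_task-rest_eeg.edf",
    "docs/contact_j.devries@example.org.txt",
    "admin/informed_consent_sub-001.pdf",
    "keys/pseudonymisation_key.xlsx.gpg",
    "docs/README.txt",
]
# Constructed surnames; in practice, read them from the key file kept
# outside the collection.
SAMPLE_NAMES = ["Jansen", "Bakker"]


def tokens(part):
    """Split one path component into lower-case alphabetic tokens."""
    return set(re.findall(r"[a-z]+", part.lower()))


def check_paths(paths, participant_names=()):
    """Return sorted (path, reason) findings for file and folder names."""
    names = {n.lower() for n in participant_names}
    findings = set()
    for path in paths:
        # Folder names are listed publicly too, so check every component.
        for part in PurePosixPath(path).parts:
            if EMAIL.search(part):
                findings.add((path, "email address in name"))
            if KEY_FILE.search(part):
                findings.add((path, "possible pseudonymisation key file"))
            if ADMIN.search(part):
                findings.add((path, "administrative file"))
            hit = tokens(part) & names
            if hit:
                findings.add((path, "participant name in path: " + ", ".join(sorted(hit))))
    return sorted(findings)


if __name__ == "__main__":
    for path, reason in check_paths(SAMPLE_PATHS, SAMPLE_NAMES):
        print(f"{reason}: {path}")
```

A name-based check only catches what the patterns and the name list cover, so it supplements a manual review of the metadata and file list rather than replacing it.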