Respecting legal requirements relating to personal and sensitive data

The legal framework for personal data governs how it may be processed and disseminated, though without preventing either. Respecting the GDPR (General Data Protection Regulation) when processing personal data is one of the underpinnings of research ethics.

Personal data includes all information relating to an identified or identifiable physical person, be it directly (e.g., a family name) or indirectly (e.g., a phone number or IP address).

Sensitive data forms a specific category of personal data. It is information revealing “the supposed racial or ethnic origins, political opinions, religious or philosophical beliefs, the fact of belonging to a trade union, together with the processing of genetic data, biometric data in order to uniquely identify a physical person, data relating to health, or data concerning the sex life or sexual orientation of a physical person”.

While the GDPR authorises the use of these data categories in scientific research, it nevertheless imposes particular precautions. Collecting and processing such data is in principle forbidden under article 19 of the GDPR. However, the exception set out in paragraph 2 point j of this article enables a university to collect such data if “its processing is necessary for archiving in the public interest, for scientific or historical research or for statistical purposes, [...] which must be proportionate to the objective pursued, respect the essence of the data protection law, and provide for appropriate and specific measures for safeguarding the fundamental rights and interests of the persons concerned”.

Thus for research purposes, personal and sensitive data may be collected and processed under several conditions:

  • You obtain prior validation of the research by an ethics committee

  • You fill out a processing register demonstrating that your data processing respects the GDPR, for approval by the university’s data protection delegate

  • You get interviewees to fill out a consent form and provide them with an address should they wish to rescind consent

  • You inform those concerned by giving them an information sheet which clearly and intelligibly summarises how their data will be processed

  • You ensure appropriate security steps are taken, particularly for storage (restricted access to data, for example)


When the data is anonymized, the legislation on data protection no longer applies.

This type of data cannot be disseminated unless data processing renders identification definitively impossible.

For all personal data, the publication and reuse of data is furthermore subject to the consent of those concerned.