Special rules apply to the collection, registration, disclosure and storage of personal data in connection with research and statistics, and you need to be aware of these if you are collecting and processing personal data in your research project.
For example, you are generally not allowed to collect nor disclose any ordinary or personal data without consent, and any information used in scientific or statistical studies may be not be used at a later time for other purposes.
Personally sensitive or personally identifiable data?
What is personally sensitive data?
Sensitive information is defined by having to do with peoples’ purely private matters. That means information about ethnic or racial background, political, religious or philosophical conviction, union affiliation and information about health or sexual matters.
Other types of information about purely private matters are also considered sensitive. That means information about illegal matters, significant social problems and similarly sensitive information about private matters, e.g. internal family affairs.
Ordinary personal information does not concern purely private matters. This can be, for instance, information about customer relations or other, similar non-sensitive information.
Personally identifiable data
The Danish Data Protection Act defines personal information as any information relating to an identified or identifiable natural person. The term “identifiable person” means a person who can be identified, directly or indirectly, by one or more specific aspects of the person's physical, physiological, mental, economic, cultural or social identity.
If a piece of information is considered personal information, it is personally identifiable by definition.
As a result, it is important for your collecting and processing of data that you ensure that your informants, if they have been promised anonymity, cannot be identified in other ways.
Sound and video recordings are clearly personally identifiable and, as a result, they quickly become personally sensitive. Therefore, you should make sure to have valid declarations of consent in projects where you are collecting video, audio or images.
Duties of notification and registration
If you are collecting personal information in connection with a research project, it must be registered at the Faculty in order to the meet the requirements of the Danish Data Protection Agency and the GDPR regulation.
You must notify the Faculty that you are collecting personally sensitive and personally identifiable data before you begin collecting.
When collecting personal data, you are still required, even after 25 May 2018 when the GDPR comes into force, to request approval of your data collection. When you have submitted your request, you will receive an approval and confirmation of the registration of your data collection.
Read more and submit your collection here.
After 25 may 2018, when the GDPR comes into force, collections of non-sensitive personal information will also have to be registered.
Contact firstname.lastname@example.org if you are unsure whether you are required to register a collection of data.
Anonymisation of personal data
You should delete or anonymise sensitive and personally identifiable data when you no longer need them in a form that makes it possible to identify the individual person.
In some cases, however, it will be necessary and relevant to keep the data in their original and personally identifiable form. For example, in the case of recordings of language usage.
Storage of personal data
Storage of personal data
As data controller, you are responsible for ensuring that the data remains undisclosed to unauthorised persons.
Primarily, this requires that unauthorised persons cannot gain access to confidential information about other people.
As a result, you have to store your data on a special research drive, the S-drive, which meets the requirements for security, logging information etc. and to which access is limited.
Disclosure of personal data
You are only allowed to disclose information from the study, anonymous information excluded, if the informant has given consent or if the Danish Data Protection Agency has given approval. In both cases, you may only disclose the data for use in other scientific or statistic studies.
What to do when collecting personal data as part of a research project
Before you begin collecting data, you have to notify the Faculty of your collection. The Faculty will handle the registration and approval (with regards to collecting personally sensitive data) of your project. Read more in the above section on duties of notification and registration.
You should anonymise and delete sensitive personal data as soon as possible.
Ethical guidelines for research projects that collect or process personal data
1. Informed consent
Generally, informants may only be involved in research (e.g. via interviews, focus groups, participant observation etc.) based on their informed consent.
The project and its results may not inflict damage on its participants, nor expose them to significant risks of damage. This applies to the way in which you recruit respondents, the study itself and the final product. It also applies to any potential emotional strain caused by the recruitment, the study or the publication of the results.
3. Reasonable purpose
An study should have an academically reasonable purpose, i.e. it should have the potential to produce new and relevant knowledge.
4. Safe storage of data
Data collected in the project must be stored safely, i.e. it should be inaccessible to unauthorised persons and stored in a way that minimises the risk of data loss. Data must be stored for 5 years after the last publication.
5. Anonymised publication
Normally, the results of the research can only published in anonymised form. In this context, anonymisation means removal or modification of names or descriptions that may make it possible for outsiders to identify the individual in question.
6. Restricted use
Data collected in connection with research projects may not be used for anything other than research purposes. Data collected for research purposes may not be used for research purposes that move beyond what respondents have given their consent to.
7. Permission from the Danish Data Protection Agency/Approval and registration at the faculty
Projects that collect and register personally sensitive information must be reported to the Faculty, cf. requirements from the Danish Data Protection Agency and the Faculty’s guidelines. This arrangement still applies and you will still receive confirmation and approval of your collection and processing of personal data after 25 May 2018 when the EU’s GDPR comes into effect.
After 25 May 2018, when the GDPR comes into effect, collecting non-sensitive personal data will also have to be registered. After reporting your data collection, you will receive a confirmation of registration of your data collection.