Data management is about all data you collect in the context of your research. These include administrative data, e.g. contact lists, Informed Consent forms, Key Files, etc. Some of it might not have analytical value for the research outcome, it is however still data processed in the context of a research project. Be aware as well about by-catches, e.g. in interviews, people might reveal personal data, even if you have not asked for it and has no value for your research; once you’ve recorded it, it is in your data collection and you’ll be responsible  for handling it properly.

Steps to take when dealing with personal data

  1. If you have not done this already, establish for each of the data sets you listed whether it contains personal data and, if so, if there is any special category of personal data involved.
  2. List each data element as specific as possible.
  3. If you process special categories of personal data contact the data manager or privacy officer, you might need a Data Protection Impact Assessment (DPIA), if so he or she will help you out.
  4. Try to anonymize/pseudonymize your data as soon as possible, store the originals somewhere safe and work with the derivatives.
  5. Contact the FETC, as all research with human subjects need to be assessed by this committee.
  6. Register your data in the Processing Registry. Contact the data manager or privacy officer for details. In the registry you’ll document the lawfulness, risk assessment etc.

In more detail:

First you should establish the kind of personal data. Is it personal data, or is it a special category of personal data. If you collect special categories, you are advised to contact the data manager or privacy officer of the faculty. You might be requested to do a DPIA.

Next you should list each data element as specific as possible. In some cases it very obvious, like name, mail address, gender, in other cases less so. E.g. when you’re conducting unstructured interviews. You might end up with qualifications like attitude toward LGBTQ migrants or Facial expression.

In Step 1. Establishing your sources you have listed your sources. If you’ve used the template for listing your datasets provided there, you ended up with an overview of the elements of personal data you will be collecting.

This might, for example, look like this:

Personal elementReason for processingDatasetMethod of anonymizing
NameIdentification participants1 –  Interviews
2 – Surveys
8 – Contact list
Replacement by code – name stored in key-file
GenderAnalytic – for creating subsets1 – Interviews
2 – Surveys
1 – None
2 – Aggregation
Union membershipAnalytic – establishing political activism1 – InterviewsDeletion in transcript, remark in key file
Opinion on agricultural policyAnalytic – establishing political awareness1 – InterviewsNone
Mail addressAdministrative – getting in contact8 – Contact listRemoved after research

Next, consider the proportionality of the data  elements with regards to conducting your research and answering your research questions. Work on the basis of purpose limitation. Ask yourself whether you really need the data you are collecting. E.g. do you really need a video recording, or would audio suffice, do you really need to know someone’s age, or location; it looks nice to plot your data on a map, but if that doesn’t answer your research question, than it is disproportional to process it, in which case, you should not collect it.

C. Establish the lawfulness of processing