The University of Trento has drafted the Guidelines on personal data protection in scientific research to provide researchers with an overview of the principal concepts and obligations relating to personal data protection, with a specific focus on scientific research.
It is a guiding tool for researchers, from both a theoretical and practical point of view, in the management of personal data in all phases of the research activity and provides a summary with respect to the specific areas of scientific research (please see Useful Documents section).
If the research activity entails a risk to participants’ psychophysical well-being, in addition to the processing of their personal data, prior approval from the University Ethics Committee (or the APSS) is required; this approval also provides an integrated evaluation of the personal data management issues.
- "processing": any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (art. 4, n. 2 GDPR);
- "personal data": any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (art. 4, n. 1 GDPR);
- "special categories of personal data": personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation (art. 9, par. 1, GDPR);
- "genetic data": personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question (art. 4, n. 13 GDPR);
- "biometric data": personal data resulting from specific technical processing relating to physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopy data (art. 4, n. 14 GDPR);
- "data concerning health": personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status (art. 4, n. 15 GDPR);
- "data relating to criminal convictions and offences": personal data relating to criminal convictions and offences or related to security measures (art.10 GDPR);
- "Data Controller": the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law (art. 4, n. 7 GDPR);
- "Data Processor": a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Controller (art. 4, n. 8 GDPR);
- "Data Protection Officer": professional figure expert in data protection whose tasks are to assess and organise the processing of personal data within each organization (articles 37, 38 and 39 GDPR);
- "Authorised Subject": any person acting under the authority of the Data Controller or under the authority of the Data Processor (art. 29 GDPR; Article 2-ter(4)(a) of the Privacy Code);
- "communication": the act of giving knowledge of the personal data in any form - including by making them available, consulting them or interconnecting them - to one or more specific subjects different from the Data subject, the Data Controller or its representative in the territory of the European Union, the Data Processor or its representative in the territory of the European Union, the Authorised Persons (Article 2-ter(4)(a) of the Privacy Code);
- "diffusion": the act of giving knowledge of the personal data to unspecified persons, in any form, including by making them available or consulting them (Article 2-ter(4)(b) of the Privacy Code);
- "anonymous information": information which does not relate to an identified or identifiable natural person or to personal data anonymised in such a manner that the data subject is not or no longer identifiable (recital 26 of the GDPR).
General requirements for researchers
The University of Trento is the “Data Controller” of the personal data processing carried out in the scope of the execution of its institutional tasks, including scientific research.
The Principal Investigator (PI) acts as “Appointee”. Other subjects involved in the research activity act as “Authorised Subjects”.
Without prejudice to the provisions of current legislation (in particular, GDPR, Privacy Code, Ethics Rules) and the provisions of the Guidelines on personal data protection in scientific research, these roles are required to comply with the following general requirements:
- personal data shall be processed in accordance with the principles of lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, accountability;
- access to any database dedicated to the project must be specifically authorised by the Principal Investigator (PI);
- storage devices containing personal data may not normally be removed from the University’s servers;
- implementation of the technical and organisational measures by the Controller (art. 32 GDPR);
- where necessary, implementation of a “data protection impact assessment” for the specific research project (pursuant to articles 35-36 GDPR);
- communication of a data breach to the data subject by the Controller, without undue delay (art. 34 GDPR).
Obligations of the Principal investigator of the research project
Prior to starting the research activity, the following requirements must be met in order to demonstrate that personal data will be processed solely for statistical and/or scientific purposes.
- Drafting of a Research Project (see Useful documents) in accordance with the methodological standards of the relevant subject area and documenting that the processing is carried out for appropriate and effective statistical and scientific purposes specified therein.
- Drafting of the information notice pursuant to art. 13 GDPR (if the data are not obtained directly from the data subject, pursuant to art. 14 GDPR) and, when necessary, of the consent to the processing of special categories of personal data, judicial data and within the scope of medical, bio-medical and epidemiological research (see Useful Documents).
- Storage of the Project and of the related privacy documentation at the Department/Centre, which will ensure its confidential storage for five years from the planned completion date of the research.
Disclosure of data to other research partners in the context of joint research
In the context of joint research activities with other research Partners (Universities, research institutes, etc.), an anonymous format is always preferable.
If, however, it is necessary to disclose personal data to another Project Partner for the achievement of the research purposes, this will only be allowed under the following conditions:
- the evidence of the "need" for data communication between Partners for the purposes of the research in the description of the project activities;
- the identification of the role regarding privacy played by each Partner in relation to the processing carried out in the framework of the research project. When a situation of autonomous ownership cannot be identified, an internal co-ownership agreement (art. 26 GDPR) establishing the respective roles and responsibilities or, depending on the case, an appointment as Data Processor (art. 28 GDPR) will be required;
- the identification of appropriate technical and organisational measures in the transmission of data, such as, for example, pseudonymisation, encryption of personal data, the ability to ensure, on a permanent basis, confidentiality, integrity, availability and resilience of processing systems and services, etc.
Dissemination of data
Research results may only be disseminated, including by publication, in aggregate form or in a manner that does not make the persons concerned identifiable, even through indirect identification data, unless the dissemination concerns public variables.
Data obtained from third parties
Before starting research activities involving the receipt of data from external parties or, in general, the sharing of data with other parties (including project partners), please contact the support offices for the joint definition of the privacy role of the University of Trento (autonomous Data Controller, joint Data Controller, Data Processor) and for the required documents.
Processing of special data for medical, biomedical and epidemiological research purposes
Protocols for scientific research in the medical, biomedical and epidemiological fields must be submitted for prior approval to the competent territorial Ethics Committee.
Please refer to the Guidelines for the protection of personal data in scientific research for data processing requirements (see Useful documents).
Security measures in the processing of personal data
Pursuant to Article 32(1) of EU Regulation 2016/679 (GDPR), for any processing of personal data the Data Controller and the Data Processor will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
Research activity involving the processing of personal data (such as the collection of data from volunteers) is subject to the application of data protection legislation. The researcher must therefore identify, for each individual research activity, the appropriate measures to ensure the protection of the data processed, considering the state of the art, the costs of implementation, and the nature, subject, context and purpose of the processing.
The EU Regulation already indicates, by way of example, some measures: pseudonymisation, encryption of personal data, the ability to ensure on a permanent basis the confidentiality, integrity, availability and resilience of processing systems and services; similarly, the AGID Circular No. 2 of 18/04/2017 on Minimum Security Measures suggests some requirements to be adopted in the processing of personal data based on the level of risk identified for each individual processing, such as encryption for portable devices, the installation of local firewalls and antivirus, etc.
It is recommended to consult the document on security measures available to researchers at the University (see Useful Documents).
At Protezione dei dati personali in Infoservizi, Download section, the following documents are available to the researchers of the University of Trento:
- Linee guida per la protezione dei dati personali nell’ambito della ricerca scientifica
- Misure di sicurezza nel trattamento dei dati personali in ambito dell’attività di ricerca scientifica
- Template of Scheda Privacy di Progetto ai sensi dell’art. 3 delle Regole deontologiche per trattamenti a fini statistici o di ricerca scientifica;
- Template of Informativa sul trattamento dei dati personali per finalità di ricerca scientifica (art. 13 Reg. UE 2016/679).
Templates of Scheda Privacy di Progetto and Informativa sul trattamento dei dati are to be used and adapted from time to time to the peculiarities of the specific research project.
The Agency for the Promotion of European Research in Italy (APRE), to which our University is associated, edited the guidelines (divided into three volumes) which collect the effects of the GDPR on the life cycle of Horizon 2020 projects.
Contact for further information: supporto.privacy [at] unitn.it