NB. These notes apply across the Research Instructions
Re item A.1.b.:
It is important that the key basic information regarding a project is assembled in one document, so it is easy to get an overview of the project and to extract information from the different SDU-systems when needed. Under this item it is stated that you may register for an ORCID as a possible researcher-ID.
Re item A.1.c.:
This item is implied in SDU’s guidelines and is described in the process description under Externally Financed Projects – Pre-award.
Link: Alle procesbeskrivelser vedrørende forskning - in Danish only
Re item A.1.d.:
This item is implied in SDUs open science policy. A data management plan for all projects must be drawn up. This plan gives a thorough overview of all aspects of the data processing, i.e. how the research data are to be collected, transferred, saved, structured, named, shared, and, possibly, published. A data management plan is a working paper that may be changed continuously with changes to the project regarding different aspects of the data. Support for drawing up a data management plan is available by SDUs RDM support. Here you can also find more links with information and directions. Several large funding agencies require a data management plan and they have their own templates which you have to use. Read more here: DMPonline. Your unit may have their own DMP template. Ask your data manager.
Re item A1.e.:
You must not store or handle data without having notified RIO (if you are the data controller) or made a data controller agreement through RIO (if you are the data processor).
Re item A1.e.i:
Link: Anmeldelsesskema SDU-RIO
Research that uses personal data and of which SDU is the data controller must be part of a research project that is notified to RIO. RIO must, at the request of the Danish Data Protection Agency, be able to present a list of SDU’s ongoing research projects, which is why all research projects using personal data must be approved by RIO. After RIO has approved the project, you will receive a confirmation that your project has been registered. You can only start the data collection when your project has been approved. Your research project will appear from the registration list when the approval has been granted. This also applies to projects that were not previously notified to RIO, but instead to the Danish Data Protection Agency as private research projects. For such projects, the person behind the project (and not SDU) will be legally responsible if anything goes wrong. These projects should be transferred to SDU (please contact RIO about this transfer). All of the above is implied in SDU’s guidelines: Vejledning til fortegnelse over behandlingsaktiviteter. Please also see the process descriptions for research data, e.g. health data, here: procesbeskrivelser. - in Danish.
Regarding sub-item about data controllers, under Item 1.e.i.:
Following the introduction of GDPR, it will be mandatory that you keep records of persons who have and have had access to your data. This means that if external data controllers (non-SDU-employees) are working with the project data, this must be indicated in the notification, and a data controller agreement must be made via RIO. The DMP is a good place to keep record of this.
RIO must sign the data controller agreement before you can initiate the collaboration with the partner.
Regarding sub-item about transfer of data, under Item 1.e.i.:
RIO is responsible for SDU’s electronic list of research activities and RIO must therefore be informed about any transfer of data (to SDU-projects) and handing over of data (to external projects). Transfer of data controllership is also part of this item. Note that you can transfer data/controllership while still keeping them.
Please see RIO’s procedures for transfer/handing over of data.
Transfer of personal information:
Personal information in one project at SDU must not simply be linked to personal information in another project at SDU. This action requires a transfer agreement between the project that transfers the data and the project that receives the data. You need to fill in a request for data transfer. A form can be found under the following link: (http://web.fortegnelse.sdu.dk/cn/ajb7h/overladelsesanmod)
You must not begin the transfer until you have received a permission from RIO.
Transfer of personal data:
SDU’s list must also contain information about transfer of data or data controllership to another data controller in EU or third country. Therefore, you must only transfer data from your own research project/research database to third party if this has been notified to and approved by RIO. Transfer outside EU/EØS must be approved by The Danish Data Protection Agency via RIO.
Please see the below link on how to request for permission to transfer data: (https://www.sdu.dk/da/forskning/service_til_forskere/juridiske_spoergsmaal/anmeldelse_til_datatilsynet/videregivelse).
You must only transfer data for use in other scientific or statistical investigations. Transfer of data must NOT be initiated until you have received permission from the Danish Data Protection Agency or RIO.
Re item A1.e.ii.:
As a new measure, the General Data Protection Regulation has introduced a requirement that the data processor makes a list of who they are data processors for. So, if you (SDU) are the data processor on a research project, a data processor agreement between SDU and the data controlling authority must be made. This data processor agreement must be signed by RIO. You have to contact RIO (https://www.sdu.dk/da/forskning/service_til_forskere/juridiske_spoergsmaal) if you are going to be data processor on a research project.
Re item A1.f.:
This item is relevant for projects that include biological material and that fall under the Committee Act (Komitéloven) and the National Committee on Health Research Ethics (Den Nationale Videnskabsetiske komité (VEK)). It is recommended that VEK is consulted in case of doubt. If your project includes biological material from a biobank, it must be checked out whether the project is covered by former dispensations. If not, you need to apply for a new dispensation with the VEK. The application must be sent to The Regional Committees on Health Research Ethics for Southern Denmark (De Videnskabsetiske Komitéer for Region Syddanmark). Requirements for the application can be found on their website, including default letters of consent.
This item is also relevant for projects that use patient chart information.
According to the Danish Health Act (Sundhedsloven), the Danish Patient Safety Authority (Styrelsen for Patientsikkerhed) must approve certain cases of transfer of patient chart information. Link to the application forms can be found on their website.
For all projects that use data from The Danish Health Data Authority (Sundhedsdatastyrelsen (SDS)), from Statistics Denmark (Danmarks Statistik (DST)) or from other health registers/clinical quality databases, the required permissions must be obtained from these authorities.
On the Danish Health Authority (Sundhedsstyrelsen) website, you can find the requirements for the application.
Please be aware that research including data from the national health registers must henceforth be carried out on Danish Health Data Authority and Statistics Denmark research computers.
On the Statistics Denmark website you can read about how to access data.
Research using data from DST must only take place on DST research computers.
SDU has a data processor agreement with DST and SDS.
If you need data from other registers, you must apply for permission to get access to these data with the relevant authority.
Re item A1.g.:
When you collect personal data it has become even more important to get a consent if the data are to be shared with others, used in other research projects or for teaching purposes. Also, the wording in the consent form and the participant information letter is very important as this is vital for the data processing and, thus, the research that is carried out on the collected data. Please ask RIO for advice.
You can find more information on how to draw up a consent form at the websites of the National Committee on Health Research Ethics and of the regional committees on health research ethics. Also, we recommend that you contact RIO and SDU’s RDM support. A detailed and thorough data management plan will help you ensure that your consent forms and participant information letters are correct, so that your project can be carried out without problems.
Therefore, it is also important to make a description of how you are going to collect your data, as this may be relevant for the wording of your consent forms and the participant information letter.
Re item A2.:
It is not unusual that more or less important changes are made to the project after the RIO permission has been obtained.
Important changes are, e.g., changes of the aim of the project, change of contact person or person group, collection of new types of personal information or an extension of the project period. These changes must always be notified to SDU RIO before they are implemented, as they require permission.
Less important changes are, e.g., changes in project name. These changes only need to be notified to SDU RIO within 4 weeks after the change.
All requests for changes should apply RIO’s form for request of change.
Please find out if the changes require renewed consent from the project participants.
This item is implied in “Vejledning til fortegnelse over behandlingsaktiviteter.docx”
Re item A9.:
This item is implied in SDU’s legal guidelines on insight, complaint, deletion, data portability, limitation, and rectification, which arise from the data protection regulation, which can be found on this page. Individuals, whose data are used in most research activities are exempt from these rights, if data are only used for research purposes, according to SDU’s legal guidelines. This relates to the legal basis of the project. See section C of the instruction for more information. The DPO/the vice chancellor’s office must be contacted regarding requests for deletion etc. at email@example.com.
Re item A10.:
As SDU must be ready to report a breach on the personal data security to the Danish Data Protection Agency, and, if necessary, also inform the research participants, within 72 hours, it is important that there is no doubt about which projects and which project participants are affected by the breach.
A prompt linkage can be assured if the name of the research data folder starts with the project number.
Furthermore, please see SDU’ legal guidelines:
“Guidance on how to record processing activities.docx”, and
”Guidance for handling of breach of the personal data security, 27.03.2018.docx”.
Both documents can be found under SDU process descriptions.
Re item B.:
This part of the Instruction has been made based on the “Process Description for Faculties and Departments at SDU, Externally Financed Projects – Pre-Award”; “Process Description for Faculties and Departments at SDU, Externally Financed Projects – At-Award”, and “Process Description for Faculties and Departments at SDU, Externally Financed Projects – Post-Award”.
The working procedures in connection with application for/granting of external funding are dealt with in the Accounting Guidance, Appendix 14, and as a short outline at the end of the Instruction.
Re item C1.:
As it can be difficult, based on the GDPR and SDU’s guidelines and instructions, to determine whether a dataset contains sensitive and/or confidential personal information or merely general information, it is easier for the researcher to treat all information as sensitive personal data.
An exception from this is, of course, datasets that have been classified as being anonymous datasets. Please see the Instruction regarding anonymization of research data.
Re item C3.:
De-identification means that all immediate and obvious sources of identification, such as CPR-number, name, address, email, or contact information are removed. Please consult the List of Words and Terms.
Re item C4.:
This is to ensure that research data can always be accessed, for instance in case of resignation, dismissal, or death.
Re item C6.:
This follows from SDU’s process description about data processing in public, section 3.3., which describes how you protect data against unauthorized access: It is not allowed to process person-identifiable, sensitive/confident information in a public area without making sure that the information can be seen by no one else than you. If such precautions are not possible, you should not be processing the data.
If you need to process data on a journey or at other public places where there is a risk that you may disclose personal data in a public area, you must protect against unauthorized access: You should avoid transporting data on paper, because documents might be lost due to theft or negligence. Lost documents are immediately accessible to other people. Data on a computer can be processed only if the computer is encrypted and password protected. This protects against misuse of data in case of, for instance, theft of the computer.
If you are sitting close to other people when you are working with personal information, as you might do e.g. on a train or a plane, there is a risk of other people seeing your data. Therefore, you should not be processing person-identifiable data on a train or similar. It is preferable to use only pseudonymized or anonymized data. A privacy filter for your computer can protect your data from other people. It can be obtained from Servicedesk.
If you use the internet, you must only use secured wifi-networks, not the open, public networks. Moreover, you must use VPN (AnyConnect).
Re item C7.:
Communication with participants regarding a data collection should be secured, because this communication may easily result in the exchange of sensitive data. Furthermore, it sends a positive message to the participants.
Re item C12.:
A template for what to tell respondents about duty of disclosure can be obtained from The Danish Data Protection Agency: https://www.datatilsynet.dk/media/6889/bilag_a_og_b_-_skabeloner_til_oplysningspligt_og_indsigtsret.docx
Or contact RIO for validity check.
Re item C14.:
This is implied in SDU’s legal guidelines for drawing up of consent letters:
and for the data controller’s duty of disclosure:
Re item D.:
There is a description from the UK of how qualitative data can be handled with regard to anonymization:
Anonymisation is possible, but may destroy the data, so it’s better to use a reasonable level of anonymisation, alongside other regulations - for example in data access - to ensure that the assurances of confidentiality and anonymity that you gave to participants can realistically be maintained. Read more.: https://www.ukdataservice.ac.uk/manage-data/legal-ethical/anonymisation/qualitative
Re item E.:
Research data must be Findable, Accessible, Interoperable og Reusable (FAIR). SDU supports free access of research data in compliance with ethical rules, legal and contractual obligations, the data protection legislation, and intellectual property rights.
Information that provides the basis for publications should be made publicly accessible in relevant “data repositories” in compliance with any legal, ethical, or commercial restrictions.
If data cannot be made publicly accessible, at least the meta data should be published. Access to original data can be provided upon request.
To enable Open Science by making data Findable, Accessible, Interoperable (accessible and usable across disciplines and methods) and Reusable (FAIR, see: https://www.force11.org/group/fairgroup/fairprinciples and https://www.nature.com/articles/sdata201618). Open science includes transparent methods and public access to results, including publications, data, codebooks and statistical software syntax(e.g. SPSS syntaxes, STATA do-files, R code) for programming, data management and analysis.
Re item E7.:
Data exempt from the Open Science Policy
- Administrative data
- Data from third parties, data repositories and administrative registers with conditions limiting reuse, publication and dissemination.
Publicly available data.
- Studies included in systematic reviews and meta-analyses. The exemption does not apply to documentation of searches, selection of studies for review and analyses in tables, figures and similar supplementary material routinely published online with reviews.
Re items E9 and E10.:
How to preserve the data after the project has ended (particularly relevant for PhDs)
- Document the data, using guidelines from the Danish National Archives (Rigsarkivet).
- Archive or permanently delete sensitive data before the permissions expire (Rigsarkivet)
- Provide data to the Danish National Archives (Rigsarkivet) and assure have the least restrictive conditions for access possible.
- View guidelines of the Danish National Archives (Rigsarkivet) for documenting, re-porting and archiving research data in Danish at: https://www.sa.dk/da/forskning/for-forskere/anmeldelse-aflevering-forskningsdata/.
- Long-term preservation/archiving
- All data should be stored for a minimum of five years after publication of the research (re-quired permissions should be obtained or extended, including from the Danish Data Pro-tection Agency). Beyond this minimum requirement, several types of research data should be preserved for long term access and reuse, including (the list is not exhaustive):
- If it would be unethical to subject humans or animals to unnecessary repetition of experiments, trials, observations or other research activities.
- If it would be unethical or indefensible to waste research funds and human resources that could be put to better use (i.e. prevention and cure of disease) on unnecessary repetition of experiments, clinical trials and observational research.
- Data and materials that is impossible or hard to reproduce.
- Data and materials that is costly to produce, in terms of funding, time or human re-sources.
- Data and materials that can be reused in new projects, serve as benchmarks, as reference or are of public interest.
- Data and materials underlying publications.
- Archiving as an alternative to deletion
- Valuable data and materials should be preserved by archiving in the Danish National Archives (Rigsarkivet). Preserving your data and materials in this archive fulfils legal requirements of deletion when a data processing permission expires.
- Documentation of archived data is required, using guidelines from the Danish National Ar-chives (Rigsarkivet) (in Danish). See: https://www.sa.dk/da/forskning/for-forskere/anmeldelse-aflevering-forskningsdata/.