The Acadre number
The Acadre number is SDU’s internal registration number. At SDU, registration of projects is compulsory.
Encrypted personal data
Encrypted personal data are personal data devoid of any formal and personally identifiable information such as personal identification number, name, address, phone number, and e-mail address. Encrypted personal data must still be handled according to the instruction.
This means that, for example, the personal identification number (the CPR-number) is coded, or the name is removed or changed in order to hide information that can be used to directly identify a person. Encrypted data must still be handled according to the instruction. Encrypted data is NOT the same as pseudonymized data (see section D for details).
General personal data
General personal data comprise name, gender, address, phone number, date of birth and other information used for administrative purposes.
Anonymization eliminates the possibility to identify a respondent. Anonymized data are pseudonymized data without any identification key. The procedure required for anonymization of data is the same as the one required for pseudonymization of data, but identification of an individual is not possible, either directly or indirectly, and no information can be traced back to the person it refers to. As the information can no longer be traced back to an identifiable and physical person, it is not regarded as personal information, and, therefore, anonymized data fall outside the scope of the Danish Data Protection Act/The General Data Protection Regulation. The anonymization must be irrevocable.
The data controller is person or institution responsible for complying with legislation.
The researcher/SDU is either data controller or data processor (see below). If the data controlling lies with SDU, SDU is the data controller.
The data processor is a physical or legal person, a public institution, an institution or an agency that handles personal information on behalf of the data controller. When you are handling personal data, it must be clear whether you have a role as controller or processor of the personal data. In some case these roles are easy to define, in other cases they are less obvious. If in doubt, please contact RIO for clarification and see Datatilsynets vejledning om dataansvarlig og databehandler. RIO approves and signs the processor agreements.
Data processing agreement
The data processing agreement is a mandatory agreement between the data controller and external collaborators. If you are the data processor, you need to have a data processing agreement between the data controller and SDU. If you are the data controller and use external data processors, the data processors must make a data processing agreement. The data processing agreement must be signed by RIO.
Each research unit at IST must have a person responsible for data management. This person will make sure that each researcher in the unit is familiar with the Instruction. The researchers in each unit decide among themselves how to divide the tasks.
Research data are all forms of data used for research, not only personal data.
Confidential personal data
CPR-numbers are confidential personal data.
Sensitive research data
Sensitive research data are any kind of data that include sensitive personal information, such as health information.
Sensitive personal data
Sensitive personal data require much more security than do general data. Please note that at IST, all research data involving personal data are handled as sensitive data, as e.g. health information.
Legal basis means permission. You always need to have a legal basis for handling personal information. Research projects have a legal basis founded in either the Data Danish Protection Act, Article 10 (research), or in the General Data Protection Regulation, Article 6 (consent).
Identifiable personal data
A person can be identified directly or indirectly through, e.g., his/her personal identification number, name, address, phone number, or email address, or through a combination of different personal information.
Handing over data/transfer of data
Handing over data means that data are handed over from one research project to another research project, of which SDU is the data controller of both. Handing over data can also occur when the data controller hands over personal data to a data processor. In both cases, RIO should be involved.
Personal data means any information that can be related to an identified person either directly or indirectly. The GDPR distinguishes between general and sensitive personal data.
The project manager is the person at SDU who is responsible for the research project. They will be responsible for notifying RIO.
The person at SDU who is responsible for the research project. If SDU is data controller, the project-responsible person will be the person who notifies the research project to RIO. If SDU is data processor, the project-responsible person will be the person who has the main contact to the data controller.
Pseudonymization substitutes the identity of the respondent in such a way that additional information (an ID-list) is required to re-identify the respondent. A data set with many variables may allow the identification of an individual, and such a dataset is therefore not pseudonymized. Pseudonymization of data is a complicated and time-consuming task. If you have a very small or specific dataset, you will have to remove several variables, reduce the information in your variables, and remove outliers. Pseudonymization corresponds to anonymization; only, for pseudonymization you still have a key that can identify the respondent: The CPR-number is, e.g., replaced by an artificial identifier such as a serial number, or the information may be encrypted. Information that is pseudonymized still falls under the protection of the Data Protection Act/The General Data Protection Regulation, i.e. it is still considered personal information.
RIO record number
Your project is assigned a RIO record number after it has been notified to RIO.
RIO: SDU’s legal department
Acadre: SDU’s registration system
SDUpro: SDU’s system to deal with external funding
GDPR: EU’s Data Protection Regulation, which is existing law together with the Danish Data Protection Act.
SDU project number
Externally financed projects are assigned an SDU project number (e.g. 95-103-99999). This number is generated via the SDUpro system and is NOT the same as the Acadre number.
This means transfer of project data between a data controller at SDU and a data controller at another authority.