Section A

General items

A.1. All research projects must have the necessary project documentation (see items 1.a-1.g below) and must be named and saved on one of the shared network drives, e.g. Sharepoint (for more information, see Section C), so that the research data can be linked to the project documentation. Data collection must NOT be initiated until the necessary project documentation has been completed and the mandatory approvals have been granted. The project documentation varies according to project type and contains the following items:

A.1.a. Project description

A.1.b. The basic information of the project (for more information, please see the notes)
A.1.b.i. Projects numbers (internal registration number, Acadre number, RIO record number)
A.1.b.ii. Project name and abbreviation, if any
A.1.b.iii. Department- and Faculty affiliation
A.1.b.iv. Name of the project controller
A.1.b.v. Name of Principal Investigator(s) and researcher ID (e.g. ORCID)
A.1.b.vi. Name of contact person (plus phone number and email-address)
A.1.b.vii. Project period including storage period (with regard to published articles)

A.1.c. Regarding projects with external financing (see also Section B):
A.1.c.i. Application/grant letter
A.1.c.ii. Name of the funding authority
A.1.c.iii. Budget
A.1.c.iv. Budget approvals from the Head of Department (all projects) and FSØ (projects above 200,000 DKK), respectively
A.1.c.v. The SDU project account number

A.1.d. Data management plan (for more information, please see the notes). All new projects must include a data management plan. The Head of Research and/or the person responsible for data management must be involved in this plan. For each project/umbrella project it must be considered whether it would be good to have several data management plans, e.g. one plan for each subproject, or a data management plan covering the entire project.

A.1.e.  It is a requirement for ALL projects that personal data are not stored or handled until the project has been notified to RIO (if you are the data controller) or until a data management agreement has been made through RIO (if you are the data processor) (for more information, please see the notes).
A.1.e.i.  The project needs a RIO notification and a RIO approval if SDU is the data controller (for more information, please see the notes). - A data processing agreement must be made if the project uses external collaborators to handle the data (e.g. researchers, students or IT systems). - The project needs an approval for transfer of data if the data originate from another project.
A.1.e.ii. A data processing agreement must be made if SDU is the data processor and if an external collaborator (e.g. the Region of Southern Denmark) is the data controller. The data processing agreement must be signed by RIO (more information in the notes).

A.1.f. Other relevant notifications and approvals from e.g. The Regional Committees on Health Research Ethics for Southern Denmark, The Danish Patient Safety Authority, The National Health Data Authority, Statistics Denmark, other research registers/clinical quality databases (for more information see the notes).

A.1.g. Data collection plans (for all projects that include data collection) (for more information, please see the notes)
A.1.g.i. Templates for informed consent letters/confidentiality letter. Regarding filing of these letters, please see Section C.
A.1.g.ii. Information to respondents.
A.1.g.iii. Data collection flow.
A.1.g.iv. Method of collecting data and samples, setup and instructions (e.g. for interviewers, respondents, project nurses and lab technicians).

A.2. The project documentation should accurately reflect the research project. Therefore, any changes to the original project plan must appear from the documentation. Changes to projects that include personal data must be notified to RIO (for more information, please see the notes).

A.3.  All personal information used in project applications (e.g. applicants’ personal information used for administrative purposes) must be handled and stored according to Section B on handling and storage of documentation regarding grant applications, funding documentation and rejection letters.

A.4. All research data that are used in research projects must be handled and stored according to Section C. on handling and storage of research data.

A.5. Project folders and files must be named in a systematic way that is easily understandable, also to third parties. For instance, a folder name may begin with the project number, followed by a low line _ (e.g.: 2018-025_).

A.6. Anonymization of personal data used in research projects must be in accordance with Section D on anonymization and pseudonymization of personal data.

A.7. Publication of research data must follow IST’s instruction, Section E, on publishing.

A.8. Deletion and filing of research data must be in accordance with IST’s instruction, Section C, on data.

A.9. If a respondent or someone else whose data are registered in the research project requires document access, objection, deletion, data portability, limitation and/or correction, this request must, within 48 hours, be forwarded to the legal office of the Rector’s secretariat via email to jura@sdu.dk. The matter with be dealt with here. More information about this below

A.10. In case of breach of personal data security, you must at once contact IT-Helpdesk and follow the instruction in "Vejledning til håndtering af brud på persondatasikkerheden" from IT-service.

A.11. At least two people at IST/SDU must have access to all project documentation and they must know where the data are located. In each research unit, at least one person must be responsible for data management. This person will have access to projects with only one researcher. Also, the data management responsible will have the necessary overview over the projects and will introduce new employees to the instruction.

A.12. Dispensation from the rules in the instruction requires approval from the Head of Institute. Request for dispensation must be sent via email to: IST-sekretariatet@health.sdu.dk.

Section B

Treatment and storage of applications, refusals, and grant funding letters

(only in Danish – see the Danish instruction).

Section C

Treatment and storage of research data

As you are the data controller, all items must be completed

For purely register-based projects using data from Statistics Denmark or the National Health Data Authority (DST/SDS), you must follow their storage and treatment rules. If you have to send SDU research data to the DST/SDS, you must follow the rules in the instruction regarding the data storage at SDU.

General information

C.1. Research data must be treated as sensitive personal data.

C.2. Research data must be stored on a secure server at SDU.
C.2.a. During data collection, data may be stored on OneDrive, SharePoint, Nextcloud or PF-Share (but only as long as it is necessary).

C.3. Research data must be de-identified (encrypted) as soon as possible.
C.3.a. If person-identifiable data (CPR-number, name, and telephone number, among others) are to be stored, this must be done separately from the encrypted data, separated either technically or administratively.
C.3.b. File names must not contain person-identifiable information

C.4. Two people from SDU who are affiliated to the project or to the research unit must have access to the research data (one of them could e.g. be the person at the unit who is responsible for data management).

C.5. Students, guest researchers, and PhD-students that are not employed at SDU are considered external researchers, and RIO must be contacted before they can be granted access to personal data. They must only analyze SDU-data on secure servers.

C.6. When you are working with research data outside SDU and at your remote workplace (including trains, airports etc.) you need to use a VPN (virtual private network) connection and you must make sure that other people cannot see your screen. Data collection (in general)

C.7. If you choose to communicate with respondents electronically, it should be by means of e-Boks (SDU e-Boks), or, alternatively, via encrypted mail.

C.8. Handling of personal data on paper must be in accordance with the SDU Guidance for handling of data on paper.

C.9. Exchange of research data must only occur by means of an SDU-approved method.

C.10. Each respondent must be assigned a project-specific serial number (ID-number). You must use this number when you search for a respondent, both when you search electronically, in paper format or in devices.

C.11. Data collection management files (files with names, addresses, phone numbers etc.) that are used for managing the collection of information) must also be treated as sensitive personal data. For more information, see the SDU Guidance on Local Databases.

Data collection (Consent and Duty of Disclosure)

C.12. You have a duty of disclosure towards the respondents, i.e. you must make sure that the respondents are given the following information: The name of the Data Controller and the name of the Data Protection Officer, including contact information, the purpose of the data collection, the legal basis (the Danish Data Protection Act, Section 10, or consent), how their personal information is treated, and their right to complain and to withdraw their consent.

C.13. You can ask RIO whether it is necessary to use consent or whether the data collection falls under the Danish Data Protection Act, Section 10 (about research). In both cases you need to inform RIO about the purpose of the data collection and how the data will be handled. This you have done already when you submitted your application to RIO, cf. A.1.e., and you have to refer to the RIO number when communicating with RIO.

C.14. The letter of consent must not include CPR-numbers. Consent and information letters must either:
C.14.a. be sent to respondents via SDU’s e-Boks/encrypted mail, or
C.14.b. be sent by ordinary mail, or
C.14.c. be handed over by the interviewer.

C.15. If consents are in paper format, they must be scanned and saved in Acadre as soon as possible. Each consent file must include the ID-number/numbers of the respondent in the file name. The consent in paper format must be handled according to the SDU Guidance on handling of data on paper, i.e. the consent must be destructed or stored according to the instructions.

C.16. Regarding all electronic consents, the respondents or their proxies are responsible for checking the consent box themselves. Electronic consents must be saved at the same place as the data, and the consent information must be registered in Acadre.

Data collection (use of electronic devices and instruments)

C.17. Electronic devices (cameras, dictating machines, lung function measuring instruments, ultrasound scanners etc.) should, if possible, be encrypted and password-protected. If they can automatically transfer data to an SDU-approved system in a secure way, this function must be used.

C.18. If you have to enter a respondent number into a device during data collection, only the ID-number of the respondent must be used. The respondent’s initials can be included as an extra linkage safety.

C.19. Data stored in electronic devices must as soon as possible be deleted from the device. Data files that are retrieved from the devices must be named in an appropriate way. Names and CPR-numbers must not be used in the file names, only the ID-numbers of the respondents.

Data analysis

C.20. Data analysis must take place by use of SDU’s secure server system.

C.21. Preparation of data for analysis must be documented in such a way that the original information can be reconstructed. This should follow the data management plan. For further explanation, please see the requirements of the Danish National Archives.

C.22. It must be possible to reconstruct prepared data. Therefore, code and log files for the data generation must be saved on the same server as the data, with a suitable file structure and file naming.

C.23. It is mandatory that research results can be reconstructed. Therefore, code and log files for analysis and reporting must be saved together with the data, with a suitable file structure and file naming.

Section D

Anonymization and pseudonymization of personal data

Please first consult the definitions of the different terms regarding personal data, “anonymization” and “pseudonymization” in the List of Words and Terms.

Qualitative research

Anonymization of qualitative research data is considered practically impossible, as the respondents will be able to recognize themselves in the data. However, nobody else must be able to identify the respondent. Data must be encrypted as soon as possible as described in Section C above.

Quantitative research

Anonymization of quantitative research is considered practically impossible if the data set is to be used for research analysis. It is mandatory to be able to document the anonymization process, which is a requirement from the Danish Data Protection Agency.

Pseudonymization is equivalent to anonymization, only there is a code that traces back to the original person information. Pseudonymization is therefore just as difficult to carry out, and the pseudonymization process must also be documented.

There may still be cases in which anonymization is desirable:
Data sets for development of scripts which will subsequently be run on real data
Data sets for teaching purposes
Research using anonymous data Scientific journals’ publication requirements
Handling of data, e.g. in the public domain

D.1. All use of anonymized/pseudonymized research data outside SDU’s secure IT-systems (SDU’s secure server system) as well as the documentation for the anonymization/pseudonymization are to be approved by the research unit’s Head of Research or by the data management responsible.

D.2. An anonymization document must be drawn up that describes the anonymization/pseudonymization. This document should contain:
D.2.a.i. Information on the project (RIO-approved), and which data are to be anonymized/pseudonymized.
D.2.a.ii. Which methods are used for the anonymization/pseudonymization, see notes for further info (in Danish).
D.2.a.iii. The script (may be the anonymization document) used for the anonymization.
D.2.a.iv. Information about recipients for the anonymized/pseudonymized data set.
D.2.a.v. List of variables for the anonymized/pseudonymized data set.

D.3. Anonymization/pseudonymization must comply with IST’s technical requirements for anonymization.

D.4. The anonymization document must be saved together with the anonymized data set in the project documentation directory.

D.5. During pseudonymization, the key file must be stored in an SDU-approved system, e.g. OneDrive, and kept separately from the pseudonymized data.

Section E

Publication of research data

E.1. Publication of research data at IST must be in accordance with the Danish Codex for Research Integrity (both the summary and the full version) and with the rules of good scientific practice at SDU.

E.2. Publication of research data should apply ORCID (Open Research Contributor ID), which is a digital identifier that distinguishes one researcher and scientific author from every other researcher and scientific author. It is recommended that each researcher links to their ORCID on their PURE-profile.

E.3. It is recommended that published articles on your PURE-profile are linked to their DOI (Digital Object Identifier).

E.4. Research publications must be recorded in SDU’s research database, PURE. It is recommended that research articles are recorded as “Open Access” if this is possible according to ethical, legal, contractual regulations and intellectual rights of property.
E.4.a. IST does not grant financial support for publications with Open Access. However, SDU has an Open Access Foundation.
E.4.b. If finances allows it, Open Access with per-article charge is recommended (either as “Full” Open Access or “Gold” Open access).
E.4.c. If this is not possible, “Green” Open Access is recommended. This means that the author has been granted permission to file a copy of his/her work in a digital archive.

E.5. You may check whether you ought to have a copyright license such as a Creative Commons. Presentation of research results in written form

E.6. Research results must be published in such a way that individuals cannot be recognized. If you publish transcribed interviews, you must check these for person-identifiable information such as person names, place names, details on health information, photos and dates. However, you may use word-for-word- quotations from respondents. Availability of raw data

E.7. Most of IST’s research data cannot be made available in raw form. Metadata, i.e. data management plan, codes etc. must made available according to SDU’s Open Science Policy and the principles of FAIR.

E.8. Research data must be anonymized before being made available (see Section D). Storage of raw data and corresponding analysis files

E.9. Research data (raw data) must be recorded or deleted according to the permission from RIO. E.10. You must make sure that the results can be reconstructed for a certain time after publication. E.g. for a DST-project, you must keep the retrieval description and the analysis files.