Section A
Please note that most of the information under this section is already in the Data Management Plan. Therefore it is easiest to make the Data Management Plan first and then complete this section
General items
A.1. All research projects must have the necessary project documentation (see items 1.a-1.g below) and must be named and saved on one of the shared network drives, e.g. Sharepoint (for more information, see Section C), so that the research data can be linked to the project documentation. Remember to check if your research unit has specific guidelines, e.g. about where to store project documentation. Data collection must NOT be initiated until the necessary project documentation has been completed and the mandatory approvals have been granted.
Masters thesis students who have an affiliation with IST, must also comply with the research instruction, because SDU is the data controller. For masters thesis students, a Data Management Plan, application to and approval from SDU-RIO, and a project description are sufficient project documentation.
If you have made a Data Management Plan, you have already covered most items of A.1 below.
The project documentation varies according to project type and contains the following items (please note that this is a check list and most are covered by the Data Management Plan):
A.1.a. Project description
A.1.b. The basic information of the project (for more information, please see the notes)
A.1.b.i. Projects numbers (internal registration number, Acadre number, RIO record number)
A.1.b.ii. Project name and abbreviation, if any
A.1.b.iii. Department- and Faculty affiliation
A.1.b.iv. Name of the project controller
A.1.b.v. Name of Principal Investigator(s) and researcher ID (e.g. ORCID)
A.1.b.vi. Name of contact person (plus phone number and email-address)
A.1.b.vii. Project period including storage period (with regard to published articles)
A.1.c. Regarding projects with external financing (see also Section B):
A.1.c.i. Application/grant letter
A.1.c.ii. Name of the funding authority
A.1.c.iii. Budget
A.1.c.iv. Budget approvals from the Head of Department (all projects) and FSØ (projects above 1,000,000 DKK), respectively
A.1.c.v. The SDU project account number
A.1.d. Data management plan (for more information, please see the notes). All new projects must include a data management plan. The Head of Research and/or the person responsible for data management must be involved in this plan. For each project/umbrella project it must be considered whether it would be good to have several data management plans, e.g. one plan for each subproject, or a data management plan covering the entire project.
A.1.e. It is a requirement for ALL projects that personal data are not stored or handled until the project has been notified to RIO (if you are the data controller) or until a data management agreement has been made through RIO (if you are the data processor) (for more information, please see the notes).
A.1.e.i. The project needs a RIO notification and a RIO approval if SDU is the data controller (for more information, please see the notes).
- A data processing agreement must be made if the project uses external collaborators to handle the data (e.g. researchers, students or IT systems).
- The project needs an approval for transfer of data if the data originate from another project.
A.1.e.ii. A data processing agreement must be made if SDU is the data processor and if an external collaborator (e.g. the Region of Southern Denmark) is the data controller. The data processing agreement must be signed by RIO (more information in the notes).
A.1.f. Other relevant notifications and approvals from e.g. The Regional Committees on Health Research Ethics for Southern Denmark, The Danish Patient Safety Authority, The National Health Data Authority, Statistics Denmark, other research registers/clinical quality databases (for more information see the notes).
A.1.g. Data collection plans (for all projects that include data collection) (for more information, please see the notes)
A.1.g.i. Templates for informed consent letters/confidentiality letter. Regarding filing of these letters, please see Section C.
A.1.g.ii. Information to respondents.
A.1.g.iii. Data collection flow.
A.1.g.iv. Method of collecting data and samples, setup and instructions (e.g. for interviewers, respondents, project nurses and lab technicians).
A.2. The project documentation should accurately reflect the research project. Therefore, any changes to the original project plan must appear from the documentation. Changes to projects that include personal data must be notified to RIO (for more information, please see the notes).
A.3. All personal information used in project applications (e.g. applicants’ personal information used for administrative purposes) must be handled and stored according to Section B on handling and storage of documentation regarding grant applications, funding documentation and rejection letters.
A.4. All research data that are used in research projects must be handled and stored according to Section C. on handling and storage of research data.
A.5. Project folders and files must be named in a systematic way that is easily understandable, also to third parties. For instance, a folder name may begin with the project number, followed by a low line _ (e.g.: 2018-025_).
A.6. Anonymization of personal data used in research projects must be in accordance with Section D on anonymization and pseudonymization of personal data.
A.7. Publication of research data must follow IST’s instruction, Section E, on publishing.
A.8. Deletion and filing of research data must be in accordance with IST’s instruction, Section C, on data.
A.9. If a respondent or someone else whose data are registered in the research project requires document access, objection, deletion, data portability, limitation and/or correction, this request must, within 48 hours, be forwarded to the legal office of the Rector’s secretariat via email to jura@sdu.dk. The matter with be dealt with here. More information about this below.
A.10. In case of breach of personal data security, you must at once contact IT-Helpdesk and report the violation at SDU-net here.
A.11. At least two people at IST/SDU must have access to all project documentation and they must know where the data are located. In each research unit, at least one person must be responsible for data management. This person will have access to projects with only one researcher. Also, the data management responsible will have the necessary overview over the projects and will introduce new employees to the instruction.
A.12. Dispensation from the rules in the instruction requires approval from the Head of Institute. Request for dispensation must be sent via email to: IST-sekretariatet@health.sdu.dk.
Section B
Treatment and storage of applications, rejections, and grant funding letters
Applications
B.1. Application for funding, including the application, protocol, CV’s and budget, as well as documentation for approved budget with FSØ, should be saved in a project-specific folder. Remember that applications should be approved by the head of department, and applications exceeding 200,000 DKK should also be approved by FSØ. The secretariat can help with this. Ask the secretariat where the folder should be located. Remember to also make sure information is stored in Acadre (internal archiving system)
B.2. Make sure to delete sensitive and confidential information in the documentation mentioned under B1., e.g. delete the last four digits of CPR-numbers.
B.3. Documents relating to your application can be communicated internally at SDU via two means: Sharepoint or SDU-mail.
B.4. If you use external consultancy firms or similar, make sure that SDU has a data processor agreement with the external firm or person. Ask RIO for help if there are no data processor agreement.
B.5. Documents relating to the application can be communicated externally via Sharepoint – your external collaborators should get access to the Sharepoint site, if SDU is the PI. If your collaborator is the PI, they can establish the means of communication. Regardless of the PI, note that external e-mails should be encrypted if they contain sensitive or confidential information.
B.6. All e-mail containing sensitive or confidential information should be saved in a secure place (cf B1) and be deleted from Outlook as soon as possible
B.7. Printed copies of applications containing personal data should be destroyed as soon as possible. Please refer to SDU guidelines for personal information on paper.
B.8. The secretariat should receive a copy of the final application for achiving in Acadre and SDUpro.
B.9. After submitted application and successful archiving, please state this in the folder.
B.10. Messages from the recipient, e.g. receipt of application should be archived as well.
Rejections
B.11. In the event of rejection, the documentation (e-mail) should be forwarded to the secretariat who will archive it in Acadre.
B.12. The rejection should also be stored in the project specific folder.
Grants
B.13. If you receive a grant, the acceptance letter should be forwarded to the secretariat, who will create a new Acadre file for grant documentation.
B.14. Regardless if the grant covers 100% or less of the applied funds, the budget will be part of the documentation, and should also be forwarded to the secretariat. They will convert it into a template for ”A-budgets”, and they know what that means. Everything is archived in Acadre and approved by the head of department.
Section C
Treatment and storage of research data
SDU is the data controller, therefore all items of this chapter must be observed and adhered to.
For purely register-based projects using data from Statistics Denmark or the National Health Data Authority (DST/SDS), you must follow their storage and treatment rules. If you have to send SDU research data to the DST/SDS, you must follow the rules in the instruction regarding the data storage at SDU.
General information
C.1. Research data must be treated as sensitive personal data.
C.2. Research data must be processed, that is, analysed or looked at, on a secure server at SDU, or on UCloud. Preferably use a SDU-computer, if possible.
C.2.a. During data collection, data may be stored on OneDrive, SharePoint, Nextcloud or PF-Share (but only as long as it is necessary). If you are not using a secure server or UCloud for storage, please use a SDU-computer.
C.3. Research data must be pseudonymounised as soon as possible.
C.3.a. If directly - or indirectly - person-identifiable data (CPR-number, name, and telephone number, among others) are to be stored, this must be done separately from the pseudonymounised data, in a SDU-approved solution (e.g. NextCloud), and separated either technically or administratively, e.g. stored by another person or in another location.
C.3.b. File names must not contain directly - or indirectly - person-identifiable information, e.g. respondent name.
C.4. At least two people from SDU who are affiliated to the project or to the research unit must have access to the research data (one of them could e.g. be the person at the unit who is responsible for data management).
C.5. Students, guest researchers, and PhD-students without affiliation with SDU are considered external researchers, and RIO must be contacted before they can be granted access to personal data. They must only analyze SDU-data on secure servers.
C.6. When you are working with research data outside SDU or your remote workplace (outside SDU could be in public areas such as trains, airports etc.) you need to use a VPN (virtual private network) connection and you must make sure that other people cannot see your screen.
Data collection (in general)
C.7. If you choose to communicate with respondents electronically, it should be by means of the recommended SDU solution, or, alternatively, via encrypted mail.
C.8. Handling of personal data on paper must be in accordance with the SDU Guidance for handling of data on paper.
C.9. Exchange of research data must only occur by means of an SDU-approved method.
C.10. Each respondent must be assigned a project-specific serial number (ID-number). You must use this number when you search for a respondent, both when you search electronically, in paper format or in devices.
C.11. Data collection management files (files with names, addresses, phone numbers etc.) that are used for managing the collection of information) must also be treated as sensitive personal data. For more information, see the SDU Guidance on Local Databases.
Data collection (Consent and Duty of Disclosure)
C.12. You have a duty of disclosure towards the respondents, i.e. you must make sure that the respondents are given the following information: The name of the Data Controller and the name of the Data Protection Officer, including contact information, the purpose of the data collection, the legal basis (the Danish Data Protection Act, Section 10, or consent), how their personal information is treated, and their right to complain and to withdraw their consent.
C.13. You can ask RIO whether it is necessary to use consent or whether the data collection falls under the Danish Data Protection Act, Section 10 (about research). In both cases you need to inform RIO about the purpose of the data collection and how the data will be handled. This you have done already when you submitted your application to RIO, cf. A.1.e., and you have to refer to the RIO number when communicating with RIO.
C.14. The letter of consent must not include CPR-numbers. Consent and information letters must either:
C.14.a. be sent to respondents via SDU’s recommended solution or encrypted mail, or
C.14.b. be sent by ordinary mail, or
C.14.c. be handed over by the interviewer.
C.15. If consents are in paper format, they must be scanned and saved in Acadre as soon as possible. Each consent file must include the ID-number/numbers of the respondent in the file name. The consent in paper format must be handled according to the SDU Guidance on handling of data on paper, i.e. the consent must be destructed or stored according to the instructions.
C.16. Regarding all electronic consents (GDPR-consent, the respondents or their proxies are responsible for checking the consent box themselves. Electronic consents must be saved at the same place as the data, and the consent information must be registered in Acadre.
Data collection (use of electronic devices and instruments)
C.17. Electronic devices (cameras, dictating machines, lung function measuring instruments, ultrasound scanners etc.) should, if possible, be encrypted and password-protected. If they can automatically transfer data to an SDU-approved system in a secure way, this function must be used.
C.18. If you have to enter a respondent number into a device during data collection, only the ID-number of the respondent must be used. The respondent’s initials can be included as an extra linkage safety.
C.19. Data stored in electronic devices must as soon as possible be deleted from the device. Data files that are retrieved from the devices must be named in an appropriate way. Names and CPR-numbers must not be used in the file names, only the ID-numbers of the respondents.
Data analysis
C.20. Data analysis must take place at a SDU’s secure server, that is, S4 or UCloud, alternatively at a data processor such as Statistics Denmark; based on the notion that data should be stored in the same place as the analysis software.
C.21. Preparation of data for analysis must be documented in such a way that the original information can be reconstructed. This should follow the data management plan. For further explanation, please see the requirements of the Danish National Archives.
C.22. It must be possible to reconstruct prepared data. Therefore, code and log files for the data generation must be saved on the same server as the data, with a suitable file structure and file naming.
C.23. It is mandatory that research results can be reconstructed. Therefore, code and log files for analysis and reporting must be saved together with the data, with a suitable file structure and file naming.
Project documentation
C.24. SDU offers a number of solutions enabling access for more than one researcher to project documentation, cf A.11. Nextcloud, PF-share, OneDrive and Sharepoint can be used for project documentation and sharing thereof with colleagues. Set-up of Nextcloud and OneDrive can be done by the researchers themselves, while Sharepoint and PF-share requires help from SDU-IT. All four solutions enable differentiated access, such that, e.g., the project leader has editing rights and others only read access.
Specifically for qualitative analyses
C.25. Data collection using sound or video recordings. It is recommended to use a SDU computer and to record using an online meeting (zoom or MS Teams) for recording. Save the recording directly in a place that is approved for storage of data , e.g. Nextcloud, or transfer the file as soon as possible to this location.
C.26. If you wish to use automatic transcribing, you can use Amberscript. SDU has a data processor agreement with Amberscript. You have to document the software you are using, as well as the corresponding data processor agreements, in the Data Management Plan and in your RIO application. Following the automatic transcription, you should save both the original recording as well as the transcribed file in a place that is approved for storage of data, e.g. Nextcloud.
C.27. Your software for analysis should be in the same place as your data during the entire analysis. If this is not possible or feasible, you have to seek dispensation Din software til analyse skal ligge samme sted som data under al analyse af data. Er dette ikke muligt eller hensigtsmæssig, skal der søges dispensation with the head of department, and you have to complete a security course. Upon dispensation and security course, you are allowed to put your data in Nextcloud, also during analysis.
Section D
Anonymization of personal data
Please first consult the definitions of the different terms regarding personal data, “anonymization” and “pseudonymisation” in the List of Words and Terms.
Qualitative research
Anonymization of qualitative research data is considered practically impossible, as the respondents will be able to recognize themselves in the data. However, nobody else must be able to identify the respondent. Data must be pseudonymounised as soon as possible as described in Section C above.
Quantitative research
Anonymization of quantitative research is considered practically impossible if the data set is to be used for research analysis. It is mandatory to be able to document the anonymization process, which is a requirement from the Danish Data Protection Agency.
There may still be cases in which anonymization is desirable:
Data sets for development of scripts which will subsequently be run on real data
Data sets for teaching purposes
Research using anonymous data
Scientific journals’ publication requirements
Handling of data, e.g. in the public domain
D.1. All use of anonymized research data outside SDU’s secure IT-systems (SDU’s secure server system) as well as the documentation for the anonymization are to be approved by the research unit’s Head of Research or by the data management responsible.
D.2. An anonymization document must be drawn up that describes the anonymization. This document should contain:
D.2.a.i. Information on the project (RIO-approved), and which data are to be anonymized.
D.2.a.ii. Which methods are used for the anonymization, see notes for further info (in Danish).
D.2.a.iii. The script (may be the anonymization document) used for the anonymization.
D.2.a.iv. Information about recipients for the anonymized data set.
D.2.a.v. List of variables for the anonymized data set.
D.3. Anonymization must comply with IST’s technical requirements for anonymization.
D.4. The anonymization document must be saved together with the anonymized data set in the project documentation directory.
Section E
Publication of research data
E.1. Publication of research data at IST must be in accordance with the Danish Codex for Research Integrity (both the summary and the full version are in Danish).
E.2. Publication of research data should apply ORCID (Open Research Contributor ID), which is a digital identifier that distinguishes one researcher and scientific author from every other researcher and scientific author. It is recommended that each researcher links to their ORCID on their PURE-profile.
E.3. It is recommended that published articles on your PURE-profile are linked to their DOI (Digital Object Identifier).
E.4. Open Access publications will be evaluated as all other peer reviewed publications in decisions regarding hiring, tenure and promotion, as recommended by the San Fransisco Declaration on Research Assessment (DORA). The department strives to be explicit about the criteria used to reach decisions in such contexts.
E.5. Research publications must be recorded in SDU’s research database, PURE. It is recommended that research articles are recorded as “Open Access” if this is possible according to ethical, legal, contractual regulations and intellectual rights of property.
E.5.a. IST does not grant financial support for publications with Open Access.
E.5.b. If finances allows it, Open Access with per-article charge is recommended (either as “Full” Open Access or “Gold” Open access).
E.5.c. If this is not possible, “Green” Open Access is recommended. This means that the author has been granted permission to file a copy of his/her work in a digital archive.
E.6. You may check whether you ought to have a copyright license such as a Creative Commons.
Presentation of research results in written form
E.7. Research results must be published in such a way that individuals cannot be recognized. If you publish transcribed interviews, you must check these for person-identifiable information such as person names, place names, details on health information, photos and dates. However, you may use word-for-word- quotations from respondents.In such cases, the respondent can recognize themself, but others should not be able to identify the respondent. If in doubt, ask the respondent.
Availability of raw data
E.8. Most of IST’s research data cannot be made available in raw form. Metadata, i.e. data management plan, codes etc. must made available according to SDU’s Open Science Policy and the principles of FAIR.
E.9. Research data must be anonymized before being made publicly available (see Section D).
Storage of raw data and corresponding analysis files
E.10. Research data (raw data) must be recorded or deleted according to the permission from RIO.
E.11. You must make sure that the results can be reconstructed for a certain time after publication. E.g. for a DST-project, you must keep the retrieval description and the analysis files.