Data protection and storage

Researchers at CAPHRI are required to design and conduct their research that deals with sensitive personal (medical) information in a way that privacy is respected. UM has several different providers of advice and solutions on data storage and management. 

European, Dutch and local laws, regulations and guidelines share a commitment to the protection of research subjects’ privacy and require researchers to produce and handle personal data carefully, refrain from sharing it beyond the research team and store and retain the data safely. At the same time, norms prescribing responsible research invite researchers to share data to allow reproduction and verification, and to store data for extended periods, to allow reanalysis or reuse. 

Maastricht University’s Data Management Code of Conduct explains how long you need to store data and where, whose property research data is and who can be granted access under which conditions. As a general rule, retain your data 10 years after the last publication and store it safely on UM servers. Researchers are free to grant other researchers access to their data, provided this does not breach other contractual obligations. Read the full text here. Practically, this means that members of the research team need to live up to a series of requirements, which are listed below. All projects involving data use should have a data management plan, and Datahub provides a template that researchers can use to create one. Some funders, including ZonMw and NWO, require use of this template and approval of plans by a data management specialist.

Responsibilities

All researchers (including students and supporting staff):

• Stimulate awareness among peers and research assistants;
• Remain vigilant. This means:
  • Never share access to accounts (UM or MUMC+), not to new peers or students, etc.;
  • Never leave your computer unlocked when leaving your office (locking your computer can be done by pressing 'windows button-L');
  • At the end of the day, put all sensitive info in secure storage;
  • Store all data on UM servers. Do not use local drives, flash drives

Project leaders:

• Document relevant decisions made regarding sensitive data;
• Ensure compliance to these requirements from peers and research assistants;
• Remain vigilant.

Data permissions

Non-sensitive/anonymous data can be used without any restriction or permissions. Privacy is not a serious concern in this situation. Examples include statistical data from the CBS or number of patients who visited an institution or hospital. Anonymised data is considered anonymous only when identification of a person requires application of unreasonable means or disproportionate time and effort. Anonymous data, however, can be confidential because of agreements in the context of data collection, research prior to filing a patent or for (other) competitive reasons.

Data that contains personal information, data that is not completely anonymised or data that cannot be anonymised (e.g. qualitative research data) is always considered sensitive and needs to be treated accordingly. Collecting personal (medical) data requires informed consent to use or collect data. If consent cannot in all fairness be required or achieved, contact the METC or non-WMO IRB.

Data handling and encryption

• If possible, de-identify data during collection or directly after collection;
• Collect only the variables required to answer your research question;
• Store and process data always on UM/MUMC+ servers. Use data encryption when working outside the network. For info on encryption, see below.
• Data incidents (data loss, hacks, etc.) need to be reported to the Caphri Quality Committee;
• Outsourcing of data handling to third party services require those services to agree (in writing) on secrecy and security issues, incident handling and the destruction of data afterwards. Contracts are often required when sharing data outside UM, and advice on this can be sought from the CAPHRI Management Office.
• To encrypt sensitive data, we advise the open source platform 7zip. Use 265-AES encryption and a long password (recommendation of 12 characters or more). Do not send encrypted files and passwords using the same medium. Online instructions for how to encrypt using 7zip, can be found here.