Destruction, anonymisation or archiving of data at the conclusion of research
When a study ends, the controller must ensure that the data is appropriately destroyed, anonymised or archived.
Data protection regulations give personal data a lifespan: the processing of personal data has a defined beginning and a defined end.
Research projects must specifically consider
- how long personal data needs to be processed for the study;
- how long the data needs to be stored after the completion of the study, for example to ensure the reliability of research results; and
- what to do with the research data when storing it is no longer required for the completed research project.
The duration of the study should be defined as precisely as possible in the planning phase. If a precise end date is impossible to specify, the duration should be expressed in another verifiable way (such as by defining the research sample and a limited follow-up period). The team should also decide in the planning phase whether the project will be a cross-sectional or follow-up study.
The GDPR emphasises the protection of personal data and the principle of data minimisation in scientific research. Throughout the duration of the study, and especially at its conclusion, the controller must ensure that personal data is not processed more extensively than necessary. Necessity must be evaluated in relation to the purposes for which the data was collected.
At the end of the personal data’s lifespan, the data can be destroyed, anonymised or archived, provided there are appropriate grounds for the chosen option. Any continued processing of personal data must still serve the primary purpose for which it was collected; only in exceptional cases is data considered so valuable that storing it for other purposes would be justified.
The most effective way of destroying research data depends on the storage medium. Paper materials can be destroyed by shredding or burning. Data on a USB stick or other removable medium can be destroyed by physically destroying the device. Electronic data on a disk can be overwritten. Merely deleting a file or moving it to the computer’s recycle bin does not erase the data: the file system only marks the space as free, and the contents remain recoverable until they are overwritten. Note also that overwriting individual files is not reliable on SSDs (wear levelling can leave old copies in blocks the operating system cannot address), on copy-on-write or journaling file systems, or where backups and snapshots exist; in such cases, destroying the whole medium, using the drive’s built-in secure-erase function, or destroying the key of a fully encrypted volume is more reliable. A data security expert should be consulted on the destruction of personal data if possible.
Anonymisation alters the data in a manner that permanently prevents the identification of individuals. The possibility of identification must be assessed from the perspectives of the controller and other parties that may possess information that could be used to render the anonymised data back into identifiable form.
If the data can be returned to identifiable form with the original source data (such as by comparing the file to patient records), it is pseudonymised rather than anonymised and still constitutes personal data, because it can be connected to specific individuals with the help of other information.
If you intend to anonymise your research data, this objective should be considered already when planning the collection and processing of the data. You can then choose data collection and organisation methods that make it easier to anonymise the data when it is compiled for the study.
For example, the identifying information of research subjects can be placed on a part of the form that is easy to cut off and destroy, and data on the subjects can be collected at a less detailed level, such as by age bracket (20–24 years, 25–29 years) rather than exact age.
If you are not familiar with anonymisation, you should request assistance from someone with sufficient experience and knowledge of the anonymisation of research data. Depending on the data, anonymisation can be expensive or even impossible to implement. You should also weigh the objective value and reuse potential of the research data before undertaking its anonymisation.
Further information on anonymisation is available from the Article 29 Working Party’s opinion 5/2014 on anonymisation techniques.
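The generalisation step described above (collecting age by bracket, dropping the directly identifying part of the record) can be checked mechanically before a file is released: if a combination of coarsened fields still occurs only once, anyone who holds the source data can link that record back to a person. The following is an added example, not code from the original guidance. It assumes hypothetical record fields (`national_id`, `age`, `postcode`, `outcome`), a constructed sample of seven records, and a minimum group size `k` chosen by the researcher; it widens the age bracket and, where that is not enough, suppresses the remaining outliers.

```python
"""Added example (not part of the original guidance): generalise
quasi-identifiers and check that no record is unique on them.

Assumed, hypothetical layout: each record has a direct identifier
'national_id', quasi-identifiers 'age' and 'postcode', and one study
variable 'outcome'. Bracket widths and k are parameters chosen here.
"""
from collections import Counter

# Constructed sample data, not real subjects.
RAW_RECORDS = [
    {"national_id": "ID-001", "age": 23, "postcode": "00100", "outcome": 1},
    {"national_id": "ID-002", "age": 24, "postcode": "00120", "outcome": 0},
    {"national_id": "ID-003", "age": 27, "postcode": "00100", "outcome": 1},
    {"national_id": "ID-004", "age": 29, "postcode": "00130", "outcome": 0},
    {"national_id": "ID-005", "age": 41, "postcode": "33100", "outcome": 1},
    {"national_id": "ID-006", "age": 47, "postcode": "33200", "outcome": 0},
    {"national_id": "ID-007", "age": 65, "postcode": "90100", "outcome": 1},
]

DIRECT_IDENTIFIERS = ("national_id",)
EXACT_FIELDS = ("age", "postcode")            # replaced by coarser versions
QUASI_IDENTIFIERS = ("age_bracket", "area")   # fields an attacker could link on


def age_bracket(age, width=5):
    """Map an exact age to a bracket label such as '20-24'."""
    lo = (age // width) * width
    return f"{lo}-{lo + width - 1}"


def generalise(record, width=5, postcode_digits=2):
    """Drop direct identifiers and replace exact fields with coarser ones."""
    out = {name: value for name, value in record.items()
           if name not in DIRECT_IDENTIFIERS and name not in EXACT_FIELDS}
    out["age_bracket"] = age_bracket(record["age"], width)
    out["area"] = record["postcode"][:postcode_digits]
    return out


def equivalence_class_sizes(records, keys=QUASI_IDENTIFIERS):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[key] for key in keys) for r in records)


def records_below_k(records, k=2, keys=QUASI_IDENTIFIERS):
    """Quasi-identifier combinations shared by fewer than k records.

    Each such combination singles out an individual to anyone who holds the
    source data (e.g. the patient register), so the file is not anonymous yet.
    """
    return {combo: n for combo, n in equivalence_class_sizes(records, keys).items()
            if n < k}


def anonymise(records, k=2, widths=(5, 10, 20)):
    """Generalise with the narrowest age bracket that needs the fewest
    suppressed records, then suppress the records that are still below k.

    Returns (anonymised_records, chosen_width, number_suppressed).
    """
    best = None
    for width in widths:
        out = [generalise(r, width) for r in records]
        small = records_below_k(out, k)
        n_suppressed = sum(small.values())
        if best is None or n_suppressed < best[2]:
            best = (out, width, n_suppressed, small)
        if n_suppressed == 0:
            break
    out, width, n_suppressed, small = best
    kept = [r for r in out
            if tuple(r[key] for key in QUASI_IDENTIFIERS) not in small]
    return kept, width, n_suppressed


if __name__ == "__main__":
    released, width, dropped = anonymise(RAW_RECORDS, k=2)
    print(f"age bracket width {width}, {dropped} record(s) suppressed")
    for row in released:
        print(row)
```

On the sample above, 5-year brackets leave three records unique; 10-year brackets reduce this to one outlier (age 65, area 90), which no further widening fixes, so that record is suppressed. Group size alone is not a sufficient test: if every record in a class shares the same `outcome`, the attribute is disclosed even though no individual row is singled out, which is one of the failure modes discussed in the Article 29 Working Party opinion cited above.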
According to the General Data Protection Regulation, the controller remains responsible for archived materials containing personal data. Research data can only be archived when it is no longer in active use. Archived data can be used later to check or confirm the findings and methods of the study.
Research data files can be archived on various legal bases. Authorities can archive data on the basis of statutory obligations (GDPR, Article 6, paragraph 1(c); Archive Act (831/1994)). In other cases, the archiving of research data may be possible if processing for archiving purposes is necessary and proportionate to the aim of public interest pursued and to the rights of the data subject (GDPR, Article 6, paragraph 1(e); Data Protection Act, section 4, paragraph 4).
The authority’s archiving plan may contain an explicit time limit for the storage of research data generated in the course of the authority’s duties.
Other parties must assess the conditions for archiving on the basis of general data protection regulations. The requirement of necessary and proportionate processing means that the justification for storing each item or category of personal data should be assessed on a regular basis with regard to the need to archive data in the public interest. The value and possible research applications of the data have a particular bearing on the need for archiving. The assessment should pay particular attention to the principles for the processing of personal data laid out in the General Data Protection Regulation, especially the principles of data minimisation (GDPR, Article 5, paragraph 1(c)) and storage limitation (GDPR, Article 5, paragraph 1(e)). Technical and organisational safeguards implemented in proportion to the risk entailed by the processing must also be addressed in the assessment.
The controller must take the rights of the data subject and other general principles for the processing of personal data into account when assessing the proportionality of the processing. If the rights of the data subject have been derogated from by virtue of section 32 of the Data Protection Act, the controller must pay special attention to this when assessing the proportionality of the processing. As a rule, data subjects are entitled to exercise their rights under the GDPR also with regard to data archived in the public interest. The first condition for derogation is that the processing in the public interest is subject to the appropriate safeguards for the rights and freedoms of the data subject in accordance with the GDPR (see GDPR, Article 89, paragraph 1).
Section 32 of the Data Protection Act additionally specifies that
- the right of access by the data subject;
- the right to rectification;
- the right to restrict processing;
- the notification obligation regarding rectification or erasure of personal data or restriction of processing;
- the right to data portability; and
- the right to object
can be derogated from on the basis of a case-by-case assessment only insofar as
- they would probably prevent or seriously hinder the achievement of the study’s specific purposes; and
- the derogations are necessary for the achievement of these purposes (see GDPR, Article 89, paragraph 3).
If the archived research data contains special categories of personal data, the safeguards provided for in the Data Protection Act must be observed in addition to the above. Furthermore, the purpose of the archiving must be in the public interest. Archiving could be necessary for the public interest if the controller has a statutory or regulatory duty to store research data and make it available. Another important consideration is whether the archiving activities are based on a plan available to the public. The Data Protection Act’s concept of archiving purposes in the public interest is not fully equivalent to the expression “processing for archiving purposes in the public interest” used in the GDPR, but has a narrower scope of application.