Solutions for the questions in IST GDPR awareness survey
Question 1: In case you need help with data protection, who can you contact at SDU?
SDU has a data protection officer (DPO), Simon Kamber (email: dpo@sdu.dk).
SDU RIO can help with legal questions regarding the handling of personal data: https://www.sdu.dk/en/forskning/service_til_forskere or directly via email to sdu.persondata@sdu.dk
General information on data protection at SDU can be found here: https://www.sdu.dk/en/om_sdu/om_dette_websted/databeskyttelse
Information on research data management support at SDU is gathered here: https://www.sdu.dk/en/bibliotek/forskere/rdm+support
Question 2: Please insert link (path) to the IST Research Instruction website
https://www.sdu.dk/en/om_sdu/institutter_centre/ist_sundhedstjenesteforsk/forskningsinstruks
Question 3: Suppose you, by mistake, have sent an email containing personal data. What do you do?
There are two components to this case.
Did you send personal data to a recipient who has no right to these data? In that case, report the security breach immediately to SDU via IT Service (servicedesk, template: https://www.sdu.dk/-/media/files/om_sdu/fakulteterne/sundhedsvidenskab/gdpr/registreringsskema+ved+sikkerhedsbrud.pdf - only in Danish) and contact the recipient to ask them to delete the email, but do not delete the email from your own sent-post folder until you receive further instructions.
Did you use email to transfer personal data to a recipient who has the right to see these data? In that case, as a security measure, delete the email from your sent-post folder (remember to delete it from the deleted-post folder as well!) and contact the recipient to do the same, even though SDU emails are encrypted between SDU accounts. Do not use email to transfer personal data.
Question 4: Specify in which category (A=anonymous, P=pseudonymized, E=encrypted, PI=person identifiable) the following types of data belong to:
• An audio file of a patient interview, in which there are no names and place references. E
• A dataset containing blood test results; Social Security numbers are encrypted. E (but see below)
• An extract of a clinical database with information about type of operation, time of operation, diagnosis, age, gender and municipality, but no Social Security numbers. E (but see below)
• Qualitative interviews with relatives of patients with a rare disease; there are some place references and first names. PI
• A data set with mortality rates by age, gender and region, obtained from Statistics Denmark (https://www.statistikbanken.dk) A
To read up on terminology, you could have a look at the IST Research Instruction website: https://www.sdu.dk/en/om_sdu/institutter_centre/ist_sundhedstjenesteforsk/forskningsinstruks/ordliste
Very briefly, on the difference between pseudonymized and encrypted data: a person (typically a row in your spreadsheet) becomes identifiable when you collect a lot of information (that is, you have many columns, i.e. variables, for each row), even though you have deleted all apparent identifiers such as names, CPR numbers, etc. Therefore, a dataset does not meet the condition of pseudonymity when it is sufficiently large in terms of variables. But a dataset containing information about type of operation, time of operation, diagnosis, age, gender and municipality might well be pseudonymized – if there are more than three persons in all possible subgroups defined by all possible combinations of variables.
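The subgroup rule above can be checked mechanically before an extract is treated as pseudonymized. The following is an added example, not part of the original solutions; the column names, the coarsening of "time of operation" to a year, and the sample rows are constructed assumptions.

```python
from collections import Counter

# Columns from the clinical-database example (names are assumptions).
QUASI_IDENTIFIERS = ("operation", "year", "diagnosis", "age_band", "gender", "municipality")
MIN_GROUP_SIZE = 4  # "more than three persons" in every subgroup


def subgroup_sizes(rows, columns=QUASI_IDENTIFIERS):
    """Count persons per combination of values of the given columns."""
    return Counter(tuple(row[c] for c in columns) for row in rows)


def risky_subgroups(rows, columns=QUASI_IDENTIFIERS, min_size=MIN_GROUP_SIZE):
    """Return {combination: count} for subgroups smaller than min_size."""
    return {k: n for k, n in subgroup_sizes(rows, columns).items() if n < min_size}


def meets_threshold(rows, columns=QUASI_IDENTIFIERS, min_size=MIN_GROUP_SIZE):
    # Subgroups on fewer columns are unions of these, so they can only be larger.
    return not risky_subgroups(rows, columns, min_size)


def _person(*values):
    return dict(zip(QUASI_IDENTIFIERS, values))


# Constructed sample extract: no names, no CPR numbers.
SAMPLE = (
    [_person("hip replacement", 2019, "M16", "70-79", "F", "Odense")] * 5
    + [_person("hip replacement", 2019, "M16", "70-79", "M", "Odense")] * 4
    + [_person("heart transplant", 2019, "I42", "30-39", "M", "Langeland")] * 1
)

if __name__ == "__main__":
    for combo, n in risky_subgroups(SAMPLE).items():
        print(f"only {n} person(s): {combo}")
    print("threshold met:", meets_threshold(SAMPLE))
    # Dropping one column does not necessarily rescue a rare case.
    coarse = [c for c in QUASI_IDENTIFIERS if c != "municipality"]
    print("after dropping municipality:", meets_threshold(SAMPLE, coarse))
```

A single rare combination is enough to fail the check, so the extract as a whole stays person identifiable until that row is suppressed or the variables are coarsened further.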
Question 6: Where do you store and/or analyze personal data for research, according to the IST Research
Instruction? Note: The question is not about temporary storage of personal data.
| Location | Ok for storage of personal data | Ok for analysis and storage of personal data |
| --- | --- | --- |
| OneDrive | yes | no |
| Sharepoint | yes | no |
| PF-share | yes | no |
| S4 | yes | yes |
| Nextcloud | yes | no |
| PC desktop/C-drive | no | no |
| Own phone | no | no |
| Approved data processor, e.g. Statistics Denmark | yes | yes |
| Dropbox | no | no |
Question 8: Where are the data management plans for the project(s) kept?
When a data management plan (DMP) does not contain personal data, it does not have to be stored on a
secure site. But since all documentation of a research project should be stored in one place according to
the IST Research Instruction, it could be sensible to place all documentation files, including the DMP,
possibly together with your original data (in an encrypted folder) on a secure server.
Question 9: Imagine that a doctor at Rigshospitalet, who you know, contacts you and asks you to do
some quick statistical analyses on some patient data that he has on a spreadsheet. SDU can invoice him
for your efforts. What do you do?
The data controller (person or institution) is responsible for drawing up a data processor agreement with
the data processor. Therefore, you ask the doctor to request a data processor agreement from the Capital
Region of Denmark. Because it is you as an SDU employee, and not you as a private person, who will do the
data processing, it is SDU that signs the agreement for you. Therefore, you ask RIO to review and sign the
agreement when it arrives. Then you can start having fun with the analyses.