Personal data management

This section provides a general overview of things to consider when working with personal data. For a more practical overview of tools and practices that facilitate reproducibility, please see the Sensitive Data Projects chapter.

Personal data

Personal data is information about living people who can be identified, either directly or indirectly, using the data that you are processing (for example, a person’s name, address or other unique identifier such as their Social Security number). “Data related to the deceased are not considered personal data in most cases under the GDPR.” Indirect identifiers include health, economic, cultural or social characteristics. Care must be taken to manage the data properly, especially when a certain combination of these identifiers can be used to identify a person. Particularly sensitive data include data relating to a person’s:

  • racial/ethnic identity

  • political opinions

  • religious/philosophical beliefs

  • trade union membership

  • genetic and biometric data

  • physical or mental health

  • sexual orientation

Personal data policies

There are various policies in place in different countries to protect the rights of individuals over their personal data. For example, in Australia personal data is regulated under the Australian Privacy Act. In the European Union the GDPR (General Data Protection Regulation) applies to the processing of personal data and may require you to carry out a Data Protection Impact Assessment (DPIA). Processing means doing anything with a person’s information, including collection, storage, analysis, sharing, deletion and destruction. To ensure that you are up to date with the requirements of managing sensitive data, please review the national/institutional policies that apply to your research. See [HCH+15] for recommended practices for sharing clinical trial data.