Data @ Reed

Data Privacy

Working with data from or about people? Whether you are collecting data or reusing previously collected data that is personally identifiable, you should consider data privacy issues and ensure you are managing data responsibly. If you are working with data from people residing in the EU, you will have specific legal obligations.

What is personally identifiable data?

Data such as names and ID numbers is directly identifiable. Indirectly identifiable data enables personal identification when used in combination, for example, age+occupation+census tract or birthdate+gender+college major.

What is Data Privacy?

Different types of personal data have different levels of risk associated with them. Data is “classified” by levels of risk to the subject; privacy means protecting data appropriately for the level of risk. For more information, see the Reed data classification and handling guidelines.

When is human subjects review (IRB) required?

Research on human subjects that will be published or presented, including a senior thesis, requires review and approval by the Institutional Review Board (IRB). Research for course assignments that will not be distributed publicly does not require IRB review.

How can I protect personal data used in my research?

Whether or not your research requires IRB approval, you should develop a plan to meet your legal and ethical responsibilities as a researcher and follow these best practices:

  • Get informed consent when gathering personal information, and only use the data for research purposes.
  • Only collect risky data if it is integral to your research, or try to make the data less risky. For example, do you need the exact date of birth, or will age suffice? Can you anonymize personal information you collected?
  • Only save personally identifiable data as long as it’s needed for your research, which could include future needs such as presentations or archiving requirements. Develop a plan for securely deleting sensitive research data when it is no longer needed.
  • If data will be shared, FileRobot is more secure than email for transferring sensitive data.
  • Follow Reed’s Data Privacy Policy and link to it from data collection instruments (it is already linked from the Reed Qualtrics template).
  • Secure your data with strong passwords, whole disk encryption, and reliable backups
  • Follow terms of service and security requirements for data acquired from external sources

Special considerations for data gathered in the European Union

If your data is being collected from human subjects in the European Union (EU), then you also need to comply with the General Data Protection Regulation (GDPR). Under GDPR there must be a legal basis for collecting personal data - for most scholarly research the legal basis is the legitimate interests of the researcher.

Personal data are “personally identifying” data either alone or in combination with other data. Special categories of personal data include information relating to health, race, sexual orientation, biometrics, political views, religion, genetics, or children. Higher risk data carries higher standards for protection.

If your research may involve EU subjects, follow these steps:

  • Determine whether GDPR is applicable
    • Do the data subjects reside in the EU while participating in the study?
    • Is personal information being collected?
    • Are the data subjects identifiable, either directly or indirectly?
    • Does the personal data fall into a “special category”?
  • Justify the legitimate interest in gathering and processing the data
    • Ensure that the specific data items being collected are necessary for the purpose(s) of the research
    • Evaluate and document the risks to the data subjects
    • Develop a plan for managing and deleting the data in a manner that balances your research needs with subject risks
    • Review What is the ‘legitimate interests’’ basis? from the UK Information Commissioner’s Office.
  • Follow the best practices for data security and privacy, as described above