F.A.Q. - Research and protection of personal data

Section I - Research data and personal data

Research, by definition, cannot do without data. Data are, in general, a container of the most varied information: they represent not only the food by which any study is nourished, but also form part of the product of the completed investigation, thereby traversing the entire life cycle of any research activity.

However, not every piece of data part of the research constitutes personal data. Just think, for example, about the quotation in a footnote that refers to an important monograph, the work of an illustrious Master: no one can doubt that, in principle, the author's name and surname should be protected in the same way as personal data, as well as the quoted thought - information that, rightly, is attributed to whoever is its progenitor.

It is necessary to make a distinction, not only because some data is already being made public and is accessible by anyone (e.g. data contained in research databases), but it is also important to consider the use of the data according to the objectives pursued, in concrete terms, by those who use the information: the protection of personal data in the context of scientific research only contemplates that subset (smaller than the broad category of research data but not necessarily reduced in terms of dimensions) of information belonging to those who, spontaneously or not (for example, by taking part in surveys or through video-interviews, or through the use of genetic samples deposited in specific banks), find themselves “participating” in the research activity, given that the data offered by private individuals is a very important tool for the study carried out.

In summary, the perspective to be taken is, in essence, relative: each researcher is put to the test in having to identify the personal data to which maximum attention must be given, in order to avoid slipping, more or less consciously, into non-authorized and, therefore, illegal personal data processing operations.

"Personal data" means any information that concerns an identified or identifiable natural person. In practice, any information when associated, directly or indirectly, with a specific individual is to be considered personal data.

At the opposite extreme of personal data is anonymous data, which does not in any way allow the identification of the individual and does not fall within the scope of application of privacy legislation.
Then there are de-identified (or pseudonymised) data, that are, personal data that do not permit the immediate identification of an individual, but that, if associated with other information, can then identify the data subject. De-identified data are personal data and therefore subject to the legislation on personal data.

If the notion of an "identified" person is easily understandable, it should be noted that "identifiable" is an individual who can be identified directly (e.g. by their name) or indirectly (e.g. by their address or position held), and/or by one or more specific elements of physical, physiological, genetic, psychic, economic, cultural or social identity.

It should be emphasized that information concerning companies, associations, committees and other entities does not constitute personal data: they are not, in fact, natural persons, but legal persons. However, legal person’s data are not totally excluded from the application of privacy regulations; in fact, for example, unsolicited communications cannot be sent, even to legal persons, without the prior consent of the recipient.

Examples of personal data:

  • personal details (e.g. name, surname, gender, age, date of birth);
  • contact details (e.g. address, e-mail address, telephone number, Skype Id);
  • identity documents and unique identifiers (e.g. passport number, license plate number);
  • CV and related professional and academic experiences;
  • recorded voice, not altered, from which it is possible to identify a person;
  • images from which it is possible to identify a person (e.g. photographs, video footage);
  • comments from which a person can be identified based on the information provided in the comment;
  • online identifiers (IP address, geo-location points).

The term "sensitive data" commonly refers to personal data that can reveal racial and ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, as well as genetic data, biometric data, intended to identify univocally a natural person, and data concerning health, sex life or sexual orientation.

In practice, these are data related to the most intimate sphere of each individual and, consequently, they must be processed applying special safeguards, only when strictly necessary, and when there are specific legal basis that allow their processing. The terminology used for "sensitive data", once contained in the Privacy Code, has now been replaced by that of "special categories of personal data" introduced by the GDPR.

Finally, personal data relating to criminal convictions and offences are also subject to specific safeguards.

Examples of special categories of personal data: 

  • Data revealing racial or ethnic origin (e.g. statement written by the data subject in an application form indicating their skin colour);
  • Data revealing political opinions (e.g. list of members of a political party);
  • Data revealing religious or philosophical beliefs (e.g. statement written by the data subject in an application form indicating their preference for kosher or halal food);
  • Data revealing trade union membership (e.g. list of members of a trade union);
  • Genetic data (e.g. result of a genetic examination);
  • Biometric data (e.g. fingerprint, graphometric signature);
  • Data relating to health (e.g. disability);
  • Data related to sexual life or sexual orientation (e.g. statement written by the data subject  in an application form revealing that they belong to the LGBT community);
  • Data relating to criminal convictions and offences (e.g. data contained in the criminal record). 

Further example:

  •  A research project, that aims to compare the policies related to disability in two different communities (e.g. Italian and Bengali), will deal with at least two types of special categories of personal data, namely data concerning health and data that can reveal the ethnic origin of the data subject.

Section II – General rules concerning the protection of personal data

The legislation regarding the protection of personal data is particularly complex, since it presents, in addition to a vast production of general regulations, specific sectoral rules.

The main sources are:

  • the European Regulation n. 679/2016 ("GDPR"), which came into force on 25 May 2018: a very long document (99 articles!), which provides immediately and directly applicable rules for those who are involved in the management of personal data;
  • Privacy Code (Legislative Decree 196/2003 as amended by Legislative Decree No. 101/2018).

It should also be borne in mind that there are also other connected regulations (e.g. copyright law and right of personal portrayal), and that this subject is applied daily by innumerable actors, both in the workplace and in academia, and it is shaped by decisions of the Garante per la Protezione dei Dati Personali, deontological codes, protocols, circulars, guidelines, practices, which contribute positively to update a sector in perennial, continuous and unstoppable evolution.

"Processing" represents an all-encompassing expression of the activities concerning personal data. In general, it can be said that any operation or set of operations performed on personal data - whether by automated means, manual, and/or carried out via computer or on paper - constitute “processing”.

For example, it is considered processing: the collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, communication, dissemination or any other form of comparison, interconnection, limitation, cancellation or destruction of personal data.

It is not necessary to archive personal data in a database to have processing of personal data: even one single activity on a single piece of data is therefore considered processing of personal data. Operations on personal data carried out in the course of a purely personal or household activity are excluded from the application of the above mentioned laws.

Examples:

  • As part of a research project, recording the voice of the data subject on an audio device during an interview constitutes processing of personal data. The same applies to video recordings.
  • As part of a research project, the collection of the data subject’s personal data, by filling in a form, to contact them regarding the further development of the project, constitutes processing of personal data.
  • The analysis of comments, which can identify an individual, left on Facebook by users, constitutes processing of personal data.
  • The communication of the contact details of a participant, to a research project, to the other participants of the same in order to create a working group, constitutes a personal data processing activity.

The data subject is the main subject of all the rules protecting personal data.The definition of “data subject” can be inferred by the notion of personal data: the data subject is the natural person (not association, company, animal, etc.), identified or identifiable, to which the personal data refer, directly or indirectly.

No formal recognition is required to be considered a data subject, since the natural person to whom the data relates assumes de facto this status.

Examples:

  • In case of a research project, which involves conducting interviews with parents of children of school age to assess the impact of territorial policies in relation to the same, the data subjects will be both the parents and the minors.
  • In case of a research project, which includes the analysis of linguistic compositions created by the participants at the project, in order to detect the most common errors, each participant will be a data subject. 

In principle, the data of deceased persons are not protected by the legislation on personal data.

Although the GDPR provides (Recital 27) that it does not apply to the personal data of deceased persons, it allows Member States to provide for rules regarding the processing of personal data of the deceased. In Italy, the Garante per la Protezione dei Dati Personali has recently clarified that deceased persons continue to be guaranteed the protections provided by the law on personal data.

Furthermore, the rights provided by the legislation on the protection of personal data can also be exercised subsequently, by those who can claim a certain personal interest in this regard, or act directly for the protection of the deceased or, more simply, for reasons of a familial nature (for example, access to the patient's health records by the relatives). 

As mentioned, the data subject is the subject to whose personal data is the object of the processing activities. We will now analyse those who perform the processing of personal data:

  • data controller: natural person or legal person (company, association, foundation, etc.), public authority, agency or other body that, alone or jointly with others (joint-controllers), determines the purposes of the processing - the reasons for which personal data are handled, the intentions being lawful or unlawful - as well as the means (technical, IT, organizational, etc.) of the processing. A typical example of the data controller is the University in the performance of its institutional activities (e.g. enrolment of students in degree courses). Where decisions relating to the processing are taken jointly by two or more subjects, the latter are qualified as joint-controllers of the processing.
  • data processor: a subject external to the data controller’s organization, who acts on behalf of the data controller and on the instructions provided by the same. The data processor must be appointed by the data controller with a specific written document - containing specific instructions that the data processor must necessarily comply with. For example, providers of cloud services, IT services and archiving of paper documentation are considered data processors. The data processor who goes beyond the instructions received by the data controller, or who decides independently the purposes and means of processing becomes a data controller. 
  • internal supervisor: the data controller may appoint, in writing, under its own responsibility and within the framework of its organizational structure, one or more internal supervisors who will be responsible for the performance of specific tasks connected to the processing of personal data.
  • authorized parties: exclusively natural persons, who perform specific data processing activities under the direct authority of either the data controller or the internal supervisor. 

In the context of research projects handled by the University, the subjects of reference are (except for the particular cases that will have to be considered specifically):

  • The University, legally represented by the Rector, who acts as the data controller.
  • The Principal Investigator or Main Researcher, who act as internal supervisors, following their appointment, with a specific act of nomination, by the Rector.
  • The other participants in the project (for example, researchers, research fellows, PhD students), who will be authorized subjects following their appointment, with a specific act of nomination, by the Rector.

Examples:

  • The University, as part of a research project, instructs a private body to send survey questionnaires to the participants of the project. In this case, the University will be the data controller, while the private body will be the data processor.
  • Within a research project, a project Partner requests the University to collect the personal data object of the investigation and analyse them on its behalf. It also requires that the analysis results are send back to it. In this case the University will be the data processor, while the Partner will be the data controller.
  • In the case of an agreement in which two universities jointly define the purposes and means of the collection of the personal data under investigation, the universities will be joint-controllers.

Personal data, in general, must be:

  • processed in a lawful, fair and transparent manner; 
  • collected for specific, explicit and legitimate purposes, as well as processed in a way compatible with the purposes for which they were originally collected (in this regard, the re-use of the data – with appropriate safeguards in place - for scientific, historical or statistical research is considered compatible);
  • accurate and their correction and cancellation must be guaranteed where necessary;
  • adequate, relevant and limited to the purposes pursued and only stored for the time necessary to achieve them (the storage of personal data for a longer period for is allowed for research purposes); 
  • protected through organizational and technical security measures, in order to prevent illegal or unauthorized processing.

It is fundamentally wrong to think that the processing of personal data is lawful only when the data subject has given their free, informed, specific and unambiguous consent.

There are also other feasible avenues, as provided for by the GDPR, and it is sufficient to identify one legal basis for the processing to be lawful: i.e. the processing of personal data is lawful when it is necessary for the performance of a contract in which the data subject is part of; when it is necessary fulfilling a legal obligation to which the data controller is subject; furthermore, the processing could be necessary to safeguard the vital interests of the data subject or another natural person and, nonetheless, it may be necessary to carry out a task of public interest or one connected to the exercise of public powers the data controller is invested with.           

The legislation on the protection of personal data provides a series of rights to the data subject, which relate to the control that the individuals can exercise over the use of their personal data.

First of all, it should be remembered that the data subject has the right to be informed, through the privacy policy, on the processing activities related to their personal data. This also constitutes an obligation for the data controller.

Among the other rights, it is important to mention the right to access their personal data, extracting a copy, as well as the right to rectify, integrate, delete and de-index (also known as the "right to be forgotten"); again, it is important to mention the right to limit and oppose processing (especially in the case of direct marketing), as well as the right not to be subjected to automated processing and subsequent profiling; there is also the right to lodge a complaint to the Data Protection Authority for the protection of personal data and/or to bring a claim before the Court.

The legislation on the protection of personal data provides, for those who perform data processing operations, the obligation to provide the data subject - unless the law expressly requires it or the data subject is already in possession of the information or in extreme cases of force majeure and when it is impossible to find the recipients if not at disproportionate costs – with a clear, simple but specific explanation about the various aspects of the processing.

In this way the privacy policy is disclosed and facilitates the exercise of the powers of control of the person whose data one is referring to: for this reason, it is necessary not only to provide the minimum information required by the law, but also to adapt the content of the privacy policy to the level of risk of the processing.

Please create a draft privacy policy for your research project. Once complete, please send it to dpo@unive.it  to be validated by the University DPO.

The privacy policy is usually provided in writing or by digital means (also in combination with standardized icons, to give an overview of the processing activities in an easily visible and clearly legible manner).

It should be emphasized that information on the processing of personal data can also be provided orally, but only when the data subject explicitly requests it. In this case it will still be necessary to keep the written text of the privacy policy jointly with the following information: the name of the data subject who received the privacy policy, the data controller or data processor who has provided it, and the date on which it was provided.

Of course, the privacy policy is provided for free and must  not require any charge or disbursement by the data subject. As for the time in which the information must be provided, it is necessary to distinguish: 

  • if the data is collected from the data subject, it shall be given prior to the collection of data;
  • when the data is obtained from a subject other than the data subject, the information must be provided to the latter - always if it is possible to trace them and this is not particularly difficult or excessive, as it could be, for example, for a search involving a very large number of people - within a reasonable time from obtaining the data, at the latest within a month or in any case,in the event that the personal data allows contact to be made with the data subject, in the first communication.

Examples:

  • If, as part of a research project, prospective participants are required to fill in a form with their personal data as first activity, the information must be provided in writing, enclosing it or inserting it in the aforementioned form.
  • In the case of a research project that involves interviewing illiterate participants, the information must be provided orally. However, it will be necessary to keep the text of the information in writing with the remaining project documentation and to keep track of the name of the person who provided the information, who received the information and the date on which it was provided.

The dissemination and publication of personal data must take place in compliance with the 'need to know' principle, i.e. access to personal data must be guaranteed only to those who have a proven need to know this information.

Therefore, where not explicitly required by law or regulation, documents containing personal data may be disclosed to a general public only if (i) the personal data have been obscured or (ii) the persons concerned  are not identifiable (for example, in case of the publication of aggregate data).

It should also be noted that the dissemination of special categories of personal data (see par. 1.3) to a general public, given the sensitivity of such data, is prohibited. It will be necessary to de-identify personal data in order to publish the documents including the abovementioned personal data.

The case of communication of personal data to Partners of the research project, to auditors or to those who have to review the results of the research is different: it is allowed if justified in writing and limited to those who have a proven need to know this information. Furthermore, only the data strictly necessary must be communicated and, in any case, respecting the security rules provided by the University.

Section III – Protection of personal data in scientific research

Scientific research is the activity, conducted either by a single individual (scientist, professor, researcher, student, etc.), or by a team of scholars, dedicated to the fundamental purpose of improving and spreading knowledge in a specific area, in compliance with the methodological standards of each scientific disciplinary sector.

In particular, historical research involves the systematic investigation of people, figures, facts and circumstances that belong to the past. Statistical research is conducted to measure certain aspects of collective phenomena. Knowledge, in all its varied forms and manifestations, lives mainly in the universities, as well as in other institutions, bodies or scientific societies (being them public or private bodies) and whose institutional purpose is precisely to accomplish the activity recalled above.

And if the interest in the dissemination of knowledge is held by the entire community, in order to implement and improve scientific, historical or statistical research, it is needed to stress the importance that the processing of personal data assumes.

In general, scientific research is an expression of an interest of the entire community in the dissemination of knowledge; however, knowledge needs must be counterbalanced with the protection of everyone's fundamental right to control the use of their personal data.

It is common for the scholar to find himself having to carry out research involving some personal data recovered from databases, archives, registers, other research institutes, hospitals, companies, associations, ecclesiastical bodies, etc.

These are personal data may have initially be collected for the most disparate purposes, but on which subsequently scientific, historical or statistical research is performed upon. The law then provides that the further processing, if the aims pursued are, in fact, related to conducting a research, is to be considered compatible and therefore lawful, although the purposes for which the data were originally collected were very different. This does not diminish the need to provide for a selection of genuinely relevant data and provide – unless exceptions apply- a privacy policy to interested parties on the further uses of their personal data. When the purpose of the processing of personal data is research, the rules around retention periods are more relaxed. 

On the contrary, the personal data used for scientific purposes cannot be processed to make a decisions concerning the data subject, in the same way as further processing is not permitted that is an expression of intentions of a very different nature (for example, commercial advertising).

The data controller, as a rule, must inform the data subject about the research purpose of the processing of personal data: only an objective impossibility exempts the researcher from providing the privacy policy to the data subject. In any case the data controller must put in place adequate safeguards in order to protect the rights, freedoms and legitimate interests of the data subject.

In practice, contacting the data subject could prove to be an impossible, extremely difficult and costly operation or require a decidedly disproportionate effort (for example,  in the case of thousands of subjects who have provided blood samples). Also, in some instances, tracing each data subject would risk making the performance of the research impossible or seriously damage it.

Therefore, in dealing with data for such purposes - data collected from parties other than the data subject - the information is not due when it requires an exaggerated effort with respect to the right to protection of the personal data protected, provided that adequate guarantees arein place, even under the form of advertising of information (for example, insertion of an advertisement in national or local newspapers).

In the cases mentioned above, it is always advisable to keep written evidence of the reasons why it was considered that providing the information to the data subject constituted a disproportionate effort. This document must be kept with the rest of the project documentation.

It should be remembered that there are different legal conditions or, better, bases for the processing of personal data to be in compliance with the law (see FAQ 2.7). Therefore, it is sufficient to prove the existence of one of these legal basis to make the processing of personal data legitimate.

The consent to the processing of personal data must not therefore be collected on every instance. It has to be noted, however, that it is not necessary to obtain the consent to take part in the research, by specifying the purposes of the research, the operations that will be carried out in relation to personal data and providing information.

It is more probable then that other conditions of lawfulness rather than consent apply for the collection of data already available in archives, or otherwise made known directly by the data subject or, more generally, collected from other subjects, other than the data subject. This is not an exemption, of course, from the obligation imposed on the data controller to always inform the data subjects  about the use of their personal data (unless exemptions apply). 

It should be remembered that the data subject has the right to withdraw consent at any time - if the legal basis of the processing of personal data was consent and it was withdrawn, it will no longer be possible to extract information from the personal data collected. However, the information already collected remains unaffected in order not to alter the search results.

In the event that the research concerns the processing of special categories of personal data, the data subject’s explicit consent must be obtained before collecting this type of personal data. In cases where consent must be obtained, it is advisable to obtain it in writing and keep the document with the evidence of consent together with the rest of the research project documentation.

If it is not possible to obtain it in writing (for example in the case of an illiterate individual), it must be documented in writing, in any case, that consent was requested and was obtained.

In addition to the GDPR and the (updated) Privacy Code, the Garante per la Protezione dei Dati Personali has published the "Deontological rules for processing with statistical or scientific research objectives” that include further rules in relation to the processing of personal data in the research field.

In particular, the deontological rules define the behaviours that must be adhered to with regard to the processing of personal data in the research field and define the safeguards that must be put in place to protect the rights and freedoms of the data subjects. In particular:

  • the data controller must define the measures to be taken in the processing of personal data, in order to guarantee the respect of the deontological rules, as well as the legislation on the protection of personal data;
  • the data controller creates a declaration of commitment to comply with the ethical rules. A similar declaration is also signed by the authorized parties - researchers, managers etc - who were involved in the research;
  • the data controller deposits the project at the university or research organization or scientific society to which they are affiliated, which takes care of its conservation, in a confidential manner (the consultation of the project being possible only for the purposes of the application of the law on personal data), for five years after the planned conclusion of the research;
  • the research takes place on de-identified data. An data subject considers himself identifiable when, with the use of reasonable means, it is possible to establish a significantly probable association between the combination of the modalities of the variables relating to a statistical unit and the data that identify him;
  • the data controller pays specific attention to the selection of the personnel responsible for collecting data and in defining the organization and the methods of collection, so as to guarantee compliance with the ethical rules and the protection of the rights of the individuals concerned. The personnel responsible for the collection must comply with the deontological rules and the instructions received;
  •  the internal supervisors and authorized parties who, for work and research reasons, have legitimate access to personal data processed for statistical and scientific purposes, conform their behavior to the following provisions: a) personal data can only be used for purposes defined in the research project; b) personal data must be kept in such a way as to avoid its dispersion, removal and any other use not in compliance with the law and the instructions received; c) personal data and news not available to the public of which it becomes aware during the performance of the statistical activity or activities instrumental to it cannot be disseminated, or otherwise used for private interests, one’s own or that of others; d) the work performed is adequately documented; e) professional knowledge in the field of personal data protection are constantly adapted to the evolution of methodologies and techniques; f) the communication and dissemination of statistical results are favored, in relation to the cognitive needs of the scientific community and public opinion, in compliance with the regulations on the protection of personal data; g) behavior that does not comply with the ethical rules is immediately reported to the data controller or data processor

A careful reading of the deontological rules is advised: non-compliance may result in the application of sanctions by the Garante.

The legislation on the protection of personal data, for processing activities carried out by the data controller or data processor established within the European Union, is also applied when the operations relating to personal data are carried out in a third country.

Therefore, in the event that the research is undertaken abroad, it will be necessary to comply with the European rules and the rules in force in the State where the scientific investigation activities are carried out.

In the case of the University, the legislation of reference is that of the European Union and Italy, except in cases where the processing of personal data involves other countries.

Examples: 

  • In the event that a research project, for the purpose of a specific survey, collects personal data through the recording of interviews in India, in addition to the legislation of reference of the University (European and Italian), the legislation of India concerning the protection of personal data must also be respected.

It may seem paradoxical to link the protection of personal data to a criterion of strong discrimination such as that based on citizenship.

It is natural that the regulation on the protection of personal data applies to every individual, regardless of their nationality or residency status.

In this context, the linguistic factor assumes importance: the data controller must provide a clear and simple privacy policy that is understandable to the data subject. 

Examples:

  • In case of a research project aimed at interviewing members of the scientific community both in Italy and in England, two models of privacy policy must be prepared, one in Italian and one in English.
  • In case of a research project that takes place entirely in Spain, the privacy policy and related documents must be prepared in Spanish.
  • In case of an international research project, which concerns the processing of personal data of data subjects who speak different languages, but who understand English very well, it will be sufficient to provide the privacy policy in English. If the researcher is not sure that the information in English will be understood by the data subjects, this should be translated into the language spoken by each of them.

Last update: 27/02/2024