Scientific data is to be collected and stored in accordance with current statutory rules and other provisions. Data is defined as all material collected systematically for research purposes, including electronic data from registers, surveys or interviews, images, human material such as blood or tissue or material from animals, including biobanks.
The general guidelines for responsible conduct of research with regard to data are as follows:
- Information about the collection, registration, storage and sharing/transfer of data during and after he project15 and the responsibility for the data processes described must be stated in the project description.
- All experimental protocols, plans and strategies for experiments/studies, notes, laboratory books, data and primary material must be stored for five years after the completion of the project, except where this conflicts with other legislation or professional standards, cf. AU's policy section 3.2 and AU’s Instructions for the storage and management of research data.
- There must be open access to material on which publications are based (FAIR principles), except where this conflicts with legislation or contractual obligations, cf. AU's policy section 3.2 and AU’s Instructions for the storage and management of research data.
- Any corrections made to data during data collection and data recording must be clearly indicated and accounted for in order to ensure that all changes or additions are completely transparent, thereby ensuring data traceability.
The EU’s General Data Protection Regulation (GDPR) and the Danish Data Protection Act (the data protection legislation) describe the fundamental principles that must be fulfilled in connection with all processing of personal data. The Danish Data Protection Agency is the central independent authority which monitors compliance with the data protection legislation (in Danish).
- More detailed guidance on how to store and secure personal data is available on Aarhus University’s website on data protection and data protection legislation.
- A general security criterion is the requirement to pseudomise16 data whenever possible in the given context. The security requirements for pseudonymised data are less strict.
- In accordance with the data protection legislation (in Danish), data (including biological material) may not be stored longer than is necessary for the purpose for which they were collected and must be anonymised after the purpose, including requirements regarding storage, has been met. There are different requirements with regard to how long experimental data must be stored, including personal data, after the completion of the project. See for example the Danish clinical trials of medical products act, which stipulates a storage period of 5 years.17
- After the purpose has been achieved and the storage requirement fulfilled, it must not be possible to identify individual data subjects in the experiment. Personal data must be subsequently deleted, anonymised or submitted to the National Archives.
- In connection with research involving personal data, registration and authorisation are mandatory. These requirements are described above under the individual types of project. Further information is available from the Data Protection Unit at Aarhus University.
- Data must be stored at the institution where the research was conducted. However, where relevant, any conditions set by project funders must be taken into account. Individually identifiable data may not be stored on a personal computer, and paper print-outs of such data must be locked away securely. With regard to data storage, the rules for storage laid down in the data protection legislation (in Danish) and other supplementary legislation must be complied with. See also AU's Instructions for the storage and management of research data.
15 See note 1.
16 Pseudonymising is when there is a key which may be attributed to a person. Pseudomised data still falls under the scope of the Data Protection legislation.
17 Once the EU regulation on clinical trials comes into force, it will include a requirement for 25 year’s storage.