2. Data

Scientific data are to be collected and stored in accordance with current statutory rules and other provisions. Data are defined as all material collected systematically for research purposes, including electronic data from registers, surveys or interviews, images, human material such as blood or tissue or material from animals, including biobanks.

The general guidelines for responsible conduct of research with regard to data are as follows:

  • The data flow 1 must be outlined in the project description
  • All experimental protocols, plans and strategies for experiments/studies, notes, laboratory books, data and primary material must be stored for five years after the completion of the research project, except where this conflicts with other legislation or professional standards. As stipulated in section 3.2 of AU’s policy and the Instruction for research data management (guide under development)  
  • There must be open access to material on which publications are based (the FAIR principles), except where this conflicts with legislation or contractual obligations. According to section 3.2 of AU’s policy
  • Any corrections made to data during data collection and data recording must be clearly indicated and accounted for in order to ensure that all changes or additions are completely transparent, thereby ensuring data traceability.

The EU’s General Data Protection Regulation (GDPR) and the Danish Data Protection Act (the data protection legislation)describe the fundamental principles that must be fulfilled in connection with all processing of personal data. The Danish Data Protection Agency is the central independent authority which monitors compliance with the data protection legislation.

  • More detailed guidance on how to store and secure personal data is available on Aarhus University’s website on data protection and data protection legislation.   
  • A general security criterion is the requirement to pseudonymise data whenever possible in the given context. The security requirements for pseudonymised data2 are less strict.
  • In accordance with the data protection legislation, data (including biological material) may not be stored longer than is necessary for the purpose for which they were collected and must be anonymised after the purpose, including requirements regarding storage, has been achieved. There are different requirements with regard to how long experimental data must be stored, including personal data, after the completion of the project. See for example the Danish clinical trials of medical products act (Lov om kliniske forsøg med lægemidler), which stipulates a storage period of 25 years. See also the Instruction for research data management (guide under development)  
  • After the purpose has been achieved and the storage requirement fulfilled, it must not be possible to identify individual data subjects in the experiment. Personal data must be subsequently deleted3, anonymised or submitted to the National Archives.
  • In connection with research involving personal data, registration and authorisation are mandatory. These requirements are described above under the individual types of project. Further information is available from TTO at Aarhus University.
  • Data must be stored at the institution where the research was conducted. However, where relevant any conditions set by project funders must be taken into account. Individually identifiable data may not be stored on a personal computer, and paper print-outs of such data must be locked away securely. With regard to data storage, the rules for storage laid down in the data protection legislation and other supplementary legislation must be complied with.

 


Footnotes

1  The concept ‘data flow’ is used here to refer to the processing of research data during and after the project’s ‘lifetime’, including collection, registration, storage, sharing/transfer, etc. of data during and after the project.

2 When personal data are pseudonymised, the data are keycoded so that they cannot be attributed to a specific data subject without the use of additional information that is stored separately. Pseudonymised data are still covered by the data protection legislation.

3 When personal data are pseudonymised, it is not possible to identify the data subject, either directly or indirectly. Anonymised data are not covered by the data protection legislation.

14213 / i30