Storage is a form of processing of personal data. The data protection rules therefore also apply when you store personal data.
There are 2 things that are important to keep in mind when talking about storage.
First, it is important that you consider how long you may process the personal data (storage limitation).
Second, you must ensure that personal data is stored securely – both during and after your research.
Just as the description of purpose sets the framework for the purpose(s) for which the personal data may be processed, it is also the purpose(s) that ultimately determine how long you may or must process personal data. You may only process the personal data for as long as is necessary for the purpose(s) for which you process it. Therefore, there is no fixed conclusion when it comes to storage limitation.
As a researcher, it can be difficult to determine how long the processing of personal data is necessary. This is particularly difficult because storage limitation has to be assessed before the processing is initiated. At this point, you probably don't know exactly how long your research will take, where you will publish or when you will finish publishing. What if it turns out that your research data can be used for research within the same research field?
It is important that you, as a researcher, know what to consider.
Storage limitation basically means that it will not be possible to process the data subject's personal data for ‘time and eternity’.
Personal data may become outdated or irrelevant, or be of such a nature that processing it at some point poses or may pose a risk to the rights or freedoms of the data subject.
Therefore, personal data may only be processed for as long as it is relevant and necessary to achieve the purpose(s) for which it is processed.
Example: Your purpose is to process personal data for the research project 'Play and learning in the 2nd grade'. This means that, as a rule, you may only process the personal data until you have finished your research project on 'Play and learning in 2nd grade'. When assessing when you are 'finished' with a research project (have achieved the research purpose), it is important that you think about the entire life cycle of the research project. For instance, you are not finished processing the personal data upon publication of your research, if you are obliged to store the personal data for 5 years in accordance with the rules on responsible conduct of research. In that case, it will still be necessary for you to process the personal data during that period.
When describing and documenting your assessment of the duration of the processing, you can follow the 3 steps below:
When you describe how long you will be processing the personal data, you are not required to set a specific date.
Instead, you can describe the things you emphasise when assessing how long the personal data is necessary for the purpose(s) for which you process it.
You must be able to document the considerations your assessment is based on.
This means that you must document in writing the criteria for when personal data is no longer necessary. In other words, when deletion, anonymisation, archiving or other lawful termination of the processing of the personal data must take place.
How you document your assessment is your choice as long as it is documented in writing.
What such documentation might look like depends on the other project material. As an example, you might:
There are several places where your assessment of how long it is necessary to process personal data must be stated. Among other things, you must state it when you:
According to the data protection rules, the processing, including storage, of personal data must take place in such a way that the level of security matches the risks the processing poses to the data subject's rights and freedoms. In other words, there is no fixed answer to how personal data are processed securely. It depends on the facts.
When assessing how you can store the personal data in your research project, it is important to look at the level of security that is appropriate for the processing you will be carrying out.
First, you need to know the risks associated with your processing. You assess this by carrying out a risk assessment. You can read more about how to make a risk assessment here.
Secondly, you must ensure that the system you wish to use meets the security requirements identified by your risk assessment.
AU provides a number of systems and storage solutions. You can find out where you can store your research data on AU's data classification.
If you use a storage system that is not listed on the data classification, you must:
Note! AU is working on a new solution, 'SIF', for storing research data containing personal data. ‘SIF’ is expected to be available in autumn 2023.