Storing personal data

The content on this page was updated in October 2023. Note that we regularly update these pages. 


Do you process personal data as a part of your research?  Here you can learn more about: 

  • How long it is necessary to process personal data

  • How you store personal data in a secure manner during and after your research. 

Storage is a form of processing of personal data. The data protection rules therefore also apply when you store personal data.

There are 2 things that are important to keep in mind when talking about storage.

First, it is important that you consider how long you may process the personal data (storage limitation).

Second, you must ensure that personal data is stored securely – both during and after your research.

What should you be aware of when determining how long you can or must process personal data?

What determines how long you can or must process personal data?

Just as the description of purpose sets the framework for the purpose(s) for which the personal data may be processed, it is also the purpose(s) that ultimately determine how long you may or must process personal data. You may only process the personal data for as long as is necessary for the purpose(s) for which you process it. Therefore, there is no fixed conclusion when it comes to storage limitation.

As a researcher, it can be difficult to determine how long the processing of personal data is necessary. This is particularly difficult because storage limitation has to be assessed before the processing is initiated. At this point, you probably don't know exactly how long your research will take, where you will publish or when you will finish publishing. What if it turns out that your research data can be used for research within the same research field?

It is important that you, as a researcher, know what to consider.

Quick guide to understanding storage limitation

Storage limitation basically means that it will not be possible to process the data subject's personal data for ‘time and eternity’.

Personal data may become outdated or irrelevant, or be of such a nature that processing it at some point poses or may pose a risk to the rights or freedoms of the data subject.

Therefore, personal data may only be processed for as long as it is relevant and necessary to achieve the purpose(s) for which it is processed.

Example:

Your purpose is to process personal data for the research project 'Play and learning in the 2nd grade'.

This means that, as a rule, you may only process the personal data until you have finished your research project on 'Play and learning in the 2nd grade'.

When assessing when you are 'finished' with a research project (have achieved the research purpose), it is important that you think about the entire life cycle of the research project.

For instance, you are not finished processing the personal data upon publication of your research, if you are obliged to store the personal data for 5 years in accordance with the rules on responsible conduct of research. In that case, it will still be necessary for you to process the personal data during that period.

How do you describe how long you will be processing the personal data?

When describing and documenting your assessment of the duration of the processing, you can follow the 3 steps below:

  1. Describe the duration of the processing

When you describe how long you will be processing the personal data, you are not required to set a specific date.

Instead, you can describe the things you emphasise when assessing how long the personal data is necessary for the purpose(s) for which you process it.

  2. Document your assessment

You must be able to document the considerations your assessment is based on.

This means that you must document in writing the criteria for when personal data is no longer necessary. In other words, when deletion, anonymisation, archiving or other lawful termination of the processing of the personal data must take place.

How you document your assessment is your choice as long as it is documented in writing.

What such documentation might look like depends on the other project material. As an example, you might:

  1. have a written protocol describing what personal data you will process, why it is necessary, and how to continuously ensure that it is still necessary for the research.
  2. have a written procedure for how and how often you 'clean up' your data set, e.g., in cases where your scientific method means that you do not know exactly what information is required to conduct your research.

  3. Remember to state what you have assessed

There are several places where your assessment of how long it is necessary to process personal data must be stated. Among other things, you must state it when you:

Where to save documentation for your assessment

You must store your written assessment with your other project documentation for the entire period in which you process personal data.

What should you be aware of when storing personal data securely?

What do the data protection rules say?

According to the data protection rules, the processing, including storage, of personal data must take place in such a way that the level of security matches the risks the processing poses to the data subject's rights and freedoms. In other words, there is no fixed answer to how personal data are processed securely. It depends on the facts.


What is an appropriate level of security?

When assessing how you can store the personal data in your research project, it is important to look at the level of security that is appropriate for the processing you will be carrying out.

  1. Assess potential risks 

First, you need to know the risks associated with your processing. You assess this by carrying out a risk assessment. You can read more about how to make a risk assessment here.

  2. Use a system that meets the security requirements identified by your risk assessment

Secondly, you must ensure that the system you wish to use meets the security requirements identified by your risk assessment.

AU provides a number of systems and storage solutions. You can find out where you can store your research data on AU's data classification.

If you use a storage system that is not listed on the data classification, you must:

  • check whether there are any local rules at your department on the use of other systems (and comply with them)
  • ensure that the system complies with data protection requirements and that relevant agreements have been entered into. Remember that it is your head of department or centre director who has the authorisation to sign such agreements.

Note! AU is working on a new solution, 'SIF', for storing research data containing personal data. ‘SIF’ is expected to be available in autumn 2023.