Future research? Here you can learn more about:
There is no single set of rules that determines how personal data can be processed for future research. This naturally raises a number of questions about how and within what framework the processing of personal data for future research can take place.
The requirements for the processing depend on several factors and originate, for example, from health law, ethical considerations and/or general data protection law.
Here you can read more about the data protection considerations you need to be particularly aware of if you are going to process personal data for future research. Remember that you must fulfil the other obligations under the data protection rules – exactly like you use to.
Future research is research that is in the future, which means that you often do not know the exact research purpose(s) in advance.
Example A: Future research For example, a researcher collects personal data to be able to investigate causations between exposures in the embryonic stage and diseases in early adulthood. The research data generated is unique and can be used to shed light on many different disease pictures. Therefore, the researcher collects them in a database that can serve as a data source for future research projects on causations between exposures in the embryonic stage and diseases in early adulthood. |
There are different types of biobanks depending on what the purpose of the biobank is. This guide focuses on biobanks for future research.
A biobank for future research is a structured collection (a manual register) of biological material (and possibly an associated physical or electronic database with 'dry' data) that aims to be included (in whole or in part) in future research projects. If the biobank only aims to be part of one specific research project, it is not a biobank for future research.
The concept of database does not exist in the data protection rules, here we only talk about 'registers'. When the word database is used on these pages, it should be understood as a structured collection of research data containing personal data, which is intended to be used in future research within a specified area.
No, there are basically no different rules. However, in some cases, your choice of method may have an impact on which rules apply in your situation, e.g. whether you make a direct or indirect collection (i.e. whether you collect from the data subject or from others).
In addition, your choice of method may have an impact on whether you can meaningfully work with pseudonymised personal data, or whether it is necessary for you to be able to see the information in plain text. For example, it may affect the way you assess the risks related to the processing.
When you process personal data, it is a requirement that the processing of personal data is necessary to achieve the purpose of the processing. At the same time, this means that there is a requirement for timeliness. These are basic principles to ensure that data accumulation does not occur.
As a researcher, you must therefore assess 1) whether it is necessary to process the personal data and 2) whether the purpose of the processing is relevant.
Example B: Timeliness |
In the example, there is a clear timeliness between the data collection that the researcher wants to carry out and the subsequent research that is to be carried out.
Example C: Hypothetical purpose A researcher wants to build a database that can be used for research in a broad sense. The researcher therefore collects research data, including personal data, from various data sources: i) newspaper articles, ii) data from news media and social media, and iii) data from a number of previous research projects. The collection takes place continuously in the period 2014 to 2016. In 2022, the researcher randomly reviews the collected research data and based on the data collection, decides to investigate young people's self-image. Later that year, the researcher also decides to start a research project on the impact of the media on the political debate. |
In the example, there is no objective and specified purpose at the time of collection, as the researcher collects the personal data with a view to being able to conduct research in the future without further defining the research area. At the time of collection, the research purpose is hypothetical, which is made clear by the time span between collection and the actualization of the research purposes.
When you process personal data, there is a requirement that the processing must take place for a specific purpose. Processing personal data for future research is in itself a purpose, but 'future research' is not specified 'enough'.
In other words, it requires that you put a few more words into the scientific area in which you are researching. Among other things, the data subject must be able to understand why their personal data is being processed. You must therefore make it transparent for the data subject.
Example D: What should you consider when writing your purpose statement You are probably specialized in or are particularly interested in a certain area. This could be e.g. schoolchildren's learning processes, management evaluation, communication on social media, psychological treatment in a certain area, etc. As a researcher, the area will often follow you through all or larger parts of your research work. Your collection of data, including personal data, will often take place in the context of a specific research project. When you establish a database/biobank for future research, you should therefore consider the above when determining the purpose of the processing of personal data in your database. Whereas in a specific research project you have a more limited area that you want to investigate, you do not know the specific purposes of the research that you will conduct in the future when you have to describe the purpose of the database. A hypothetical example:
In the hypothetical example, the description of purpose in 'purpose b' can be accommodated under the description of purpose in 'purpose a'. You can therefore have several purposes like 'purpose b', under the purpose description in purpose a. |
You can read more about purpose descriptions on this page.
Every time you (as a researcher) process personal data, you must have a legal basis for processing.
The processing of personal data for research purposes has an independent legal basis (scientific research purposes) in the General Data Protection Regulation and the Danish Data Protection Act, and often this basis for processing will be the most appropriate to base the processing of personal data in research on – also for future research – and even if you collect the data directly from the data subject.
Depending on the circumstances, it may be possible to base the processing on other legal bases, e.g. valid consent to data processing. However, you should be aware that a requirement for consent in the special legislation (e.g. health law) is generally not a valid consent for data processing. You may therefore be obliged to obtain consent under other legislation or ethical guidelines for the lawfulness of processing the personal data for future research, but such consent does not constitute a legal basis for the processing of personal data. See Example E in the section below.
If you have multiple purposes, you must ensure that you have a legal basis for processing for each purpose.
You can read more about the legal bases for processing here.
When you process biological material, you must be particularly aware that there may be requirements for collection and use in special legislation (e.g. in the Committee Act or the Health Act).
Such rules take precedence over the general rules of data protection law. This means that you must first make sure that you meet the special requirements that apply to biological material, and then the general data protection rules.
Example E: Special law rules and general data protection law A researcher collects a number of blood samples in connection with a health science research project. In the research project, the researcher must use 1 ml of blood for the examination, but the researcher will draw 3 ml of blood per patient. The blood samples come from a number of patients with diabetes. The researcher has obtained informed consent under the Committees Act for the collection of blood for the research project in accordance with the approval that the researcher has received from the research ethics committees (special legislation). At the same time, the researcher obtains informed consent to use the remaining 2 ml of blood in a biobank for future research in the treatment of type 2 diabetes and informs about this second purpose in his/her duty of disclosure. The collection of the sample for future research is not covered by the rules of the Committees Act, but the sample will be when it is used again in a specific research project. All processing of personal data is based on the legal basis: Scientific research purposes (data protection law). |
Just as the description of purpose sets the framework for the purpose for which the personal data can be processed, it is also the purpose that ultimately determines how long you can process the personal data.
Storage limitation also known as 'deletion deadlines', often cause problems as it is difficult to predict how long it will be necessary to process the personal data.
When determining the storage limitation for the personal data processed in a biobank or a database for future research, you must use the principles that you use when assessing the storage limitation in a research project. The difference here is that you do not have a specific purpose that helps to delimit the processing. Your purpose is, so to speak, broader.
When determining the storage limitation for the processing of personal data in a biobank or database for future research, you may want to consider the following questions:
When you create a database/biobank for future research, it is of course intended that you will use personal data from the database/biobank for specific research projects in the future. It may be that you also want to share the personal data with other researchers who have a research purpose that lies within the scope of the database/biobank.
If you are going to share personal data from the database/biobank with others, it is important that you consider it in advance so that you can adapt to it. It's a good idea to check the following:
You can read more about sharing personal data on this page.
As with all processing of personal data, you must consider the risks you expose the data subjects to. The risk assessment is the foundation for your assessment of what measures (initiatives) you need to take to protect the personal data. You can read more about risk assessment and find a template here. You should always consider whether your risk assessment gives rise to an impact assessment.
When you process personal data in a biobank or a database for future research, it is important that you consider that the processing of personal data will in many cases have a longer period of time than if, for example, you process personal data for a specific research project. This places increased demands on both the technical and organisational measures you have to take.
Example F: Measures to help protect personal data
|
In addition to the technical and organisational measures, the processing of personal data for research purposes must be subject to 'appropriate safeguards'. Appropriate safeguards act as a kind of 'compensatory measures', essentially offsetting the wider access to the processing of personal data in research with regard to the protection of data subjects.
A number of appropriate safeguards have already been secured by law, e.g. permission requirements in section 10 of the Data Protection Act, the requirement that the university must have a DPO, purpose limitation, which means that processing of personal data may only be done for research purposes, etc.
In addition, you can help ensure additional safeguards, e.g. by conducting an impact assessment, obtaining ethical participation consent (read more here), etc.
As with any other processing of personal data, you generally have a duty to provide information regarding the processing. When you collect personal data for a biobank or database for future research, it is important that it is stated in the information material, so that it is transparent to the data subject why and how you process their personal data.
If, at the same time as establishing or collecting for the biobank or database, you also process the personal data for a specific research project, this must be stated in your description of the purpose in the duty of disclosure. In other words, you must ensure that it is clear to the data subject that you want to process the personal data for use in the biobank or database for future research in a specified area, and that you want to process it for a specific research project.
To ensure that you comply with the principles of data protection law, including the principle of ‘lawfulness, fairness and transparency’, you must have processes for governing the biobank or database. Good governance will not only help you comply with your data protection obligations, but will also ease your work with the biobank or database in the future.
Example G: Policies and procedures that may be relevant to governance:
|
Yes, all processing of personal data must be included in AU's record. You can register a biobank or a database for future research via this form. On the page, you will find specific instructions on how to register the biobank or database.
You must always document your assessments. As such, there are no formal requirements for your documentation, but it should always be in writing and in a form that allows you to update and version your material.
It is a good idea to save the documentation where you otherwise store project documentation. It could be in WorkZone, for example.
On the website, you can find various templates that you can use to document your risk assessment and if necessary, impact assessment or compliance with the information duty.
You can find the contact details of your GDPR coordinator here.