Instructions for storage and processing of research data

These instructions (guidelines) for storage and management of research data describe requirements and areas of responsibility for correct data management and data storage.

Aarhus University's policy for management of research data is part of the Policy for research integrity, freedom of research and responsible conduct of research at Aarhus University.


TYPES OF DATA COVERED BY THESE INSTRUCTIONS

Sensitive personal data (incl. pseudonymous data*)

  • racial or ethnic origin
  • political opinions, religious or philosophical beliefs
  • trade union membership
  • processing of genetic data
  • biometric data for the purpose of uniquely identifying a natural person
  • data concerning health (data concerning a person’s health is interpreted broadly, ranging from diagnoses to tests and test results for both physical and mental health)
  • data concerning a natural person’s sex life or sexual orientation

*Pseudonymous data is data that can be attributed to the relevant person via an identification key. One way to pseudonymise data is to replace the civil registration number with a code and delete the name and the exact address. Pseudonymisation of data is subject to the data protection legislation (databeskyttelseslovgivningen).

General personal data (incl. pseudonymous data*)

  • name
  • address
  • position
  • type of employment
  • email address
  • telephone number and IP address
  • gender
  • age
  • interests
  • profiles
  • credit information
  • civil registration number (can refer to special categories of personal data, i.e. sensitive personal data)
  • etc.

*Pseudonymous data is data that can be attributed to the relevant person via an identification key. One way to pseudonymise data is to replace the civil registration number with a code and delete the name and the exact address. Pseudonymisation of data is subject to the data protection legislation (databeskyttelseslovgivningen)

Other types of restricted data

Processing certain types of primary material and/or data may be subject to contractual requirements and/or other legislation*. For instance:

  • copyright data
  • data on animals
  • GMO data
  • confidential data

*For instance: the ABS initiative, the Nagoya Protocol on Access to Genetic Resources, GMO for genetic resources and GMO notifications. 

Types of unrestricted data

All other types of data than those mentioned above, including anonymous data, are not subject to any restrictions.

 


THE RESPONSIBILITY OF THE RESEARCH DIRECTOR

 

1. Registration of the project if it involves personal data

All research projects are unique, and the legal basis for each project must be identified on the basis of type of project and type of data before starting the project.

If the research project involves personal data, the research director is responsible for registering the project internally at Aarhus University. More information.

If you have any questions, please send an email to fortegnelse@au.dk.

2. Data management in accordance with responsible conduct of research and applicable legislation

The research director must manage research data in accordance with responsible conduct of research and applicable legislation within the field of the research project, including notification of digital research data to the Danish National Archives, cf. the ministerial order on the notification of digital research data created by government agencies and institutions.

Approvals from relevant public authorities are of particular relevance within clinical research and data concerning health. The main principles for approval by authorities of collection of data are described in the Standards for responsible conduct of research at Health.

Approvals from other public authorities are stated in the respective faculty standards. 

If you have any questions, please contact the Technology Transfer Office (TTO) at tto@au.dk.

3. Supervision of researchers affiliated with the project

The research director is responsible for supervising the researchers carrying out a research project.

4. Ensuring a legal basis for collecting data

The research director is responsible for ensuring a legal basis for collecting data for scientific research and for possible re-use of data in future research projects.

The legal basis for data collection can be obtained in several ways, e.g.:

If you have any questions, please contact the Technology Transfer Office (TTO) at tto@au.dk


DATA REQUIREMENTS

1. Access to data

During the research period

Aarhus University, represented by the responsible department head, must have access to and is entitled to use all primary research material and all data generated in research at the university, unless this is not possible due to specific  contractual obligations or relevant legislation (note that health legislation may include special obligations).

After publication

According to the FAIR Data Principles, after publication of the results, the underlying data set must be made accessible for re-use by researchers, PhD students or other staff at Aarhus University, as well as by third parties, unless such accessibility is in conflict with contractual requirements and/or legislation concerning e.g. personal data and copyright.

The decision to grant access to and/or permit re-use of data depends on the legal basis.

If you are in any doubt, please contact the Technology Transfer Office (TTO) at tto@au.dk. 

2. Sharing personal data

Access to personal data requires a special legal basis, both in connection with collection and use of data. Provided that access to personal data, including sensitive data, is legally possible and approved by the department head, such access requires either:

Aarhus University must be informed of any sharing of personal data. More information.

If you have any questions about legal documents, please contact the Technology Transfer Office (TTO) at tto@au.dk.

3. Disclosure of personal data requiring approval from the Danish Data Protection Agency

Disclosure of personal data in the form of biological material, disclosure of personal data to third countries (countries outside the EU/EEA) or disclosure for the purpose of publishing personal data in journals etc. require prior approval from the Danish Data Protection Agency. More information.

Publication of anonymous data

Disclosure of information for publication in a given context with no attachment of personal data or the identification key (a number/code) to the personal data does not require prior permission from the Danish Data Protection Agency. This data will be considered anonymous in the given context.

In particular for Health

Inspectors, monitors and investigators must have full access to all databases in connection with inspection, monitoring and/or self-monitoring of clinical trials in accordance with the regulation on clinical trials (EU regulation 536/2014).

If you have any questions, please contact the Technology Transfer Office (TTO) at tto@au.dk. 

4. Management, storage and archiving

In accordance with the Policy for research integrity, freedom of research and responsible conduct of research at Aarhus University, research data must be stored for a period of at least five years, unless another statutory storage period applies with regard to the research project and data requires longer storage. 

Note that relevant legislation may be adjusted in collaboration agreements.

Research data may only be destroyed, anonymised and/or archived, see legislation on archiving, when the following 4 conditions are met:

  1. When the storage period has expired
  2. According to a decision by the department head
  3. In accordance with the legal basis for collecting data
  4. When digital data is delivered to The Danish National Archives (Rigsarkivet)

Storage of data 

The individual researcher is responsible for management and storage of research data at the Aarhus University storage facilities. 

Find information about the storage facilities at Aarhus University

If you have any questions about the storage facilities, please contact your local IT support.


Regarding storage of personal data

Personal data may only be stored for as long as is necessary and/or required by law.

In addition, data concerning health may be subject to special legislation that precedes the general legislation, e.g. the GCP rules (Good Clinical Practice) and the EU regulation on clinical trials, which – when the new rules come into force – will require storage of 25 years.

The individual researcher is responsible for documenting compliance with the requirements in accordance with data protection legislation.