Research, by definition, cannot do without data. Data are, in general, a container of the most varied information: they represent not only the food by which any study is nourished, but also form part of the product of the completed investigation, thereby traversing the entire life cycle of any research activity.
However, not every piece of data part of the research constitutes personal data. Just think, for example, about the quotation in a footnote that refers to an important monograph, the work of an illustrious Master: no one can doubt that, in principle, the author's name and surname should be protected in the same way as personal data, as well as the quoted thought - information that, rightly, is attributed to whoever is its progenitor.
It is necessary to make a distinction, not only because some data is already being made public and is accessible by anyone (e.g. data contained in research databases), but it is also important to consider the use of the data according to the objectives pursued, in concrete terms, by those who use the information: the protection of personal data in the context of scientific research only contemplates that subset (smaller than the broad category of research data but not necessarily reduced in terms of dimensions) of information belonging to those who, spontaneously or not (for example, by taking part in surveys or through video-interviews, or through the use of genetic samples deposited in specific banks), find themselves “participating” in the research activity, given that the data offered by private individuals is a very important tool for the study carried out.
In summary, the perspective to be taken is, in essence, relative: each researcher is put to the test in having to identify the personal data to which maximum attention must be given, in order to avoid slipping, more or less consciously, into non-authorized and, therefore, illegal personal data processing operations.
"Personal data" means any information that concerns an identified or identifiable natural person. In practice, any information when associated, directly or indirectly, with a specific individual is to be considered personal data.
At the opposite extreme of personal data is anonymous data, which does not in any way allow the identification of the individual and does not fall within the scope of application of privacy legislation.
Then there are de-identified (or pseudonymised) data, that are, personal data that do not permit the immediate identification of an individual, but that, if associated with other information, can then identify the data subject. De-identified data are personal data and therefore subject to the legislation on personal data.
If the notion of an "identified" person is easily understandable, it should be noted that "identifiable" is an individual who can be identified directly (e.g. by their name) or indirectly (e.g. by their address or position held), and/or by one or more specific elements of physical, physiological, genetic, psychic, economic, cultural or social identity.
It should be emphasized that information concerning companies, associations, committees and other entities does not constitute personal data: they are not, in fact, natural persons, but legal persons. However, legal person’s data are not totally excluded from the application of privacy regulations; in fact, for example, unsolicited communications cannot be sent, even to legal persons, without the prior consent of the recipient.
Examples of personal data:
The term "sensitive data" commonly refers to personal data that can reveal racial and ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, as well as genetic data, biometric data, intended to identify univocally a natural person, and data concerning health, sex life or sexual orientation.
In practice, these are data related to the most intimate sphere of each individual and, consequently, they must be processed applying special safeguards, only when strictly necessary, and when there are specific legal basis that allow their processing. The terminology used for "sensitive data", once contained in the Privacy Code, has now been replaced by that of "special categories of personal data" introduced by the GDPR.
Finally, personal data relating to criminal convictions and offences are also subject to specific safeguards.
Examples of special categories of personal data:
The legislation regarding the protection of personal data is particularly complex, since it presents, in addition to a vast production of general regulations, specific sectoral rules.
The main sources are:
It should also be borne in mind that there are also other connected regulations (e.g. copyright law and right of personal portrayal), and that this subject is applied daily by innumerable actors, both in the workplace and in academia, and it is shaped by decisions of the Garante per la Protezione dei Dati Personali, deontological codes, protocols, circulars, guidelines, practices, which contribute positively to update a sector in perennial, continuous and unstoppable evolution.
"Processing" represents an all-encompassing expression of the activities concerning personal data. In general, it can be said that any operation or set of operations performed on personal data - whether by automated means, manual, and/or carried out via computer or on paper - constitute “processing”.
For example, it is considered processing: the collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, communication, dissemination or any other form of comparison, interconnection, limitation, cancellation or destruction of personal data.
It is not necessary to archive personal data in a database to have processing of personal data: even one single activity on a single piece of data is therefore considered processing of personal data. Operations on personal data carried out in the course of a purely personal or household activity are excluded from the application of the above mentioned laws.
The data subject is the main subject of all the rules protecting personal data.The definition of “data subject” can be inferred by the notion of personal data: the data subject is the natural person (not association, company, animal, etc.), identified or identifiable, to which the personal data refer, directly or indirectly.
No formal recognition is required to be considered a data subject, since the natural person to whom the data relates assumes de facto this status.
In principle, the data of deceased persons are not protected by the legislation on personal data.
Although the GDPR provides (Recital 27) that it does not apply to the personal data of deceased persons, it allows Member States to provide for rules regarding the processing of personal data of the deceased. In Italy, the Garante per la Protezione dei Dati Personali has recently clarified that deceased persons continue to be guaranteed the protections provided by the law on personal data.
Furthermore, the rights provided by the legislation on the protection of personal data can also be exercised subsequently, by those who can claim a certain personal interest in this regard, or act directly for the protection of the deceased or, more simply, for reasons of a familial nature (for example, access to the patient's health records by the relatives).
As mentioned, the data subject is the subject to whose personal data is the object of the processing activities. We will now analyse those who perform the processing of personal data:
In the context of research projects handled by the University, the subjects of reference are (except for the particular cases that will have to be considered specifically):
Personal data, in general, must be:
It is fundamentally wrong to think that the processing of personal data is lawful only when the data subject has given their free, informed, specific and unambiguous consent.
There are also other feasible avenues, as provided for by the GDPR, and it is sufficient to identify one legal basis for the processing to be lawful: i.e. the processing of personal data is lawful when it is necessary for the performance of a contract in which the data subject is part of; when it is necessary fulfilling a legal obligation to which the data controller is subject; furthermore, the processing could be necessary to safeguard the vital interests of the data subject or another natural person and, nonetheless, it may be necessary to carry out a task of public interest or one connected to the exercise of public powers the data controller is invested with.
The legislation on the protection of personal data provides a series of rights to the data subject, which relate to the control that the individuals can exercise over the use of their personal data.
Among the other rights, it is important to mention the right to access their personal data, extracting a copy, as well as the right to rectify, integrate, delete and de-index (also known as the "right to be forgotten"); again, it is important to mention the right to limit and oppose processing (especially in the case of direct marketing), as well as the right not to be subjected to automated processing and subsequent profiling; there is also the right to lodge a complaint to the Data Protection Authority for the protection of personal data and/or to bring a claim before the Court.
The legislation on the protection of personal data provides, for those who perform data processing operations, the obligation to provide the data subject - unless the law expressly requires it or the data subject is already in possession of the information or in extreme cases of force majeure and when it is impossible to find the recipients if not at disproportionate costs – with a clear, simple but specific explanation about the various aspects of the processing.
The dissemination and publication of personal data must take place in compliance with the 'need to know' principle, i.e. access to personal data must be guaranteed only to those who have a proven need to know this information.
Therefore, where not explicitly required by law or regulation, documents containing personal data may be disclosed to a general public only if (i) the personal data have been obscured or (ii) the persons concerned are not identifiable (for example, in case of the publication of aggregate data).
It should also be noted that the dissemination of special categories of personal data (see par. 1.3) to a general public, given the sensitivity of such data, is prohibited. It will be necessary to de-identify personal data in order to publish the documents including the abovementioned personal data.
The case of communication of personal data to Partners of the research project, to auditors or to those who have to review the results of the research is different: it is allowed if justified in writing and limited to those who have a proven need to know this information. Furthermore, only the data strictly necessary must be communicated and, in any case, respecting the security rules provided by the University.
Scientific research is the activity, conducted either by a single individual (scientist, professor, researcher, student, etc.), or by a team of scholars, dedicated to the fundamental purpose of improving and spreading knowledge in a specific area, in compliance with the methodological standards of each scientific disciplinary sector.
In particular, historical research involves the systematic investigation of people, figures, facts and circumstances that belong to the past. Statistical research is conducted to measure certain aspects of collective phenomena. Knowledge, in all its varied forms and manifestations, lives mainly in the universities, as well as in other institutions, bodies or scientific societies (being them public or private bodies) and whose institutional purpose is precisely to accomplish the activity recalled above.
And if the interest in the dissemination of knowledge is held by the entire community, in order to implement and improve scientific, historical or statistical research, it is needed to stress the importance that the processing of personal data assumes.
In general, scientific research is an expression of an interest of the entire community in the dissemination of knowledge; however, knowledge needs must be counterbalanced with the protection of everyone's fundamental right to control the use of their personal data.
It is common for the scholar to find himself having to carry out research involving some personal data recovered from databases, archives, registers, other research institutes, hospitals, companies, associations, ecclesiastical bodies, etc.
On the contrary, the personal data used for scientific purposes cannot be processed to make a decisions concerning the data subject, in the same way as further processing is not permitted that is an expression of intentions of a very different nature (for example, commercial advertising).
In practice, contacting the data subject could prove to be an impossible, extremely difficult and costly operation or require a decidedly disproportionate effort (for example, in the case of thousands of subjects who have provided blood samples). Also, in some instances, tracing each data subject would risk making the performance of the research impossible or seriously damage it.
Therefore, in dealing with data for such purposes - data collected from parties other than the data subject - the information is not due when it requires an exaggerated effort with respect to the right to protection of the personal data protected, provided that adequate guarantees arein place, even under the form of advertising of information (for example, insertion of an advertisement in national or local newspapers).
In the cases mentioned above, it is always advisable to keep written evidence of the reasons why it was considered that providing the information to the data subject constituted a disproportionate effort. This document must be kept with the rest of the project documentation.
It should be remembered that there are different legal conditions or, better, bases for the processing of personal data to be in compliance with the law (see FAQ 2.7). Therefore, it is sufficient to prove the existence of one of these legal basis to make the processing of personal data legitimate.
The consent to the processing of personal data must not therefore be collected on every instance. It has to be noted, however, that it is not necessary to obtain the consent to take part in the research, by specifying the purposes of the research, the operations that will be carried out in relation to personal data and providing information.
It is more probable then that other conditions of lawfulness rather than consent apply for the collection of data already available in archives, or otherwise made known directly by the data subject or, more generally, collected from other subjects, other than the data subject. This is not an exemption, of course, from the obligation imposed on the data controller to always inform the data subjects about the use of their personal data (unless exemptions apply).
It should be remembered that the data subject has the right to withdraw consent at any time - if the legal basis of the processing of personal data was consent and it was withdrawn, it will no longer be possible to extract information from the personal data collected. However, the information already collected remains unaffected in order not to alter the search results.
In the event that the research concerns the processing of special categories of personal data, the data subject’s explicit consent must be obtained before collecting this type of personal data. In cases where consent must be obtained, it is advisable to obtain it in writing and keep the document with the evidence of consent together with the rest of the research project documentation.
If it is not possible to obtain it in writing (for example in the case of an illiterate individual), it must be documented in writing, in any case, that consent was requested and was obtained.
In addition to the GDPR and the (updated) Privacy Code, the Garante per la Protezione dei Dati Personali has published the "Deontological rules for processing with statistical or scientific research objectives” that include further rules in relation to the processing of personal data in the research field.
In particular, the deontological rules define the behaviours that must be adhered to with regard to the processing of personal data in the research field and define the safeguards that must be put in place to protect the rights and freedoms of the data subjects. In particular:
A careful reading of the deontological rules is advised: non-compliance may result in the application of sanctions by the Garante.
The legislation on the protection of personal data, for processing activities carried out by the data controller or data processor established within the European Union, is also applied when the operations relating to personal data are carried out in a third country.
Therefore, in the event that the research is undertaken abroad, it will be necessary to comply with the European rules and the rules in force in the State where the scientific investigation activities are carried out.
In the case of the University, the legislation of reference is that of the European Union and Italy, except in cases where the processing of personal data involves other countries.
It may seem paradoxical to link the protection of personal data to a criterion of strong discrimination such as that based on citizenship.
It is natural that the regulation on the protection of personal data applies to every individual, regardless of their nationality or residency status.
Last update: 19/07/2019