To main content To main navigation
Research code UMCG

    Handling research data

    Content on this page

    Research data must be accurate, complete, reliable, and authentic, and it must be obtained and managed so that it complies with all relevant ethical and legal requirements, codes of conduct (Netherlands Code of Conduct for Research Integrity 2018 UNL and Code of Conduct for Health Research 2022, and FAIR data principles (in accordance with the UG Research Data Policy 2021). Good data management is important from the design phase to archiving.

    Data management

    Good data management starts with writing the research proposal, which should include attention to:

    Data management plan (DMP)

    In addition to the study protocol, all relevant aspects of research data and their management should be adequately described in a DMP before the start of a study, preferably using the UMCG DMP template. This contains all the necessary items and has been approved by the NWO, amongst others.

      • Compliance with relevant legislation and regulations, as described in this chapter
      • Improved research quality (for example, improved data quality and reproducibility)
      • Making the research data FAIR for reuse

      The latest version of the DMP approved by the principal investigator will be kept in the study file. The principal investigator is responsible for keeping the DMP up-to-date and for complying with it.

    Retention periods

    The retention period for research data is laid down in the study protocol or a DMP, and study participants should be informed about the retention period when their consent is requested.

    In general, a retention period of 10 years applies to research data (and associated biomaterials), but for medical-scientific research involving humans, the retention period depends on the type of research (NFU Guideline Quality assurance of research involving human subjects 2023).

    The retention period starts after the last research data of the last participant has been collected and is:

    • 30 years for research with advanced therapeutic medicinal products (medicinal products such as gene therapies, cell therapies, and tissue-engineered products)
    • 25 years for drug research
    • 10 years for research with non-implantable medical devices
    • 15 years for other WMO-governed and nWMO studies

    If encrypted personal data (see Personal data protection) are archived longer than the above-mentioned retention period, the extended retention period must be described in advance and substantiated in the study protocol. Unless the research data are archived completely anonymously, research participants must be informed in advance of the extended retention period and must have given their written consent.

    FAIR data

    As part of Open Science (see Open Science and Access), after scientific publication, the research data must meet the following criteria (FAIR):

      • All metadata of the research data, including contact details of the principal investigator and conditions for reuse, are recorded in a catalogue.
      • Research data are deposited in a repository unless they are personal data or subject to IP rights or contractual obligations.
      • All data necessary for reproducing or assessing the research are archived in a UMCG-approved archive, including associated scripts or software necessary for analysing the research data.

      • Data are kept for the required retention period (see Retention periods).
      • Conditions for accessing and re-using the data are clear.

      • Where possible, data are archived for the long-term in an open-source format or other common format within the field.
      • Data are archived with metadata according to standards of the field or, if these are not available, according to unambiguously defined vocabulary or ontologies that are common within the field.
      • Data are ideally machine-readable to enable interoperability with applications and workflows for analysis, storage, and processing.

    • Data are systematically documented, for example by adding Readme text files with explanations for uninvolved researchers. Other documentation includes:

      • How the data were obtained and processed (if data were reused: information about their origin)
      • A codebook or data dictionary
      • Documentation on decisions made and any differences between the versions of experiments and scripts
      • Version control
      • The file-naming convention used
      • The folder structure with an index
      • If the data are deposited in an open repository: a clear licence for reuse

    Using the FAIR-Aware tool (KNAW), researchers can check whether their research data meet the above criteria.

    FAIR data ≠ open data
    Research data can be included in an open repository if:

    • No contracts or IP rights prohibit it.
    • In the case of human research, the data are anonymised and the research participants have given permission for the storage of their anonymous data in the open repository.

    According to the guidelines of the Horizon Europe Programme, FAIR data are ‘as open as possible and as closed as necessary’. Complete anonymisation of subject data is often not possible. In those cases, the research data remain personal data, even when encrypted, and cannot be included in an open repository. For most UMCG data files, only the metadata will be findable. In the event of a request for reuse, encrypted research data may be made available if:

    • The study participant has given permission for this
    • The request complies with the conditions for reuse set out in the DMP
    • A written agreement has been drawn up and signed by both parties via the LCR (see Collaboration with external parties)
    • The reuse is registered in the UMCG Research Register
    • It is made available in a secure manner (SOP data transport)

    Personal data protection

    Protecting the privacy of research participants is crucial. This applies to directly traceable personal data (such as name and email address) indirectly traceable data (such as patient number), but also to encrypted data that can be traced back to an individual as these are also considered personal data. The collection, viewing, analysis, storage, making available, and destruction of personal data for scientific research is covered by the GDPR.

    Research data are encrypted (pseudonymised) at the earliest possible stage and stored separately from the directly traceable personal data. To access the directly identifiable personal data or the encrypted data, members of the research team need authorisation from the principal investigator. These authorisations are recorded in the DMP.

    Healthcare data of deceased patients are not covered by the GDPR, but they are covered by the WGBO. The privacy of these deceased patients must also be protected. The use of anonymous data is not covered by the GDPR or WGBO, but truly anonymous data are difficult to achieve in practice. IMO can help with this.

    Determining consent

    Personal data, including healthcare data, may only be used if there is a legal basis to do so. The starting point is the informed consent of the participant. Use of healthcare data without consent falls under the ‘No objection system’ and is only possible under certain conditions. The researcher must then run an objection check.

    • Patient healthcare data may be used without informed consent when one of the following grounds for exception applies:

      • Asking for informed consent is impossible in practice or an unreasonable requirement under the circumstances.
      • In view of the nature and purpose of the study, asking for informed consent cannot reasonably be expected.

      Use of healthcare data without consent is only allowed if all three conditions have been met: the research serves a public interest, the research cannot be conducted without the relevant data, and the patient has not objected to the use of their data for scientific research. The researcher should check this and store the report (objection check). All patients are informed about this at the beginning of the treatment relationship via the UMCG patient brochure or website.

      Requesting patients’ informed consent for the use of their healthcare data is impossible in practice or an unreasonable requirement under the circumstances when one or more of the following situations applies:

      • The patients have died.
      • The current contact details of the patients are possibly not correct.
      • Approaching the patients to ask for their consent would be too much of a burden for them.
      • Asking for consent would require an unreasonable effort from all parties involved due to the size of the patient group concerned.
      • There is a substantial risk of un-correctable bias (this argument is only valid in exceptional cases).

      The use of the care data in a study under the no objection system is recorded in the care file.

      For a detailed explanation, see the NFU guideline: Reuse of healthcare data for scientific research.

    Data minimisation

    Only the personal data needed to answer the research question may be collected for research. This means:

    • Measuring no more or no further variables than needed
    • Including no more research participants than needed

    In the study protocol, the choice of variables and the number of study participants must be substantiated.

    Data breach

    If someone has had, or could have had, unauthorised access to personal data, i.e., directly traceable, indirectly traceable, or coded data, this is a data breach. Losing personal data is also a data breach. A data breach must be immediately reported via the ‘Reporting portal’ button (next to the SOS button) on the UMCG intranet homepage or via UMCG telephone number (050 36)11111 in case of emergency.

    UMCG Research Register

    The UMCG Research Register is the register of research processing operations required by the GDPR. All WMO- and nWMO-governed research with humans conducted within the UMCG or by UMCG staff members elsewhere must be registered here. This also applies to research by another party in which the UMCG participates and provides data. In addition to this overview of the processing operations, the GDPR also requires the UMCG to have insight into the processing. To this end, the Research Register has been supplemented with a number of privacy items that together form the PIA light. For databanks and biobanks, an extensive PIA must be done via the Research Register. The completed PIA or PIA light is assessed against the GDPR and, if necessary, the WGBO by the IMO (for WMO and nWMO studies) or the PWO (for databanks and biobanks). Important aspects include (1) the researcher’s justification for using the no objection system when doing research with healthcare data (see Determining consent) and (2) the contracts (LCR).

      • Invasion of a research participant’s privacy should be kept to a minimum. For example, if encrypted data are sufficient, directly identifiable data may not be used.
      • Before statistical analyses, data should be converted into the least identifiable form that can be used without losing their value, for example by converting birth dates to age or age categories.
      • The entire process of collecting, analysing, sharing, and storing data must be properly protected against loss, theft, and unauthorised access or use.
      • Authorisations for access to the data should be limited to the staff involved in the study for whom access is necessary to do their work. Authorisations partly depend on the phase of the research process.
      • After the study is completed, temporary files and other non-essential data must be destroyed. Remaining essential data must be archived in a secure manner for the retention period specified in the DMP or research protocol. After that period ends, the data will be destroyed or completely anonymised.
      • Collaboration with third parties in the collection, management, and storage of data, or the provision of data to third parties, requires a written agreement between the UMCG and the third party. Every agreement is entered into via the LCR.

    UMCG-wide organisational and technical measures alone are not sufficient to protect the privacy of the research participants. Every researcher must educate themselves about the legislation, regulations, procedures, and guidelines relevant to their research and comply with them. For the GDPR, the e-learning module ‘Privacy in research’ has been developed for researchers both with and without a UMCG account. Via the UMCG Research support Service portal, information is available about secure storage/archiving and sharing of data, data management (including key lists), compliance with legislation and regulations, and research applications for GDPR compliance. For questions about the UMCG Research Register, please contact the SD CRO. For questions or advice on data protection and information security, please contact the IMO or the PWO.

    Ownership of data

    All research data generated by a UMCG researcher is, in principle, property of the UMCG. In consultation with the supervisors or the head of department, respectively, students and former staff members can make agreements via P&O about the use of research data after their departure, for example via a guest appointment at the UMCG. Under certain conditions, collaboration partners such as funders, companies, and other research institutions may be granted the right to use data (or biomaterials) for a specifically defined study. The agreements on this must be laid down via the LCR in a collaboration agreement. These contractual agreements may also cover publication rights, copyright, ownership of the data (or some of the data), and IP rights. If commercial companies are involved, the Innovation Centre can offer support in making these contractual agreements.

    Personal data (indirectly traceable, directly traceable, and coded data) and biomaterials are not the property of the UMCG in the ordinary sense of the word – the UMCG is the administrator. Research participants from whom these data have been collected have the right to:

    Researchers should point this out to research participants via a link to the UMCG privacy statement in the study information letter and by performing their obligations related to these rights. In the case of research under the no objection system (see Determining consent), patients are informed about the UMCG privacy statement through the UMCG patient brochure or website.

    Feedback about this page?

    Elizabeth Koier Policy Advisor Research Office