To provide a structured overview of how to handle and protect privacy sensitive data against unauthorized access, theft, and loss.


  • To structurally follow the instructions described in this guideline.



  • Document all important decisions made while following the instructions in this guideline.



Executing researcher:
  • To make sure all aspects of this guideline are considered regarding privacy sensitive data;
  • To make sure all persons who have access to the privacy sensitive data sign or have signed a privacy statement;
  • To document important decisions made regarding privacy sensitive data;
  • Perform checks on the implementation of the security measures in this guideline;
  • To make sure the research assistant(s) stick(s) to the Code of conduct for medical research;
  • Be alert!
Project leaders:
  • To make sure the executing researcher sticks to the Code of conduct for medical research;
  • To make sure all aspects of this guideline are considered regarding privacy sensitive data;
  • To sign the confidentiality agreement;
  • To make sure a list is set up including all persons who (will) have access to the privacy sensitive data (click here for Dutch version and here for English version) and to let them sign the confidentiality agreement (click here);  For interships is a more extensive agreement available
  • To register study details to the Centraal meldpunt gegevensverwerking of your organisation (VUmc: follow this link; AMC: follow this link; VU: follow this link)
  • Be alert!
Research assistant:
  • To sign the associated confidentiality agreement;
  • To follow the instructions regarding handling privacy sensitive data in this guideline;
  • Be alert!

How To

This guideline must be used as a guidance to correctly handle and protect privacy sensitive data. The most important aspect to note is this: when you are uncertain about aspects regarding privacy sensitive data it is important to contact the Quality Officer of APH or the privacy officer of your organisation!
Privacy statement: Algemene privacy verklaring
Handling privacy sensitive data daily
  • Never share access to accounts (your VUmc account), not to a new colleague, not to a student, etc.;
  • When leaving the office during the day: lock your computer screen, even if you leave for a few moments;
  • When leaving the office at the end of the day: clean your desk and put everything in a secure and locked storage;
  • Store all data on the project file on the network. Do not use the C-drive or USB storage;
  • Be alert!
  • Help your colleagues to be alert: address them when sensitive information is unintentionally accessible.
When is permission needed for the use of data?
Anonymous data can be used without any restriction. Examples of anonymous data are statistical data from the Centraal Bureau voor de Statistiek or number of patients who visited a hospital. Anonymous data is data which can only lead to identification of the natural person after application of unreasonable means or disproportionate time and effort.
Warning: anonymous data can be confidential because of agreements, research data prior to patent filing or competitive reasons.
The main principle about personal data is to ask for informed consent to use or collect data. If the request for consent cannot in all fairness be required, for example because this would cost a disproportionate amount of effort, data can under certain conditions be used for research without consent. Contacting the privacy officer or send a non-WMO proposal to the METc is obligatory if you estimate that informed consent can not be obtained.
New privacy regulation: GDPR/AVG
On May 25, 2018 the General Data Protection Regulation (GDPR; Algemene Verordening Gegevensbescherming AVG) came into effect. This regulation comes with additional requirements with regard to informed consent. In general, the GDPR/AVG means that:
  • It has to be proven that a research project complies with GDPR. This means you should document very well what you do and why. This documentation has to be available after finishing the project.
  • Study subject have to be informed better and more precise (see informed consent).
  • Study subjects obtain new rights (for information: more transparency with regard to how and where data are handled; to withdrawal; to be forgotten; restricted to data that were not processed for scientific publications yet; to complain to the Privacy Officer or the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
  • Written agreements are needed for handling (f.i. sharing, collecting, saving ) data by third parties.
  • The use of genetic data has to comply to more strict regulations
  • Every project (that collects privacy sensitive data) needs to conduct a Privacy Impact analysis (PIA).
Handling data
  • Make sure to de-identify the data during collection or directly after collection. This can be done by removing names, addresses, telephone numbers and IP addresses from e.g. datasets, transcripts and fieldnotes;
  • Make sure to only process coded data (data that cannot be traced back to the individual person);
  • Collect only the variables you really need to answer your research question. Remove variables which you do not need to answer the specific research question in the data set used for analysis. This reduces the chances on identification of the individual person;
  • To reduce identification risks: aggregate and substitute variables where possible. For instance change birth data into age, reduce the numbers in postal codes, use BMI instead of body mass and length;
  • Store and process data always on the network drives of the organisation. Use data encryption when working outside the network . See for instructions  encryption, below the table Classification data for storage and transport;
  • Never use email or open internet connections to transport identifying data including video and sound recordings, such as wetransfer, FTP (see also table Classification data for storage and transport).

Obligatory incident reporting
  • All incidents with privacy sensitive data must be reported to the privacy officer of your organisation without any delay
  • Examples of incidents (a “datalek”) are:
    • Loss or theft of data carriers like USB sticks, portable drives laptops, tablets and data on paper;
    • Hacking of databases, websites, computer systems;
    • Wrongly sent e-mail or letter with personal data;
    • Personal data that were destroyed mistakenly;
    • Viewing the patient file of a family member or acquaintance;
    • Sharing a file or document containing more personal data than necessary with a colleague.
  • The Data protection authority has the power to impose fines up to €20.000.000 for not reported incidents!
Outsourcing: the use of third party services to store, transport, collect or process data
Examples of services: web based questionnaires, scan services, transcribing records, polling agency, webhosting, cloud storage etc.
  • Third party services may only be used after written agreements are made about:
    • Secrecy,
    • Security arrangements, technical maintenance,
    • Handling incidents,
    • Destruction of data after termination.
  • Only use services approved by the organisation.
    Jurists of the team at IXA can help you drawing up agreements
Storage and Transport of data
The storage of (privacy) sensitive and confidential information must be secure. The transportation of privacy sensitive data is only allowed when strictly necessary and with appropriate safety measures. Consult the table Classification data for storage and transport for some practical advice.
Paper questionnaires and data on paper
  • The only data on a questionnaire which can be directly identified is the respondent number;
  • For verification purposes, identifiers (like a name) may be present on the front page. The front page must not contain any research data. Immediately after verification, the front page must destroyed;
  • Never store identifying data on images of the paper data!
Students and temporary co-workers without employment agreement
These research assistants or other project members are not allowed to have access to or process privacy sensitive data without a written and signed confidentiality agreement.
  • Check the data set(s) for (remaining) identifiers;
  • Remover identifiers still present or de-identify these data;
  • Destroy key files and administrative databases. The only exception for not destroying is a written consent of the participant or a legal obligation like Good Clinical Practice;
  • Unsubscribe your project with the Centraal Meldpunt Gegevensverwerking, using the link you received when subscribing.
Privacy Definitions 
  • Anonymous data: data which can only lead to identification of the natural person after application of unreasonable means or disproportionate time and effort.
  • Personal data: every fact about an identified or identifiable natural person;
  • Personal data which can be directly identified: data that the researcher can use to directly identify, or in combination with more information can use to identity of the individual person.
  • Personal data which can be indirectly identified: data which cannot be used to directly identity the individual person, but does make it possible for the researcher to identify the individual person without spending a disproportionate amount of time and effort;
  • Data used for communications: data, such as last name, first name, initials, title, sex, date of birth, address, postal code, city, telephone number, email address, social media identifiers and other data needed for communication;
  • Coded data: data which does not directly include identifying personal data and which have been encoded such that the identity of the individual person can only be determined by the intervention of the supplier or an independent third party and after application of the key to the code.
Classification data for storage and transport
Storage and transport
Internal network
Sending external email
Encrypted** transport on mobile device (USB stick, laptop, tablet, etc.)
Cloud computing only allowed on VUmc approved clouds***
Classification of data
External public
No restrictions
No restrictions
  No restrictions
 No restrictions
No restrictions
Published research, conducted lectures and presentations
 In a locked storage cabinet
 In a secured project directory, only accessible for the project team
 Allowed when encrypted documents
Allowed with encrypted documents
Unpublished research, identifiable datasets
Highly confidential
In a locked storage cabinet and locked room
In a secured project directory, only accessible for the project team
Not allowed. Except when there is a written agreement approved by the head of the department and the file is encrypted
Only allowed when strictly necessary and the file is encrypted
Allowed with end to end encryption
Personal medical data, personal data of co-workers
Video and sound recordings
Key records, address records, respondent databases

Encryption tools
7 zip can be used to encrypt sensitive data. Use 265-aes as an encryption method and a long ( at least 12 characters) password. Do not send the encrypted file and password both by email. Send the password  through a different  channel.
See here for instructions how to encrypt with 7 zip
SurfFile sender
SurfFile sender is available for encrypting and sending files to anybody.
Secure USB stick
Secure, encrypted,USB sticks, working under view can be ordered.
Data sharing tool
Surfdrive is an approved cloud storage for public and medium sensitive data.

If you still have some questions or something is not clear, then please contact the Quality officer of APH or the privacy officer of your organisation for questions about confidentiality aspects.


Audit questions
  • Are confidential details being collected in the project?
  • Which members of staff have access to confidential research data?
  • Has a confidentiality agreement been signed by all staff who have access to confidential research data?
  • Has the researcher taken the necessary measures regarding the safeguarding of files with confidential information?
  • Will separate, anonymized data be made available to individuals outside your organisation? If so, has a transfer agreement been signed for this?
  • Are the input databases and other files with confidential information in a directory on the network?
  • Has the project been registered with the Privacy Officer? (Centraal Meldpunt Gegevensverwerking)

V 2.4: 31 Jul 2018: updated into APH and added GDPR/AVG
V 2.3: 22 March 2017: updated, addition of serveral tools
V2.2: 16 Sep 2016: Addition of links to registration form for admission to sensitive data
V2.1: 20 May 2016: Minor textual corrections
V 2.0: 12 June 2015: Revision format and updated, addtion of data breach
V 1.4: 28 Jan 2013: Name change from Ready to Go to Law and Regulations and update
V 1.3: 1 Jan 2009: Translation into English and update
V 1.2: 22 Jan 2009:  TIP non WMO project
V 1.1: Sept 2006: Addition of trial registration and Population Screening Act (WBO)