Privacy in Data Storing & Licenses

Privacy in Data Storing and Publication

In psychology, the most pressing issue in this context is probably the handling of sensitive data. In Germany the handling of sensitive data is legally anchored within the Federal Data Protection Act (BDSG, Bundesdatenschutzgesetz, Bundesministerium der Justiz und für Verbraucherschutz, 2018). Specifically, the BDSG sets the framework for processing person related research data. Within the BDSG, a definition of the term ‘personal data’ is provided. The BDSG regulates, among other things, that informed consent must generally be obtained when personal data are collected and processed, and introduces exceptions to this rule, e.g., under which circumstances research interests override the right of informational self-determination of participants.

Moreover, German data protection demands specific protection for specific kinds of personal data (BDSG § 46 (14)). Researchers are not allowed to collect, process or publish this kind of data without explicit consent of participants, that refers to the specific kind of personal data. An extensive list with examples of special kinds of personal data (only German) was put together by Datenschutz-Wiki. Following this list, psychological data such as character traits or education do not fall under special kinds of personal data, while information about diseases/disorders, diagnoses and disease/disorder severity are specific kinds of personal data and, thus, involve higher requirements on data protection. German data protection further demands that “details which help to assign data about personal or factual circumstances to a certain or ascertainable person have to be stored separately. They may only be merged with the data if that is required by the purpose of the research” (BDSG § 27 (3)). Thus, documents, which allow relating research data to a specific person (e.g. signed informed consent sheets), have to be stored separately from the research data. Moreover, personal data have to be deleted as soon as they are no longer needed to fulfil the research’s purpose (BDSG; Cooper, 2016).

Beyond these legal requirements the DGPs recommends the following: Not fully anonymized data should be non-publicly archived for at least 10 years (DGPs, 2016). The anonymization process has to be documented (DGPs, 2016).

Licenses

Assigning licenses to data is vital to make other researchers know if and under which circumstances they can use the shared data. The probably most frequently used licenses for data are Creative Commons Licenses. Creative Commons is global nonprofit organization which offers six different licenses and guidance on the usage of those licenses. As the FAQ of Creative Commons (2016) states: “All of our licenses require that users provide attribution (BY) to the creator when the material is used and shared. Some licensors choose the BY license, which requires attribution to the creator as the only condition to reuse of the material. The other five licenses combine BY with one or more of three additional license elements: NonCommercial (NC), which prohibits commercial use of the material; NoDerivatives (ND), which prohibits the sharing of adaptations of the material; and ShareAlike (SA), which requires adaptations of the material be released under the same license.” Another option is to assign a CC0 license to the data which actually means that all rights on the data are waived. In contrast to CC-BY licenses, there will be no (legal) requirement to cite the creator of the data if this option is chosen (although scientific standards still apply naturally). It should be noted that Creative Commons Licenses only cover the public use of data and not the scientific use. For more information on the scientific use licenses applied in the PsychArchives repository of ZPID please visit the following page: https://www.psycharchives.org/en/about