The protection of sensitive and personal data is a fundamental responsibility in research. At the University of Milan, we are committed to supporting researchers in the responsible management of such data, in accordance with Regulation EU 2016/679 - General Data Protection Regulation (GDPR) - and recognised ethical standards.
Sensitive data require special protection because of the harm that unintentional disclosure can cause. The term can cover non-human data, such as ecological information or commercial insights, that must remain confidential, but it primarily refers to the special categories of personal data listed in Articles 9 and 10 of the GDPR: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed to uniquely identify a person, and data concerning health, sex life or sexual orientation. Data relating to criminal convictions and offences are also subject to enhanced protection. Note that names, addresses and identification numbers are personal data, but they are not considered sensitive unless they reveal one of the protected characteristics defined by law.
USEFUL LINKS:
- Data protection under GDPR
- Type of sensitive data
- Approaches in the diverse life sciences' domain
- European legislation on open data
- Publishing sensitive data guide

Legal Framework and Responsibilities
Anonymisation and pseudonymisation are not the same safeguard. Anonymisation irreversibly removes the link between a person and the data derived from surveys, tests or studies about that person, so that the result is no longer personal data. Pseudonymisation replaces direct identifiers with codes while the key or mapping needed for re-identification is kept separately (Article 4(5) of the GDPR); pseudonymised data remain personal data and stay fully within the scope of the GDPR.
Article 89 of the GDPR, together with Articles 110 and 110-bis of Legislative Decree 196/2003 (the Italian Privacy Code), sets out the specific conditions under which personal data may be processed for scientific research, provided that several requirements are met. The University of Milan, represented by the Rector, is the data controller for the research activities carried out under its auspices. In multi-centre or collaborative projects there may be joint controllers, which requires a formal agreement defining the responsibilities of each organisation involved. Where third parties process data on behalf of the University, they act as data processors bound by contracts that ensure compliance with the GDPR. The Data Protection Officer (DPO) oversees privacy and data protection practices and is available to guide researchers through the relevant procedures. Also contact UNIMI's technology transfer and IP office if your research will use other parties' non-public data, if you need to share non-public data or proprietary material, or if you expect your results to be innovative with industrial application. Similarly, contact the University's ethics committee if your research involves experiments on humans and/or animals; in these cases also check this guide.
Researchers must define the scientific purpose of their project and adhere to the principle of data minimisation, collecting only the data that are essential to the study. If the data are sensitive, the level of care must be proportionately higher, both in their management during the research project and in any anonymised sharing at its end, including strict technical and organisational safeguards such as encryption, access restrictions and regular risk assessments. Every processing operation needs a lawful basis under Article 6 of the GDPR; in research this is most often the informed consent of the participants (for special categories of data, explicit consent under Article 9(2)(a)). Whatever the basis, you must clearly inform individuals who is processing their personal data and why. Consent must be freely given, specific, informed and unambiguous, and the records documenting it must be kept for the duration of the research. For researchers who need a starting point for drafting consent forms, the DARIAH Consent Form Wizard provides valuable guidance, particularly in the humanities.
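As an added illustration (this is not code from the University's guidance; the column names, the sample records and the key-handling helper are constructed for the example), the Python script below shows what the pseudonymisation and anonymised-sharing safeguards described above look like in practice: direct identifiers are replaced with keyed HMAC tokens whose key is held by the controller apart from the data, a plain unkeyed hash is shown to be reversible by a dictionary of known e-mail addresses, and a group-size check over quasi-identifiers is run before a dataset is released as anonymised.

```python
"""Pseudonymisation and a pre-release anonymity check (added example, not UNIMI code).

Assumptions: a CSV extract with one direct identifier column ('email') and the
quasi-identifiers 'age_band' and 'postcode'; all records below are constructed.
"""
import csv
import hashlib
import hmac
import io
import secrets
from collections import Counter
from typing import Callable, Optional

# Constructed sample extract: direct identifier, two quasi-identifiers, one
# special-category attribute (health data, Article 9 GDPR).
SAMPLE_CSV = """email,age_band,postcode,diagnosis
anna.rossi@example.org,40-49,20122,asthma
luca.bianchi@example.org,30-39,20122,diabetes
anna.rossi@example.org,40-49,20122,hypertension
marta.conti@example.org,40-49,20122,asthma
paolo.ferri@example.org,30-39,20133,asthma
"""

# Constructed list of addresses an attacker might already hold (a staff
# directory, a mailing list) and would use to reverse unkeyed hashes.
KNOWN_EMAILS = ["mario.verdi@example.org", "anna.rossi@example.org",
                "luca.bianchi@example.org"]


def new_pseudonymisation_key() -> bytes:
    """256-bit random key. This is the 'additional information' of Article 4(5):
    keep it with the controller, separately from the pseudonymised dataset,
    and never ship it with data that leaves the project."""
    return secrets.token_bytes(32)


def normalise(identifier: str) -> str:
    """Same person, same token: trim and lower-case before keying."""
    return identifier.strip().lower()


def pseudonym(identifier: str, key: bytes) -> str:
    """Deterministic keyed token (HMAC-SHA256, truncated to 128 bits). Repeated
    measurements of one participant stay linkable inside the project, but
    without the key the token cannot be mapped back to the person."""
    mac = hmac.new(key, normalise(identifier).encode(), hashlib.sha256)
    return mac.hexdigest()[:32]


def unkeyed_hash(identifier: str) -> str:
    """What NOT to do: a plain hash of a low-entropy identifier (e-mail,
    codice fiscale) is reversible by anyone who can enumerate candidates."""
    return hashlib.sha256(normalise(identifier).encode()).hexdigest()


def recover(token: str, candidates: list, token_fn: Callable[[str], str]) -> Optional[str]:
    """Dictionary attack: re-derive the token for each candidate and compare.
    Succeeds against unkeyed_hash, fails against pseudonym() without the key."""
    for candidate in candidates:
        if hmac.compare_digest(token_fn(candidate), token):
            return candidate
    return None


def pseudonymise(csv_text: str, key: bytes, id_field: str) -> list:
    """Drop the direct identifier column and add a keyed participant_id."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        out = {k: v for k, v in row.items() if k != id_field}
        out["participant_id"] = pseudonym(row[id_field], key)
        rows.append(out)
    return rows


def smallest_group(rows: list, quasi_ids: tuple) -> int:
    """Size of the smallest equivalence class over the quasi-identifiers
    (counted in rows, not distinct people). A release is k-anonymous only if
    this is >= k; a group of size 1 is re-identifiable by anyone who knows one
    participant's age band and postcode, even with the identifier removed."""
    counts = Counter(tuple(r[q] for q in quasi_ids) for r in rows)
    return min(counts.values())


def generalise(rows: list, field: str, keep: int) -> list:
    """Coarsen a quasi-identifier (keep only its first `keep` characters) so
    that small groups merge; re-run smallest_group() afterwards."""
    return [{**r, field: r[field][:keep] + "*" * (len(r[field]) - keep)} for r in rows]


if __name__ == "__main__":
    key = new_pseudonymisation_key()          # held by the controller only
    rows = pseudonymise(SAMPLE_CSV, key, "email")
    print("unkeyed hash reversed to:", recover(unkeyed_hash("anna.rossi@example.org"),
                                               KNOWN_EMAILS, unkeyed_hash))
    print("keyed token reversed to: ", recover(rows[0]["participant_id"],
                                               KNOWN_EMAILS, unkeyed_hash))
    print("smallest group before generalisation:",
          smallest_group(rows, ("age_band", "postcode")))
    coarse = generalise(rows, "postcode", 3)
    print("smallest group after generalisation: ",
          smallest_group(coarse, ("age_band", "postcode")))
```

Two points the script makes that the prose above only states: removing the identifier column is not anonymisation while the remaining columns single people out (the smallest group over age band and postcode is 1 until the postcode is coarsened), and the pseudonymisation key is the sensitive artefact, so it belongs in the controller's key store rather than in the shared dataset or the analysis repository.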
Note that if your project involves transferring data to countries outside the European Union, this is only permitted if the destination country provides adequate protection or if appropriate contractual safeguards are in place (check the rules here). Even when transferring data between EU member states, and even when the data are not sensitive, take special care to protect their integrity and confidentiality in transit: use an encrypted transfer channel and verify the identity of the recipient before sending.
Incorporating GDPR and Sensitive Data into Your Research Management Plan
Programmes such as Horizon Europe require each project to produce a Research Data Management Plan (DMP). This plan details how data will be collected, stored, processed, preserved and, where appropriate, shared. When sensitive data are involved, it is crucial to:
- Identify data types: Clearly identify which data is sensitive or personal.
- Outline data collection: Explain the methods and legal basis for data collection, noting how consent is obtained or what exemptions apply.
- Describe safeguards: Indicate whether data will be anonymised or pseudonymised and describe the technical safeguards in place (e.g. encryption, access control).
- Plan for storage and retention: Provide a rationale for storage locations, retention periods, and eventual anonymisation or deletion strategies.
- Address sharing and disclosure: If data will be shared - whether internally or externally - clarify under what conditions and in what form (aggregated, anonymised).
- Manage risks: Carry out a Data Protection Impact Assessment (DPIA) when dealing with high-risk processing, detailing the risks identified and mitigation measures.
Social Media and Publicly Available Data
Researchers collecting data from social media or other public platforms need to ensure that they have a lawful basis for doing so. Publicly available posts are often still considered personal data if they contain identifiable details, meaning that GDPR principles apply. Depending on the scope of the study, it may be necessary to inform subjects (where possible) or provide a prominent privacy notice online. The terms and conditions of each platform should also be reviewed and adhered to.
Copyright and Third-Party Materials
When using or uploading content that may be protected by copyright, researchers need to check that the work is still in copyright. Even material in the public domain may have modern reproductions or digital versions that are protected. For copyrighted material, explicit permission from the rights holder is required. All sources and authors should be properly acknowledged, and the use of standard open licences is encouraged wherever possible.