In qualitative social sciences, research often involves sensitive data from study participants. Ethical research considerations and data protection regulations require that the identities of researched individuals be safeguarded. It is therefore crucial to address data protection as early as possible and repeatedly throughout the research process, developing strategies to protect personalPersonal data includes: 'any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person(…)” (EU GDPR Article 4 No. 1, 2016; BDSG §46 para. 1, 2018; BlnDSG §31, 2020). Read More and especially sensitive dataWithin the category of personal data, there is a subset known as special categories of personal data. Their definition originates from Article 9(1) of the EU GDPR (2016), which states that these include information about the data subject’s: Read More of study participants.

If personal data is processed during research – meaning any form of handling personal data from collection to deletion – the general principles for processing personal data apply (§ 32 BlnDSG, 2018). These principles stipulate:

• The processing of (special categories of) personal data requires explicit consent from the affected person (see article on informed consent). Processing must be conducted only for specified and clear purposesThe processing of personal data is only permissible for specified and clear purposes. These purposes should ideally be determined as precisely as possible before data collection and, where feasible, documented in a consent form as part of the research project. Further processing steps are tied to this initial purpose. If the purposes change or expand during the research project – for instance, if new research questions arise during data analysis – additional consent from the affected individuals may need to be obtained. Data must be deleted once the purpose has been fulfilled. Read More, which should be defined as precisely as possible before data collection and documented within the research project and, if possible, in a consent formInformed consent refers to the agreement of research participants to take part in a study based on the basis of comprehensive and understandable information. The design of an informed consent must address both ethical principles and data protection requirements. Read More. Further processing steps must align with this purpose. If research purposes change or expand – for example, if new research questions arise during data analysis – new consent may need to be obtained.
• The extent of personal data processing must be proportionate to the purpose. This means collecting and processing only the minimum necessary personal data.
• Personal data must be accurate. Individuals have the right to request corrections to incorrect data (§ 44 BlnDSG, 2018).
• Researchers must ensure the security of personal data. This includes protection against unauthorized access or data loss, which can be achieved through secure server storage, backups, and access restrictions (see articles on data storage and data security).
• Personal data must be deleted once it has fulfilled its research purpose. Exceptions include data intended for reuse in future research, which must first be anonymized or pseudonymized unless explicit consent for storing and reusing non-anonymized data has been obtained (see articles on anonymization and pseudonymization).

Since written consent forms themselves contain personal data (such as a signature), they must be stored separately from the actual research data.

If obtaining consent is not possible, personal data must be prepared at the time of collection – e.g., through anonymizationAccording to the German Federal Data Protection Act (BDSG § 3, para. 6 in the version valid until May 24, 2018), anonymization is understood to mean all measures for modifying personal data in such a way 'that the individual details about personal or factual circumstances can no longer be assigned to an identified or identifiable natural person, or can only be assigned to an identified or identifiable natural person with a disproportionate investment of time, cost and labor.” Anonymized data is therefore data that does not (or no longer) provide any information about the person concerned. As such, it is not subject to data protection or the General Data Protection Regulation (GDPR). Read More – to minimize the risk of identification. This presents an ongoing challenge: balancing the collection of comprehensive and precise data necessary for later analysis with ensuring the protection of study participants (RatSWD, 2020).

Evidence in Data Affairs

Data Protection