Management of the data collected at the BabyLab is based on the guidelines described in the CIMeC General Data Protection Regulation, which applies Regulation (EU) 2016/679 “General Data Protection Regulation” (hereinafter “GDPR”), to scientific research. The two essential points to be considered in data management are:
1) For any research project, the responsibility for the data processing procedure is assigned to the project PI; it is therefore essential that the PI, together with their collaborators, defines data processing rights from the preparatory stages of the research project.
2) The processing of personal data is subject to strict restrictions protecting privacy, breach of which entails legal risks for both the PI and CIMeC. Luckily, pseudonymisation and anonymisation allow for a far freer management of data. It is therefore best to comply with the dictates of the GDPR, which require the pseudonymisation/anonymisation of data as soon as possible along the treatment chain.
For a description of the procedure necessary to define data processing by the PI and for the general CIMeC data processing guidelines, refer to the CIMeC Data Protection Regulation. Below is a description of the specific guidelines of the BabyLab, with operative suggestions to implement the necessary security protection for each stage of data processing, including the aim to pseudonymise/anonymise data as quickly as possible in the processing chain, releasing the restrictions on personal data processing.
Data collected and processed by the BabyLab
The following types of data are collected and processed by the BabyLab:
EEG data: EEG recordings of participants – if named with a pseudonym code (a procedure that prevents the identification of the subject without using additional information), this data becomes pseudonymised.
Video data: video recordings of participant behaviour – because it is possible to obtain the identity of the participant from the video files, this data is not anonymous, even if named with a pseudonym code. Pseudonymisation is still always recommended because it increases the protection of the personal data.
Reconciliation file: document associating the pseudonymisation code (and therefore the collected data) with the contact and personal data of the participant. Personal data.
The data collected at the BabyLab (behavioural, EEG, video) can be temporarily saved to the BabyLab computers, but processing and storage of the data is the exclusive responsibility of the researcher.
Data processing procedure.
Researchers must adhere to the following guidelines:
- They are to access the laboratory computers using their UNITN credentials. They accept responsibility for managing all data in their folders, limiting the storage space and avoiding depositing personal data, apart from that strictly linked to the study being conducted, as per the indications given below.
- They are to name all files relating to the collected data (behavioural, EEG, video) with a pseudonym code.
- They are to enter participant data and associated file names into the reconciliation file on the CIMeC share or, in exceptional cases in which it is difficult to immediately access such files, on a laboratory PC, making sure that this data is integrated into the reconciliation file on the share and deleted from the laboratory PC at the end of the trial session and, no matter what, by the end of the working day.
- The video data collected by the system for behavioural studies is saved on a video camera SD card. At the end of each trial session, video data must be copied to a protected folder of the CIMeC share, separate from that containing the reconciliation files, and must be deleted from the SD card.
- The EEG and video data collected by the system for EEG studies is saved to a folder of the PC used for EEG data acquisition. At the end of each trial session, this data must be copied to a protected folder of the CIMeC share, separate from that containing the reconciliation files, and must be deleted from the PC acquiring EEG data. If pseudonymised, EEG data can also be saved to a protected folder of a CIMeC PC, as long as the PC disk is encrypted, access to the PC is only possible via a sufficiently strong username and password in line with university policy and a backup has been saved to the CIMeC share.
- CIMeC refuses all and any liability for the storage of data saved to the laboratory computers.
- As soon as possible (especially quickly if participants are not expected to be called back for a subsequent trial session), delete the reconciliation file. At this point, the pseudonymised data becomes anonymised and is no longer subject to any protection restrictions.
Back to: BabyLab Home Page