Management of the data collected is based on the guidelines described in the CIMeC General Data Protection Regulation, which applies Regulation (EU) 2016/679 “General Data Protection Regulation” (hereinafter “GDPR”), to scientific research. The two essential points to be considered when handling data are:
1) For any research project, the responsibility for the data processing procedure is assigned to the project PI; it is therefore essential that the PI, together with collaborators, define data processing right from the preparatory stages of the research project; a description of the procedure necessary for the PI to define data processing and the general CIMeC data-processing guidelines are detailed in the CIMeC General Data Protection Regulation.
2) Personal data processing is subject to severe privacy protection restrictions, violation of which entails legal risks for both the PI and CIMeC. Luckily, pseudonymisation and anonymisation allow for a far freer management of data, exempt from the restrictions to personal data processing. It is therefore best to comply with the dictates of the GDPR, which require the pseudonymisation/anonymisation of data as soon as possible along the treatment chain.
In addition, specific guidelines for the Experimental Psychology Laboratories follow, alongside suggestions on how to implement the necessary security protections for each stage of data processing.
Data collected and processed
The following types of data are collected and processed at the EPL:
EEG data: the EEG recordings of participants, if named with a pseudonym code (a convention that prevents the identification of the subject without using additional information), become pseudonymised data.
Physiological data: the timely recordings of the performance of certain physiological parameters (e.g. ECG, EEG, EGG, EMG, EOG, respiration, temperature, etc.), if named using a pseudonym code, become pseudonymised data.
Eye movement/kinematic data: recorded data does not include the videos used to track the movement, meaning that saving with a pseudonym code again makes the data pseudonymised.
Video data: video recordings of participant conduct. Because it is possible to identify a participant from video files, this data is not anonymous, even if named with a pseudonym code. Pseudonymisation is nevertheless recommended because it increases the protection of personal data.
Reconciliation file: document associating the pseudonymisation code (and therefore collected data) with the contact and personal data of the participant.
Pseudonym code: form that prevents the identification of the subject without using additional information.
The data collected at the EPL can be saved temporarily to the laboratory computers, but the processing and storage of the data is the exclusive responsibility of the researcher.
Data processing procedure
Researchers must adhere to the following guidelines:
If the data processed under the scope of the research should be breached, to such extent as to entail the loss, destruction or undue dissemination of personal data, a report must be made to the Data Protection Authority in the manner set out by the UniTrento procedure, available here: https://www.unitn.it/ateneo/2077/privacy-e-protezione-dei-dati-personali.