Management of the data collected is based on the guidelines described in the CIMeC General Data Protection Regulation, which applies Regulation (EU) 2016/679 “General Data Protection Regulation” (hereinafter “GDPR”), to scientific research. The two essential points to be considered when handling data are:
1) For any research project, the responsibility for the data processing procedure is assigned to the project PI; it is therefore essential that the PI, together with collaborators, define data processing right from the preparatory stages of the research project; a description of the procedure necessary for the PI to define data processing and the general CIMeC data-processing guidelines are detailed in the CIMeC General Data Protection Regulation.
2) Personal data processing is subject to severe privacy protection restrictions, violation of which entails legal risks for both the PI and CIMeC. Luckily, pseudonymisation and anonymisation allow for a far freer management of data, exempt from the restrictions to personal data processing. It is therefore best to comply with the dictates of the GDPR, which require the pseudonymisation/anonymisation of data as soon as possible along the treatment chain.
In addition, specific guidelines for the Experimental Psychology Laboratories follow, alongside suggestions on how to implement the necessary security protections for each stage of data processing.
Data collected and processed
The following types of data are collected and processed at the EPL:
- EEG data: the EEG recordings of participants, if named with a pseudonym code (a convention that prevents the identification of the subject without using additional information), become pseudonymised data;
- Physiological data: the timely recordings of the performance of certain physiological parameters (e.g. ECG, EEG, EGG, EMG, EOG, respiration, temperature, etc.), if named using a pseudonym code, become pseudonymised data;
- Eye movement/kinematic data: recorded data does not include the videos used to track the movement, meaning that saving with a pseudonym code again makes the data pseudonymised;
- Video data: video recordings of participant conduct. Because it is possible to identify a participant from video files, this data is not anonymous, even if named with a pseudonym code. Pseudonymisation is nevertheless recommended because it increases the protection of personal data;
- Reconciliation file: document associating the pseudonymisation code (and therefore collected data) with the contact and personal data of the participant;
- Pseudonym code: form that prevents the identification of the subject without using additional information.
The data collected at the EPL can be saved temporarily to the laboratory computers, but the processing and storage of the data is the exclusive responsibility of the researcher.
Data processing procedure
Researchers must adhere to the following guidelines:
- They are to access the laboratory computers using their UNITN credentials. They accept responsibility for managing all data present in their folders, limiting the storage space occupied and avoiding depositing personal data, apart from that strictly linked to the study being conducted, as per the indications given below;
- They are to name all files relating to the collected data (behavioural, EEG, physiological, eye movements, kinematic, video) with a pseudonym code;
- They are to enter participants’ personal data and the associated file names into the reconciliation file on the CIMeC share or, in exceptional cases in which it is difficult to immediately access such files, on a laboratory PC, making sure that this data is integrated into the reconciliation file on the share and deleted from the laboratory PC at the end of the trial session and, no matter what, by the end of the working day;
- The video data collected by the system for behavioural studies is saved on a video camera SD card. At the end of each trial session, video data must be copied to a protected folder of the CIMeC share, separate from that containing the reconciliation files, and must be deleted from the SD card;
- The data collected by the EEG recording system is saved to a folder on the acquisition PC. At the end of each trial session, this data must be copied to a protected folder of the CIMeC share, separate from that containing the reconciliation files, and must be deleted from the acquisition PC. If pseudonymised, EEG data can also be saved to a protected folder of a CIMeC PC, as long as the PC disk is encrypted, access to the PC is possible only via a sufficiently strong username and password in line with the university policy and a backup has been saved to the CIMeC share;
- For physiological data, the tracking of eye movements and kinematics, the indications given at the previous point for EEG data must be applied;
- CIMeC refuses all and any liability for the storage of data saved to the laboratory computers;
- As soon as possible (especially quickly, if participants are not expected to be called back for a subsequent trial session), delete the reconciliation file. At this point, the pseudonymised data becomes anonymised and is no longer subject to any protection restrictions.
If the data processed under the scope of the research should be breached, to such extent as to entail the loss, destruction or undue dissemination of personal data, a report must be made to the Data Protection Authority in the manner set out by the UniTrento procedure, available here: https://www.unitn.it/ateneo/2077/privacy-e-protezione-dei-dati-personali.
Back to EPL home page
Back to EPL home page