Policy for the management and conservation of project documents


POLICY FOR THE STORAGE AND FILLING OF THE DOCUMENTS RELATED TO RESEARCH PROJECTS CONCERNING THE HUMAN BEING AT CIMeC
Introduction
On September, 30th, 2021, the Dean issued a decree, n. 981, titled “Compliance and instructions related to the treatment of personal data” which, among other issues, specified the duties for the people responsible for the scientific research projects (Appendix 2).
Each person responsible for a research project (the Scientific Manager) that involves the treatment of personal data is also appointed to complete the following tasks (according to article 12 of the University Rules for data protection):
- Filling in a privacy form for all research projects (including those not subject to the evaluation of the ethical committee of the university), before the beginning of the research;
- Select the people responsible and authorized for the treatment of personal data, instruct them about the specifics of the research project, and periodically monitor their work and their training in relation to data protection;
- Verify if the research project necessitates one or more system Administrators. If that is the case, they need to be presented to the person in charge of the department (the director of CIMeC) so that they can be officially designated;
- Provide the participants to the study with information about the treatment of sensible data according to articles 13 and 14 of GDPR, and obtain consent to the treatment of data;
- When the personal data needs to be shared with external organisations, verify the need to sign a sharing agreement or nominate a person in charge of the treatment of data (if necessary, with the support of the Office for research services, the University office for Privacy and the RPD), send a copy to the office for privacy, and record the data in the designated section of the Register for the treatment of personal data (art. 30, par. 1 and 2 of GDPR);

- Define the period of storage of the documents, based on the duration of the research project;
- Deposit the documents of the research project (privacy form, information and consent form) at the office of the relevant department, who will store it for five years from the planned end of the research;
- Take part in courses and workshop events on the treatment of personal data.
The university will monitor the fulfilment of the tasks, including by means of periodical audits.
Appendix 2 of the decree provides specific information about funded research projects, where the treatment of personal data is a central element (e.g. activities where data is obtained with new technologies, medical, genetic, or sociological researches, researches with underage subjects, or with subjects bearing/affected by diseases, etc.), where the research may present a high risk for the rights and freedom of the subjects involved, and where the data may need to be transferred to research partners and/or a third subject outside the EU.

1. Field of application
The policy outlined in this document is applied to all research projects at CIMeC, both when they are subject to evaluation by the ethical research committee of the university (from here on referred to as “CER”) and when they are not, but they still involve the treatment of personal data.
The objective is to abide by the norm where “the appointee presents the project to the university or research institution or scientific society, who then are responsible for the storage, as confidential information (since consulting the project is only possible in order to apply the regulation for data protection) for five years from the planned end of the research”.
At the start of the project, the data must be stored as follows:

- Digital format: all the documents related to the project and the research team that have been presented and approved by CER (evaluation request form, appendices, approval forms and subsequent modifications of the project)
- Hardcopy: all documents signed by the volunteers who took part in the research, which contain personal information (authorization to the report, consent form, information on the treatment of data for scientific purposes and consent form, information on the treatment of personal and particular data for scientific purposes and consent form).

2. Submission of the documents related to beginning projects
2.1 Research projects submitted to CER for approval
The research protocols are presented to CER in digital format. Communications and documents exchange between the Scientific Manager responsible for the project, the CER office, the CIMeC office are by email.
The documents related to the research protocol in the final version as approved by CER (evaluation request form and appendices) are signed electronically by the CIMeC director and the Scientific Manager and stored in digital format by the CIMeC office on the university server and in the dedicated IT system of CIMeC, where research projects and the booking of laboratories (CLARA) are managed, and access is reserved to authorised personnel.
Documents which have not been signed electronically must show a scanned holographic signature and the identity card of the people who have signed.

2.2 Research projects NOT submitted to CER for approval
The Scientific Manager for the research project must present the privacy form for the project and the related appendices (information on data treatment and consent) to the CIMeC office, who will be responsible for its storage for five years from the planned end of the project. The process for the signature and storage of the documents are the same as presented in the previous paragraph.

3. Storage of the documents related to privacy
For all projects (both submitted and not submitted to CER for approval), it is the Scientific Manager who must store the integral documentation on privacy until the end of the project (consent forms, etc.) with confidentiality and by adopting basic security measures for the treatment of data in research projects.
In order to facilitate this task, once a year (or more if necessary) the Scientific Manager must:
- Deposit the documentation on privacy (information, consents, etc.) at the CIMeC office, who will store it confidentially (according to the confidentiality agreement as well as the current regulation in terms of data protection and university instructions);
- Obtain any other documentation related to privacy from the other researchers involved in the project (doctoral students, etc.) before the end of their contract at CIMeC.
The documentation must be provided to the CIMeC office in a file labelled as follows:
- Title of the project
- Name of the Scientific Manager
- Start and end date of the project
together with the form provided in Appendix 1.

4.Submission and storage of the documentation at the end of the research project
At the end of the project, the Scientific Manager must submit the documentation on privacy to the CIMeC office according to the instructions above, who will store it in its archives for five years; the Scientific Manager will have to delete the personal data or make them anonymous.
At the end of the five years for the storage, the documentation will be moved to the archives of the university and maintained according to the regulations in terms of storage and disposal of archive documents.
The storage and potential disposal of the documents (according to regulations) is the task of the Office for Archive, Protocols and Postal Service of the university.

The documents stored in electronic format on the server and on CLARA are stored for the same duration as the hardcopy.
For further information, please consult INFOSERVZI (log on as UNITN user):
- Data protection (general): https://intranet.unitn.it/infoservizi/protezione-dei-dati-personali
- Guidelines (specific) for data protection in scientific research: https://intranet.unitn.it/infoservizi/attivita-di-ricerca-scientifica;
- Decree 30/09/2021 Compliance and instructions for the treatment of personal data: https://intranet.unitn.it/system/files/download/infoservizi-mobilita/5369/2-drsettembre2021adempimentiistruzioniprivacy.pdf