CUREG 2.0

13. If I collect personal data as part of my research, what should I look out for?

Preamble:

The university law does not provide a legal basis for the processing of research data and therefore the Law on Public Information, Access to Documents, and Protection of Personal Data (LIPAD) applies to the activities of the university (and therefore to its employees). This cantonal law governs the processing of personal data, sensitive personal data, or the establishment of personality profiles in the context of a research project, except for research projects that fall within the scope of the Federal Act on Research involving Human Beings (HRA) and that are submitted to the Cantonal Research Ethical Committee (CCER).

Consequently, all research projects that do not fall within the scope of the HRA and that involve the collection of non-anonymous data are affected by the LIPAD.

Personal data is defined as any piece of information or group of information that allows for the unequivocal identification of a natural or legal person under private law, such as the identity, date of birth, postal address, e-mail address, etc.

Sensitive personal data and personality profiling are a specific category of personal data that require additional steps. For more details, please refer to the FAQ n° 15.

By processing, we mean (art. 4; letter e – LIPAD): “any operation relating to personal data – regardless of the means and procedures used – in particular the collection, storage, use, modification, communication, archiving or destruction of data.”

Thus, a certain number of principles must be respected, here we list the main ones:

  • Principle of proportionality (art. 36 LIPAD): you may only collect personal information that is useful for your purposes: for example, if you need the age but the exact date of birth (01.01.1962) is not useful, then you should not ask for it.

 

  • Purpose principle (art. 35 al. 1 LIPAD): you must tell your participants what information you want to collect about them and the purpose of its collection i.e., why you are collecting this information. This must be done at the time of collection of this information. You may use the data collected ONLY for the purposes originally stated to the participants.

 

  • Principle of security (art. 37 LIPAD): you are obliged to protect this information against any unlawful processing and to ensure its confidentiality by putting in place appropriate protective measures.

 

  • The principle of the right to forget (destruction of data – art. 40 LIPAD): as soon as this information is no longer necessary for your purposes, you must destroy For example, as soon as the name or contact information of a person is no longer useful, this information must be deleted from your files, notes, documents, etc.

 

Since November 16, 2021, it is no longer necessary to declare files containing personal data to the cantonal Data Protection and Transparency Officer (PPDT). Thanks to the actions taken by UNIGE’s DPO[1] in consultation with UNIGE’s legal affairs department and the CUREG, a generic declaration of files to the catalogue from the cantonal authority is now sufficient for all research projects evaluated by the CUREG and in which personal data are processed. The PPDT has agreed given that the controls relating to the processing of personal data in a research context carried out by the CUREG and the DPO are well supervised.

[1] Alain Jacot-Descombes was appointed as UNIGE’s Data Protection Officer (DPO) in April 2021.