10 Jun How Aeon Protects Your Personal Data
Privacy can mean different things in different contexts and cultures. It is therefore important to detail the purpose of the research according to the different understandings of privacy.
In 2017, the Supreme Court of India pronounced a landmark judgement declaring the right to privacy as a fundamental right under the framework of the right to life (Article 21) as per our Constitution.
Even though India recognizes the right to privacy within its constitution and there have been some amendments to the Information Technology Act (2000) that provide protections for the mishandling of personal information, there is no unified privacy law in place today.
We at Aeon, choose to go above and beyond to protect your privacy, regardless of if it is required by law or not.
For example, in ‘covert research’ researchers should take into account the meanings of public and private in the contexts they are studying. Covert observation should only proceed if researchers can demonstrate clear benefits of the research, when no other research approach seems possible and when it is reasonably certain that no one will be harmed or suffer as a result of the observation.
Data protection aims at guaranteeing the individual’s right to privacy. It refers to the technical and legal framework designed to ensure that personal data are safe from unforeseen, unintended or malevolent use.
Data protection, therefore, includes data collection, access to data, communication and conservation of data. In addition, a data protection strategy can also include measures to assure the accuracy of the data.
In the context of research, privacy issues arise whenever data relating to persons are collected and stored, in digital form or otherwise. The main challenge for research is to use and share the data and at the same time protect personal privacy.
We at Aeon take numerous steps to keep all data collected safe and secure. Data is our bread and butter and we understand the value and importance of each data point. We see your address or contact information as more than just data points.
When we are processing personal data, we do the following:
- 1. Plan what data we need
We understand the objectives of our studies both now and in the future. Thinking about what data we need and also what data we do not need. Thinking of how we can design the study in a way that your data is least identifiable while still accomplishing the study objectives. These data minimization and privacy by default principles are the core principles of Aeons Data collection policy.
- 2. Plan the entire life cycle of personal data processing
We plan the entire life cycle of personal data processing (e.g. collecting, storing, usage, research cooperation, further research, archiving, deletion) before you begin to collect or otherwise process any personal data. We use a DMP (Data Management Planning) checklist. Data management planning is one of the key processes in planning your research. A DMP should be considered a ‘living’ document – it is ideally created before or at the start of a research project, but updated when necessary as the project progresses. Planning for data management is therefore not a one-off event, but a process. The plan is a reference document for everyone working on the project – we make sure that we follow and revise it during our work, and when finishing a project.
DMP questions
- How the project proposes to collect data and use existing data
- How the project follows FAIR principles (findable, accessible, interoperable and reusable)
- The methodologies and standards that will be applied
- How the data will be curated and preserved
- The ownership and user rights of the data used or produced by the project
- How the data produced will be open for use by other researchers during the project and after its conclusion
- Research ethics and information security
- Costs of managing data.
Informed consent of human subjects to research is an essential part of data management. The appropriate anonymisation of personal information enables the opening of otherwise confidential research data. Make sure to prepare a description of the registration of personal information.
- 3. Take care of data security
We ensure adequate security measures and use only secure information systems throughout the entire process of the study.
- 4. Conduct a sensitive data assessment when needed
An assessment must be done if the planned personal data processing is likely to pose a substantial risk to research participants. This situation is likely to occur when you process large amounts of data or when you process personal data of the children or other sensitive personal data.
- 5. Define the legal basis for processing personal data (Consent forms)
We only process personal data if we have a legal basis.The choice of the legal basis is important because it affects your obligations and possibilities in the research. If you choose “consent” as the legal basis for processing, you must enable the participants to revoke the consent and you must be able to remove the personal data if the data subject requests this.
When consent is on a legal basis, we use a consent form that is filled out by the participants. We draft this consent form in a language that the common public can easily understand. We make sure that there is no conflicting information in the planned study documents and the consent forms.
- 6. Inform data subjects about changes and update documentation
Personal data may only be processed for the purposes, which have been informed to the research participant before the beginning of the processing (by Privacy notice templates). If you need to process personal data for other purposes, you must inform the research participants of these new purposes and update all documents before processing.
- 7. Anonymize data before archiving or publishing
Anonymised data is no longer personal data. We anonymise personal data to irreversibly prevent identification. In doing so, several elements are taken into account by data controllers, having regard to all the means “likely reasonably” to be used for identification.
If we wish to collect and reuse personal data that is not wholly anonymized, for example, interviews from professional experts in a certain field, we make sure to get full consent before we start collecting information, so that research participants can make fully informed decisions. We consider the use of pseudonymised data as personal data and allowing only restricted access is used as a measure to archive the data.
- 8. Storage period of personal data
We inform research participants about the storage period of their data primarily as an explicit time. If this is not possible, research participants are informed about the criteria according to which the storage period is determined.
Defining the storage period in a general way, i.e. that the personal data are stored for as long as needed to complete the purpose for processing, is not sufficient. Consequently, determining that personal data are stored for the duration of the research project, without defining any further criteria for the storage period, is avoided, if possible. Depending on the details of the research, separate storage periods may be needed for different categories of personal data. Additionally, if the research includes multiple purposes for processing personal data, it is appropriate to indicate separate storage periods for different purposes.
Aeon considers your data sacred and treats it as such. We respect each individual’s right to privacy when we collect and process data for our research.
Contact us for personalised research services.