Data Protection in Teaching and Research
What data protection rules apply to the collection and processing of personal data for research purposes (including for student projects)?
Research projects often rely on the collection and analysis of extensive data. It is not always obvious that personal data will be processed and certain data protection rules must be followed (such as informed consent). You can find more information in the “Legal grounds for data processing” below.
An ethics self-assessment can clarify whether your research project requires approval from the University Ethics Committee (UEK) or the Ethics Committee of Northwest and Central Switzerland (EKNZ). However, a simple review of compliance with data protection regulations may be sufficient (data protection review).
You can also find more information below about the various agreements needed for transfer and/or use of personal data and/or (biological) material (>commissioned data processing).
The Data Protection Officer's team will support and advise you in complying with data protection regulations for research projects.
Contact: datenschutz@unibas.ch
-
Legal Grounds for Data Processing
The processing (i.e. collection, storage, disclosure, deletion, etc.) of personal data by the university as a public institution requires either a direct legal basis (e.g. Sec. 7 Student Regulations, Sec. 42 Staff Regulations) or the legal assignment of a task to the university which can only be performed by processing personal data (called an indirect legal basis, such as a research contract, Sec. 1 University Statutes).
Consent is not sufficient for the university to process personal data. However, consent is required when the legal basis permits processing in general, but not the processing of specific data referring to an individual person (see informed consent). A template for the information sheet and informed consent form can be found on the website of the University Ethics Committee.
In addition, data may only be processed for a specific purpose, the processing must be proportionate (e.g. appropriate, necessary for the specific purpose, and reasonable for the data subject) and the principles of data minimization and transparency must be followed (for more information, see informed consent). Projects involving vulnerable persons (e.g. children) or in special settings (e.g. anonymous data collection) are subject to additional rules.The processing (i.e. collection, storage, disclosure, deletion, etc.) of personal data by the university as a public institution requires either a direct legal basis (e.g. Sec. 7 Student Regulations, Sec. 42 Staff Regulations) or the legal assignment of a task to the university which can only be performed by processing personal data (called an indirect legal basis, such as a research contract, Sec. 1 University Statutes).
Consent is not sufficient for the university to process personal data. However, consent is required when the legal basis permits processing in general, but not the processing of specific data referring to an individual person (see informed consent). A template for the information sheet and informed consent form can be found on the website of the University Ethics Committee.
In addition, data may only be processed for a specific purpose, the processing must be proportionate (e.g. appropriate, necessary for the specific purpose, and reasonable for the data subject) and the principles of data minimization and transparency must be followed (for more information, see informed consent). Projects involving vulnerable persons (e.g. children) or in special settings (e.g. anonymous data collection) are subject to additional rules.Links & Downloads
- Factsheet Informed Consent (PDF, 167 KB)
- Factsheet Anonymous Data Collection (PDF, 176 KB)
- Factsheet Consent Research Projects Involving Children (PDF, 455 KB)
- Template Information Sheet & Informed Consent (DOCX, 44 KB)
- Student Regulations (PDF, 279 KB)
- Staff Regulations (PDF, 229 KB)
- University Statutes (PDF, 113 KB)
-
Data Protection Review
The purpose of a data protection review is to identify potential risks before the collection and processing of personal data and to minimize them where possible.
In university life, data protection reviews particularly come into play before research projects and before the introduction of new digital services for teaching, research, or administration. The primary goal of these reviews is to determine whether the nature of the data or the processing of the data entails a high risk to the rights and freedoms of the data subject.
You can learn more on the data protection reviews web page.The purpose of a data protection review is to identify potential risks before the collection and processing of personal data and to minimize them where possible.
In university life, data protection reviews particularly come into play before research projects and before the introduction of new digital services for teaching, research, or administration. The primary goal of these reviews is to determine whether the nature of the data or the processing of the data entails a high risk to the rights and freedoms of the data subject.
You can learn more on the data protection reviews web page. -
Commissioned Data Processing
The University of Basel is responsible for personal data processing in teaching, research, and administration (aka the “data controller” or “controller”).
As a rule, third parties external to the university may be commissioned for this purpose (called “data processors” or “processors”). However, the university remains responsible for the data processing and must safeguard the data by means of a commissioned data processing contract (CDPC).
The University may conversely be the data processor for another controller; in this case, it will be bound by a CDPC.
Commissioned data processing may consist of e.g., use of a cloud, IT support from an external provider, use of transcription software, or data collection by an external market research institute.
In research, the exchange of (health-related) data and (biological) material between university and other institutions is also regulated by contractual agreements (see in this respect e.g. Unitectra, SPHN or the GrantsOffice).
Due to the complexity of some collaborations and the diversity of the situations in question, specific advice and an individual contract should be obtained for each case.
Please contact the Data Protection Officer's team by email: datenschutz@unibas.chThe University of Basel is responsible for personal data processing in teaching, research, and administration (aka the “data controller” or “controller”).
As a rule, third parties external to the university may be commissioned for this purpose (called “data processors” or “processors”). However, the university remains responsible for the data processing and must safeguard the data by means of a commissioned data processing contract (CDPC).
The University may conversely be the data processor for another controller; in this case, it will be bound by a CDPC.
Commissioned data processing may consist of e.g., use of a cloud, IT support from an external provider, use of transcription software, or data collection by an external market research institute.
In research, the exchange of (health-related) data and (biological) material between university and other institutions is also regulated by contractual agreements (see in this respect e.g. Unitectra, SPHN or the GrantsOffice).
Due to the complexity of some collaborations and the diversity of the situations in question, specific advice and an individual contract should be obtained for each case.
Please contact the Data Protection Officer's team by email: datenschutz@unibas.ch -
University Ethics Committee (UEK)
The University Ethics Committee (UEK) is a standing committee of the Senate with the mandate to ensure that the principles of ethical research are followed at the University of Basel.
At the request of researchers, the UEK assesses whether research proposals at the University of Basel are ethical, with the exception of research projects that fall under the scope of the Swiss Federal Human Research Act and must be approved by the Ethics Committee of Northwest and Central Switzerland (EKNZ).
An ethics self-assessment can help you clarify whether your project requires the approval of the University Ethics Committee (UEK), the Ethics Committee of Northwest and Central Switzerland (EKNZ), or whether a review of compliance with data protection regulations by the Data Protection Officer is sufficient ( data protection review).The University Ethics Committee (UEK) is a standing committee of the Senate with the mandate to ensure that the principles of ethical research are followed at the University of Basel.
At the request of researchers, the UEK assesses whether research proposals at the University of Basel are ethical, with the exception of research projects that fall under the scope of the Swiss Federal Human Research Act and must be approved by the Ethics Committee of Northwest and Central Switzerland (EKNZ).
An ethics self-assessment can help you clarify whether your project requires the approval of the University Ethics Committee (UEK), the Ethics Committee of Northwest and Central Switzerland (EKNZ), or whether a review of compliance with data protection regulations by the Data Protection Officer is sufficient ( data protection review). -
Data Protection Statement for Websites & Forms
For Websites
Anyone who operates a website collects and processes personal data belonging to the site's visitors. For this reason, a website always requires a data protection statement which transparently discloses which personal data is processed, for what purpose, for how long, and by whom (e.g., hosting provider, web analytics services, etc.). The data protection statement must advise the website's visitors of their rights, such as the right to information about the collected data and the right to revoke any consent given.
The data protection officer will assist in drafting the data protection statement; contact the team by e-mail.
For Forms
In addition to the automatic data (log files) collected by every website, additional personal data may be collected by web forms such as contact or registration forms for newsletters or events. If you use such web forms, even only temporarily, you need an additional data protection notice. Please refer to the information sheet available for download.
If you have questions, you can contact the Data Protection Officer's team by email at any time.For Websites
Anyone who operates a website collects and processes personal data belonging to the site's visitors. For this reason, a website always requires a data protection statement which transparently discloses which personal data is processed, for what purpose, for how long, and by whom (e.g., hosting provider, web analytics services, etc.). The data protection statement must advise the website's visitors of their rights, such as the right to information about the collected data and the right to revoke any consent given.
The data protection officer will assist in drafting the data protection statement; contact the team by e-mail.
For Forms
In addition to the automatic data (log files) collected by every website, additional personal data may be collected by web forms such as contact or registration forms for newsletters or events. If you use such web forms, even only temporarily, you need an additional data protection notice. Please refer to the information sheet available for download.
If you have questions, you can contact the Data Protection Officer's team by email at any time.Links & Downloads