Laws and regulations on data management and FAIR data
Research integrity
ZonMw’s data management and FAIR data policy and instructions are in accordance with the Netherlands Code of Conduct for Research Integrity. This Code of Conduct is a joint initiative of the Royal Netherlands Academy of Arts and Sciences, the Netherlands Federation of University Medical Centres, the Dutch Research Council, TO2 (the federation of Dutch applied research institutes), the Netherlands Association of Universities of Applied Sciences and Universities of the Netherlands. It is about good research practices. To promote and safeguard these, institutions have a ‘duty of care’ to provide a suitable working environment.
-
Data management
Data management is one of the duties of care of an institution (chapter 4). This relates to data administration, storage, publication, dissemination and access. These are important preconditions to making data (and other research resources) reusable.
ZonMw’s instructions on data management and FAIR data are based on the assumption that in ZonMw-funded projects these preconditions are met and that researchers adhere to them in their work.
-
Retention period
The code does not prescribe a standard retention period but leaves it up to the discipline concerned: “Ensure that all data, software codes and research materials, published or unpublished, are managed and securely stored for the period appropriate to the discipline(s) and methodology concerned” (section 4.4, under 13).
Health-RI’s ELSI Servicedesk website has a page about the retention period of data and human tissue in scientific research: Wat is de bewaar- en opslagtermijn van gegevens en lichaamsmateriaal in het kader van wetenschappelijk onderzoek? (not available in English)
ZonMw may provide specific guidelines for individual programmes or projects.
-
Access to data
ZonMw’s policy and instructions on making available (and providing access to) data is supported by the Code of Conduct: “Ensure that, in accordance with the FAIR principles, data is open and accessible to the extent possible and remains confidential to the extent necessary” (section 4.4, under 14).
Dealing with personal data and human tissue responsibly
In biomedical and health research, a lot of – generally sensitive – data, images and human tissue of many subjects are processed. Patients and citizens participating in health research count on the safe and careful processing of their personal data and human tissue, in a manner that respects their rights and interests.
-
Legal framework
The Dutch version of the General Data Protection Regulation, the AVG, applies to personal data. Processing personal data is only allowed if there is a legal basis to do so. Health research involves special personal data . A legal basis that applies to this is that a research subject must expressly consent with the processing of their personal data.
-
Background to the legal framework
The AVG is leading in a legal sense. At the same time, in some respects the AVG leaves room for additional legislation. This legislation can be found in the Dutch GDPR Implementation Act (UAVG). Rules governing the confidential handling of medical data are laid down in the Medical Treatment Contracts Act (Wgbo). In addition, a law is being prepared on the administration of human tissue and medical-scientific research. The Code of Conduct jointly elaborates these.
-
Norms for handling personal data
COREON’s code of conduct on health research (2022) contains a number of concrete norms available to researchers for the handling of personal data and human tissue in health research. The Code of Conduct does not remove the many legal and legislative constraints relating to privacy in health research. COREON and Health-RI (see the programme for removing constraints; in Dutch obstakel-verwijder-traject) are working on possible ways to solve these issues.
Permission to process personal data
Research requires permission from the patients and/or citizens involved. The ELSI Servicedesk provides information on permission and objection procedures (in Dutch).
Measures to protect personal data
Protective measures are intended to prevent the leaking and/or abuse of personal data. This can be done by anonymising or pseudonymising sensitive personal data. The ELSI Servicedesk provides information on data protection (in Dutch).
Assessment by the Medical Ethics Review Board or the Central Committee on Research Involving Human Subjects
In medical-scientific research (including biomedical and health research), you may be required to have your study reviewed for compliance with the Medical Research Involving Human Subjects Act (WMO). The ELSI Servicedesk provides information on reviewing research (in Dutch) that is or is not subject to the WMO.
Ownership and collaboration
In the case of public-private partnerships, researchers must abide by ZonMw’s rules on co-financing and record agreements with partners in a collaboration agreement. Here you can find more information about what needs to be considered for data sharing and collaboration.
Embargo
ZonMw allows a three-month embargo period for sharing data, or providing access to data, for reasons such as a publication being in the works. In case a patent is being prepared, this period is allowed to last up to nine months.
- Information on cofinancing on the ZonMw website.
- Guidance on property rights (in Dutch).
For more information, please consult
- COREON’s code of conduct on health research (2022)
- The Dutch Data Protection Authority
- The Central Committee on Research Involving Human Subjects (in Dutch)
- Health-RI’s ELSI Servicedesk (in Dutch) for biomedical and health research
- The National Coordination Point Research Data Management (LCRDM), with practical information on the RDM advice and tips page.
- The tasks in the data life cycle of the RDM kit on sensitive data.
- International: Protection of personal data varies per country. Within the EU the differences are not that big, because all Member States subscribe to the EU General Data Protection Regulation (GDPR). The Dutch version of the GDPR, the AVG, is based on this. Other rules apply outside the EU. This means that passing on personal data from the EU, including the Netherlands, to a country outside the EU is only permitted if this country or the organisation involved guarantees sufficient protection.