Data Protection in Teaching and Research
What data protection rules apply to the collection and processing of personal data for research purposes (including for student projects)?
Legal Grounds for Data Processing
The processing (i.e. collection, storage, disclosure, deletion, etc.) of personal data by the university as a public institution requires either a direct legal basis (e.g. Sec. 7 Student Regulations, Sec. 42 Staff Regulations) or the legal assignment of a task to the university which can only be performed by processing personal data (called an indirect legal basis, such as a research contract, Sec. 1 University Statutes).
Consent is not sufficient for the university to process personal data. However, consent is required when the legal basis permits processing in general, but not the processing of specific data referring to an individual person (see informed consent).
In addition, data may only be processed for a specific purpose, the processing must be proportionate (e.g. appropriate, necessary for the specific purpose, and reasonable for the data subject) and the principles of data minimization and transparency must be followed (for more information, see informed consent). Projects involving vulnerable persons (e.g. children) or in special settings (e.g. anonymous data collection) are subject to additional rules.
Data Protection Review
The purpose of a data protection review is to identify potential risks before the collection and processing of personal data and to minimize them where possible.
In university life, data protection reviews particularly come into play before research projects and before the introduction of new digital services for teaching, research, or administration. The primary goal of these reviews is to determine whether the nature of the data or the processing of the data entails a high risk to the rights and freedoms of the data subject.
If the risk remains high despite the implementation of protection measures, if the data is being processed using new technologies, or if a very large number of people are affected (> 10,000), the project must be submitted to the canton's data protection officer for a prior consultation.
You can learn more on the data protection reviews web page.
Commissioned Data Processing
As the “data controller” (or “controller”), the University of Basel is responsible for personal data processing in teaching, research, and administration.
As a rule, third parties external to the university may be commissioned for this purpose (called “data processors” or “processors”). However, the university remains responsible for the data processing and must safeguard the data by means of a commissioned data processing contract (CDPC).
The University may conversely be the data processor for another controller; in this case, it will be bound by a CDPC.
Commissioned data processing may consist of, e.g., use of a cloud, IT support from an external provider, use of transcription software, or data collection by an external market research institute.
In research, the exchange of (health-related) data and (biological) material between the university and other institutions is also regulated by contractual agreements (see in this respect e.g. Unitectra, SPHN or the GrantsOffice).
Due to the complexity of some collaborations and the diversity of the situations in question, specific advice and an individual contract should be obtained for each case.
Please contact the Data Protection Officer's team by email: firstname.lastname@example.org
University Ethics Committee (UEK)
The University Ethics Committee (UEK) is a standing committee of the Senate with the mandate to ensure that the principles of ethical research are followed at the University of Basel.
At the request of researchers, the UEK assesses whether research proposals at the University of Basel are ethical, with the exception of research projects that fall under the scope of the Swiss Federal Human Research Act and must be approved by the Ethics Committee of Northwest and Central Switzerland (EKNZ).
An ethics self-assessment can help you clarify whether your project requires the approval of the University Ethics Committee (UEK) or the Ethics Committee of Northwest and Central Switzerland (EKNZ), or whether a review of compliance with data protection regulations by the Data Protection Officer (data protection review) is sufficient.
Data Protection Statement for Websites & Forms
Anyone who operates a website collects and processes personal data belonging to the site's visitors. For this reason, a website always requires a data protection statement which transparently discloses which personal data is processed, for what purpose, for how long, and by whom (e.g., hosting provider, web analytics services, etc.). The data protection statement must advise the website's visitors of their rights, such as the right to information about the collected data and the right to revoke any consent given.
The data protection officer will assist in drafting the data protection statement; contact the team by e-mail.
In addition to the automatic data (log files) collected by every website, additional personal data may be collected by web forms such as contact or registration forms for newsletters or events. If you use such web forms, even only temporarily, you need an additional data protection notice. Please refer to the information sheet available for download.
If you have questions, you can contact the Data Protection Officer's team by email at any time.