Skip to content

Module 1: Strategies for Handling Personal Data

This page is currently under construction

The training curriculum is currently undergoing final revisions and quality checks. All materials will be released shortly. Until the official release, please refrain from using, distributing, or implementing any part of these resources.

Learning Objectives

  • Learning Objective 1 (LO1): Identify personal data.
  • Learning Objective 2 (LO2): Recognise techniques for preserving privacy of individual data subjects.

Total Module Duration

2 hours

Learning Objective 1

LO1: Identify personal data.

Learning Activities

  • Lecture (30 mins): Define personal data in research, and explain the different types of personal data (directly identifiable and indirectly identifiable) and special categories of personal data. Also highlight what the General Data Protection Regulation (GDPR) states in relation to the right to protection of personal data (Resource 1).
  • Exercise (30 mins): The instructor can provide the learners with a semi blank list (Resource 4) and ask them to reflect on how some of this information can be combined with other data points to identify someone.

Materials to Prepare

  • Lecture introducing personal data in research.
  • List for exercise along with prompts to get learners thinking.

Instructor Notes

Lecture:

  • The lecture could start with a short interaction with the learners on what they think constitutes personal data, for instance: names, addresses, e-mail addresses, IP addresses. Resources 1–3 can be used as inspiration for some questions for this learning objective or Learning Objective 2 in this module.
  • Outline the definition of personal data: Resource 1 has a good definition that the instructor can use as a base.

Exercise:

  • The instructor can use Resource 4 or excerpts of Resource 5 to prepare an exercise where learners can discuss the different types of personal data and the how easy it is to overlook different kinds of personal data.
  • The purpose of the exercise is to deepen the learners understanding of personal data before moving to the next module where practical aspects of preserving personal data will be discussed.

Resources

Materials for creating the lecture slides:

  1. Course: GDPR 4 Data Support (English) | DANS. https://danstraining.moodlecloud.com/course/view.php?id=7. Accessed 22 Apr. 2025.
  2. Data Protection Quiz. https://www.urmconsulting.com/data-protection/data-protection-quiz. Accessed 22 Apr. 2025.
  3. Data Privacy Day Quiz. https://take.quiz-maker.com/QZMY1I9. Accessed 22 Apr. 2025.

Input for the exercise:

  1. "+200 Examples of Personal Data | RGPD.COM.". https://rgpd.com/basics/200-examples-of-personal-data/. Accessed 22 Apr. 2025.
  2. Case Studies - ODPA. https://www.odpa.gg/information-hub/books-podcasts-stories/stories/. Accessed 22 Apr. 2025.

Learning Objective 2

LO2: Recognise techniques for preserving privacy of individual data subjects.

Learning Activities

  • Lecture (30 mins): The lecture should contain information on the following topics: anonymisation versus pseudonymisation in research.
  • Case study (30 mins): Request the learners to discuss a real life research project and how personal data was handled and stored in this case. Alternatively the instructor could prepare a case study and ask learners to brainstorm about handling and storing personal data.

Materials to Prepare

  • Lecture on anonymisation versus pseudonymisation.
  • Case study on handling personal data (Resource 10 has some cases that can be used).

Instructor Notes

Lecture:

  • The goal of this module is to build a general awareness of the pros and cons of different strategies for mitigating the risk of exposing personal data, while still being able to utilise the data in research. The instructor can cover the following in the presentation:
    • Anonymisation and pseudonymisation of data and the associated risks: When is a dataset considered anonymous and the difference between anonymisation and pseudonymisation (Resources 1, 2). The instructor can also discuss misunderstandings of anonymisation (Resource 3). The risks of re-identification can be discussed.
    • If the instructor wants to go into more depth, then the following topics can be covered: Differential privacy in research, overview and privacy robustness assessment of different data storage systems, federated learning and its implications to personal data protection, secure multiparty computation. There are some additional resources provided in Resources for inspiration (Resources 5–10).
    • An additional topic that can be explored could be the different types of storage options, databases, file storage systems for handling sensitive data.
    • The instructor can also highlight the risk/fines for breach of GDPR (Resource 4) – the examples from the resource can also serve as good discussion points and examples of when personal data was not processed correctly.

Exercise:

  • The instructor should introduce a real life example to discuss how personal data should be processed. Resource 10 introduces various case studies that can be shared for discussion on processing personal data. Although the cases focus on the ethics, they can be used as a starting point for discussions around personal data.

Resources

Materials for creating the lecture slides:

  1. Course: GDPR 4 Data Support (English) | DANS. https://danstraining.moodlecloud.com/course/view.php?id=7. Accessed 22 Apr. 2025.
  2. UCL. "Anonymisation and Pseudonymisation." Data Protection, 24 Apr. 2019, https://www.ucl.ac.uk/data-protection/guidance-staff-students-and-researchers/practical-data-protection-guidance-notices/anonymisation-and.
  3. European Data Protection Supervisor, 10 Misunderstandings related to anonymisation, https://www.edps.europa.eu/system/files/2021-04/21-04-27_aepd-edps_anonymisation_en_5.pdf.
  4. [DPM. "20 Biggest GDPR Fines so Far 2025]." Data Privacy Manager, 3 Mar. 2025, https://dataprivacymanager.net/5-biggest-gdpr-fines-so-far-2020/.

Inspiration:

  1. Griet Verhennenman, How GDPR fosters pseudonymisation in academic research. The perspective of a university hospital DPO. https://www.edps.europa.eu/system/files/2021-12/06_griet_verhenneman_en.pdf.
  2. Erotokritou et al. (2024). Simplifying Differential Privacy for Non-Experts: The ENCRYPT Project Approach. ICCR London. https://doi.org/10.5281/zenodo.13960367.
  3. A Practical Beginners' Guide to Differential Privacy - CERIAS Security Seminar, Purdue University. https://www.youtube.com/watch?v=Gx13lgEudtU.
  4. Mollakuqe E, Hamdiu E, Fishekqiu NS et al. Comparison of cloud storage in terms of privacy and personal data - Sync, pCloud, IceDrive and Egnyte [version 1; peer review: awaiting peer review]. Open Res Europe 2024, 4:128. https://doi.org/10.12688/openreseurope.16631.1.
  5. European Data Protection Supervisor, Federated Learning. https://www.edps.europa.eu/press-publications/publications/techsonar/federated-learning_en.
  6. Zapechnikov 2022 Secure multi-party computations for privacy-preserving machine learning, Procedia Computer Science, (213)2022, 523-527, https://doi.org/10.1016/j.procs.2022.11.100.

Input for the exercise:

  1. UK Government Web Archive. https://webarchive.nationalarchives.gov.uk/ukgwa/20211223140711/https://esrc.ukri.org/funding/guidance-for-applicants/research-ethics/ethics-case-studies/. Accessed 22 Apr. 2025.