“Personal data” is defined as any information that relates to an identified or identifiable living individual. To determine whether a person is identifiable one must consider the foreseeable technological evolution and the possible combination with other data by the investigator or third parties. That includes both identifying data (first and last names, home address, etc.) and any other type of data that, on its own or combined with other types of data, can be used to identify persons (images; voice recordings; physiological, economic, cultural, social data, etc.).
When processing personal data, researchers must comply with the European General Data Protection Regulation (GDPR) and with the applicable national legislation. Among other aspects, GDPR requires that researchers collect and process only the amount and types of data necessary to carry out their research project; that participants are informed about the way their data will be processed and about their rights; or that appropriate security measures are established to avoid data leaks or unauthorized access to data.
Personal data revealing a natural person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data, or data concerning health, a person’s sex life, or sexual orientation are considered special categories of data.
More legal constraints apply when processing special categories of personal data. Thus, special categories of personal data should not be processed unless indispensable and stricter security measures have to be implemented.
Even if you do not save participants’ names or contact information, if the data you collect, alone or in combination with other data sources, may still allow you or others to identify the participants, then you are processing personal data.
Please note that, even if it is determined that a dataset does not contain personal data at a point in time, that may change later due to the increasing amount of information accessible through the Internet and the expanding capabilities of new algorithms such as AI.
Anonymization is a process that completely removes the possibility of identifying participants. After anonymization, it is impossible to determine to whom the data refers.
Pseudonymization, by contrast, is a reversible process. Typically, a numeric or alphanumeric code is assigned to each participant, and a key linking the codes to the identifying data is stored separately. The pseudonymized dataset must not contain identifying data, but the identities of the participants can be easily recovered by combining the experimental dataset with the key file, which must be stored under higher security measures in order to reduce the risks associated with processing the pseudonymized dataset.
For biomedical or clinical research projects, contact CEIm. For research projects involving animals, contact CEEA-PRBB. Furthermore, CIREP does not review projects that have already been completed or are underway.
CIREP does not review research projects retroactively. Therefore, you must apply for review before your project begins (that is, before the new data collection and/or the processing of secondary data begin). The meeting calendar and tentative submission dates in order for your application to be considered at a given meeting are listed here.
PhD students are not required to apply for ethical approval. However, they can apply if they know that they will need ethical clearance to publish their research project or to ensure that their methods follow appropriate ethical guidelines in their research area.
If they choose to submit an application to CIREP, students should work closely with their advisors to prepare the required documentation, and it is the advisor who should sign the application. Please note that PhD thesis may not need to be reviewed if they are part of a larger project that obtained ethical clearance previously.
In case of collaborative projects not led by UPF, CIREP can waive the review requirement if the lead partner has already obtained approval from their institution’s ethics committee and the UPF researchers commit to follow the established protocol. To obtain a review waiver letter, email [email protected]
Ideally, the review process should take around six or seven weeks from application registration to approval. However, the duration is affected by a variety of factors. You can find a tentative timeline and more information here.
The integrated review includes requests and/or recommendations that you need to address before your application can be approved. You should modify your application materials as requested by the Committee. We ask that you use a different font color or the track changes function to indicate the changes that you introduce. Additionally, you should include responses to the requests in the integrated review document. The requests are justified and stated clearly. However, if you have any doubts, you can contact us at [email protected] for clarification.
Revised applications are typically reviewed within one week upon receipt. If all the points raised by the Committee have been addressed satisfactorily, the project is approved. In some cases, the revised application needs to be discussed by the whole Committee in a meeting and/or other rounds of revisions may be necessary.
You will receive notifications when your application is received and registered and when an integrated review is ready for you. To inquire about the status of your application during the review process, you can email us at [email protected]
At the end of the review process you will receive a certificate of ethics clearance issued by CIREP. If your project involves personal data processing, you will also receive a certificate of compliance with applicable data protection regulations signed by UPF’s Data Protection officer.
Obtaining consent from participants is a basic principle of research ethics. As a general rule, you should always seek and document consent from those people who will contribute to your studies. Consent can only be waived in very exceptional cases.
The use of social media data poses certain challenges from an ethics perspective. While it may appear to be publicly available, social media data is created by and belongs to real individual persons who could be harmed by being unknowingly included in a study. In addition, the fact that some people choose to make their social media accounts public does not give researchers a free hand in using their data. Users’ reasonable expectations of privacy should be considered. In addition, one should consult the platform’s terms and conditions to verify that the research plans do not violate them.
As a general rule, you should always seek consent from those people who will contribute to your studies. If there are important obstacles that prevent you from obtaining consent, please contact us at [email protected] before you prepare your application.
When the participants recruited for the research project are unable to consent (be it due to their age or other characteristics or circumstances), consent from their parents or legal guardians must be obtained. Note that researchers are responsible for ensuring that they obtain the assent of those participants who lack the capacity to provide consent.
People between 14 and 17 years old can legally provide consent to having their personal data processed, but it is recommended that both their consent and their parents or legal guardians’ are obtained.
If you need to introduce changes to a protocol approved by CIREP, please notify the Committee at [email protected] by resubmitting the approved documents with the changes you would like to introduce clearly marked. You should notify your intention to introduce changes before you actually implement them.