
FAQs for FGB Researchers about Research Data Management, Privacy and Security


The following is a list of frequently asked questions from FGB researchers on the topics of research data management (RDM), privacy (in particular, with regards to the European General Data Protection Regulation (GDPR)) and security requirements at the faculty and the VU. This list will be updated as regularly as possible as new developments are made, as new tools become available or as policies, guidelines, and other rules change.

General FAQ
What do I need to prepare before starting my research?

You can find information on what to prepare prior to starting your research on this VUweb page.

The following FAQs also offer answers to many of the questions that come up prior to starting your research:

In terms of priority, you should first determine which concerns will add to the costs of your research so that you can properly calculate how much funding you require from your grant provider. In addition to data storage costs, there may also be costs when hiring a third party software provider or when receiving in-house technical support from the faculty's Technical Support department. You should also start the processes related to setting up contracts or getting privacy/security support as early as possible in your planning as these steps can take quite some time.



What's the difference between privacy and security?

Basically, privacy is about the rights of and risks for your research participants. It doesn't matter whether data was directly collected from research participants or indirectly obtained from another institution; if data are about individual people and the data are not anonymous, then it is necessary to protect the data. (For more information on what is and isn't anonymous data, see the question The GDPR only applies to personal data, but my data are anonymous. Why do I have to worry about the GDPR?).

Security has more to do with the risks for FGB and VU Amsterdam. Privacy plays a role in this. If we don't sufficiently protect the privacy of research participants, it can damage our institution's reputation, which could make it more difficult to recruit participants in the future. Good security keeps information confidential when personal information needs to be kept private or when information needs to be kept secret for other reasons. Good security also helps to minimize the risks that could arise from the loss or corruption of your data.



How can I meet the FAIR principles/Open Data requirements if my data are subject to the GDPR?

FAIR data and open data are not the same thing. It is also not a requirement of the FAIR principles that data be openly and publicly accessible to everyone in the world. If the GDPR applies to your data, it won't be possible to make the data 100% publicly accessible, but the data can still be made FAIR. Oftentimes, you can openly publish the documentation and metadata about your data; by doing so you make your data more FAIR without making the data themselves publicly available.

Documentation and metadata that you can publish (as long as there isn't any confidential information present) to improve the FAIR-ness of your data include:

  • Information describing the data, where they have been archived and how they may be accessed. This information can be published via YODA, PURE or OSF.
  • Other documentation about the data, such as the README file or the codebook(s) used to interpret the datasets
  • Scripts, software or code that were used to process and analyse the data
    • Make sure to remove any absolute directory paths (e.g. "/home/myresearch/data/analysis/") in the code you share publicly as this information can be a security risk
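As an added illustration (not part of the original FAQ and not a VU or FGB tool), the following Python script checks a folder of analysis scripts for absolute directory paths of the kind mentioned above before they are shared. The path prefixes it looks for (/home, /Users, C:\ and so on) and the list of script file extensions are assumptions that can be extended; the sample script it scans is constructed for the example.

```python
import re
import sys
from pathlib import Path

# Two families of absolute path that commonly leak into shared analysis code:
#   - POSIX home/mount/data directories, e.g. /home/myresearch/data/analysis/
#   - Windows drive paths, e.g. C:\Users\jdoe\Desktop\results.csv
# The look-behinds stop "/home/..." inside a URL (https://host/home/x) and the
# "s://" of a URL scheme from being reported as paths.
ABS_PATH_RE = re.compile(
    r"(?<![\w.])/(?:home|Users|mnt|media|data|scratch|tmp|srv|opt|var)/[^\s\"')]+"
    r"|(?<!\w)[A-Za-z]:[\\/][^\s\"')]+"
)

# File types typically found in an analysis folder (assumption: extend as needed).
SCRIPT_SUFFIXES = {".py", ".r", ".R", ".Rmd", ".do", ".sps", ".m", ".sh", ".ipynb"}


def find_absolute_paths(source: str):
    """Return (line_number, path) for every absolute path found in script text."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in ABS_PATH_RE.finditer(line):
            hits.append((lineno, match.group(0)))
    return hits


def scan_directory(root):
    """Map each script under `root` that contains absolute paths to its findings."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in SCRIPT_SUFFIXES:
            hits = find_absolute_paths(path.read_text(errors="replace"))
            if hits:
                findings[str(path)] = hits
    return findings


# Constructed sample script: the kind of thing that ends up in a shared repository.
SAMPLE_SCRIPT = r'''import pandas as pd
# load the cleaned data (constructed example, not a real path)
df = pd.read_csv("/home/myresearch/data/analysis/raw.csv")
out = "C:\Users\jdoe\Desktop\results.csv"
url = "https://osf.io/home/project"
df.to_csv(out)'''


if __name__ == "__main__":
    # Usage: python check_paths.py <folder>; without an argument the sample is scanned.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = scan_directory(target) if target else {"<sample>": find_absolute_paths(SAMPLE_SCRIPT)}
    for filename, hits in results.items():
        for lineno, path in hits:
            print(f"{filename}:{lineno}: absolute path {path!r}; use a relative or configurable path instead")
```

A path that is reported can usually be replaced by a path relative to the script's own folder or by a setting read from a small configuration file that is not published; the URL on line 5 of the sample is deliberately not reported, since web addresses are not a local directory structure.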

It's important to be aware that data that are subject to the GDPR must be archived on a VU archive. You shouldn't aim to meet the FAIR principles by storing this kind of data on an external archive. There are ways to manage access to the data even when they are stored on a VU archive. This is discussed further in the question What are the FAIR principles? How can I apply them in my work at the VU?

For further information on the FAIR principles and how to apply them, see the question What are the FAIR principles? How can I apply them in my work at the VU?.

Research Data Management FAQ


Data Management Plans
I need to write a data management plan (DMP) to get funding for my research. How can I do this?

The VU provides a tool called DMPonline, which includes various funder templates as well as a VU specific template that has been approved by NWO and ZonMw. If you wish to use the VU DMP template in DMPonline, click on the "Create Plan" button, and then under "Select the primary funding organisation" check the tick box that says "No funder associated with this plan". This will cause the VU DMP template to appear.

If you need advice on your DMP, you can contact the FGB Research Data Stewards via the e-mail research.data.fgb@vu.nl.



I'm writing a data management plan (DMP) and the template is asking about which metadata standards, metadata schema, ontologies, terminologies and controlled vocabulary I will use. What does this mean?

Metadata are data about data, and there are both discipline-specific and generic metadata. Generic metadata, or project-level metadata, provide details about what information your data contain, where and when the data were created, and by whom the data were collected/created, as well as information for a reuser of the data about what the terms of use are and how that reuser can get access to the data. Discipline-specific or data-level metadata provide additional information that is specific and relevant to certain types of data and disciplines. Whether you use metadata standards (also known as metadata schema) or not, you will create metadata in your research: any codebooks, cleaning and analysis scripts, and other documentation about your research are all metadata. However, by using internationally recognized metadata standards for your research, you will ensure that you record and report sufficient information so that others can readily find your data, determine if they are allowed to access your data, and, ultimately, understand how to use your data.

For the purposes of your DMP, it is generally sufficient just to report which generic metadata standard you will use to describe your data and research project. CERIF, DataCite and Dublin Core are all good metadata standards that are frequently used to create generic metadata. Because it's VU policy to register all archived datasets in PURE, which uses CERIF, you can report in your DMP that you will use, at a minimum, the CERIF metadata standard. If you plan to archive your data in a trusted repository, the repository may require that you use a specific metadata standard, which you can also report in the DMP. Additionally, if your research involves surveys, you can report in your DMP that you'll use the discipline-specific Data Documentation Initiative (DDI) metadata standard.

If you look up information about metadata standards, you will see a lot of information about machine-readable formats. These formatted metadata are usually created when you fill in a form about your data. For example, when you register your dataset in PURE, structured CERIF metadata is created behind the scenes. That means for your generic metadata, the most important thing you should do is find out what information you will need to report for a certain metadata standard and record that information during your research, even in a simple text file. Then you will have that information on hand when you need to report it later on. For more information on recording metadata, including templates for making your own machine-readable metadata, see this page from the CESSDA Research Data Management tutorial. For your discipline-specific metadata, if you have structured data and are using a codebook to describe all of your variables, you can try making a DDI codebook which can be read by both people and machines.

In addition to metadata standards, you may be asked in your DMP about what ontologies, terminologies and/or controlled vocabularies you will use. There is a lot of overlap between these topics and metadata standards, and some of the concepts are quite complex. Ontologies have more to do with taking the information reported in a metadata standard and making that information understandable to machines. Most of the work happens behind the scenes, so unless you are being explicitly asked to figure out ontologies, don't worry too much about that concept. What you can report in your DMP are any standards for terminology or controlled vocabulary you plan to use. You may already apply the concept of controlled vocabularies in your research, e.g. in a survey where only a specific set of answers is allowed for questions about ethnicity, highest level of education or language proficiency. Something that will make your data more understandable to others is if you aim to use terminology and controlled vocabularies that are (inter)nationally agreed upon and well recognized in your discipline, rather than generating new vocabularies and terminology just for your research.



Data Management Software
I want to use Castor/I'm already using Castor for data collection. Where can I find more information on how to use it?

Castor EDC is a software tool that can be used to create data entry forms and manage databases. It is available for use by FGB researchers, but in order to use it properly at FGB, you must review the Castor "Spelregels".



Storage and Archiving
How much does data storage at the VU cost?

Storage costs vary depending on which storage option you use. You will also need to determine the costs of storage during and after your research. You can get the most up-to-date information on storage costs on this page by selecting the storage solution you plan to use. A pop-up window will show you the costs. You can also find information on costs of storage solutions managed by the VU NeRDS program on this page. Note that grant providers don't usually cover the costs of storage after research (a.k.a. archiving); however, the VU NeRDS program subsidizes the costs of archiving in YODA (this cost model is described here). Archiving up to 500 GB of data will be covered by the VU; anything above this amount should be billed to your department.



How can I meet my archiving requirements?

You can find information on how to meet your archiving requirements on this page summarizing the FGB Archiving Guidelines.



Where should I archive paper documents from my research (e.g. paper informed consent forms, questionnaires etc.)? And can I destroy the original paper copies if I make a scanned copy of the information?

Every department has a paper archive and you can contact your department's secretaries to make use of these archives for your paper data.

The original paper copies should not be destroyed after the information has been digitized. Further explanation can be found in the FGB Archiving Guidelines.



Open Science and the FAIR Principles
What are the FAIR principles? How can I apply them in my work at the VU?

The FAIR principles were developed to give structure and guidance in how to achieve good data management, especially for data that will be reused in the future (by you, your research team, or other third parties). There is no requirement that FAIR data be made publicly available, a.k.a. open. Additionally, just because a dataset is openly available, doesn't mean that it is FAIR. There are many datasets publicly available right now that are not reusable because there is insufficient documentation about the data to be able to fully understand, interpret and use that data.

The F in FAIR refers to findable data. This means that an individual can find the right dataset for their needs and purposes. VU researchers can improve the findability of their data by publishing metadata about their data on YODA or OSF, or by registering their data in PURE. It is a requirement at VU Amsterdam that all archived data be registered in PURE. If you publish metadata on OSF, this information will be imported into PURE automatically. It is not currently possible for metadata in YODA to be imported to PURE so you will need to register this information separately in PURE. It is imperative that data be registered in PURE so that VU Amsterdam can better monitor and report on data production activities at our institution.
Another consideration for findability that isn't specifically discussed by the FAIR principles, is to strive to make your data findable to you and your research team by using logical folder structures and file naming conventions for your datasets, scripts and documentation. This data management tutorial provides many useful tips for how to organize your work, name your files and structure your folders.

The A in FAIR refers to accessible data. This term leads to a lot of confusion, but it does NOT mean that your data must be publicly accessible. It means that there needs to be clear documentation regarding how the data can be accessed, if appropriate. If the GDPR applies to your data (which is the case for most data in the faculty), access to the data should only be given upon request. There are several things you will need to address when planning to manage access to the data:

  • You'll need to make participants aware that data may need to be shared for verification purposes after the data have been used in a research article
  • You'll need to obtain consent from participants to the sharing and reuse of their data for new research purposes. They'll need to be sufficiently informed about:
    • What those new research purposes may be
    • The kinds of third parties the data may be shared with
    • Whether the data will leave the EU/EEA
    • How the data will be protected when shared with others
    You can get help with these issues by contacting the FGB Privacy Champions.
  • You'll need to plan how to manage ongoing access to the data. You should document these plans, for example in your data management plan, and ensure that this documentation is findable well into the future.
  • You'll need to determine how data can be safely shared with third parties. This includes drawing up data sharing agreements. You can get help with these agreements by contacting IXA.

The I in FAIR means data and metadata (data about data) should be Interoperable. Basically it means that both humans and computers can properly interpret and understand the data and metadata. One way to achieve this is by using standards when creating metadata or by using vocabulary that is also used by other researchers in your field. See the question I'm writing a data management plan (DMP) and the template is asking about which metadata standards, metadata schema, ontologies, terminologies and controlled vocabulary I will use. What does this mean? for more information about metadata. In addition to creating metadata about your research data, you can also improve the interoperability of your data by using open-source software (e.g. R or Python) and open data formats (e.g. csv, txt). If someone needs to use proprietary software to open and analyze your data files, then the data are less readily interoperable.
Additional infrastructure at the VU is being developed to support researchers in meeting the Interoperability requirement; this information will be communicated as this infrastructure becomes available. For now, focus on maintaining good documentation about your data, for example, by:

  • Maintaining logbooks about data collection and cleaning
  • Creating codebooks to describe variable names and value codes
  • Saving all scripts, code or syntaxes used to clean and analyse your data.

Finally, the R in FAIR means reusable. In simple terms, it's a summary of the F, A, I aspects of the FAIR principles: if you meet those requirements, your data should be reusable. There are some more details that apply here, but those will be explained as the FAIR data infrastructure at the VU develops.

It is important to be aware that making your data FAIR does not guarantee that your data are of a high quality. Following the FAIR principles only ensures that data can be reused by others. The best way to ensure data quality is to effectively plan for research data management before starting your research. Take the time to think about which variables are necessary to answer your research question and whether the planned methods of collecting data for these variables could lead to unreliable results. For example, if you are creating a question in a questionnaire that contains both open text fields (e.g. "other, namely", "Comments") alongside questions with pre-defined answers, consider whether there is a risk of collecting conflicting information. There isn't a perfect way to deal with such issues; it ultimately depends on what information you need to answer your research question. If you plan ahead, however, you can choose different ways to collect the necessary information. Or you can develop a data cleaning protocol for managing any inconsistencies as they arise; a documented protocol will ensure that all members of your research team clean the data in a consistent manner. Finally, any data cleaning steps should be well documented using code or in a logbook so that there is a clear record of how data were modified prior to analysis. This helps with transparency and prevents any questions about academic misconduct from arising.



My funder or a journal is requiring that I make my data publicly available, but my data falls under the GDPR. What should I do?

If your data are subject to the GDPR, you shouldn't make them publicly available, but you can publish information about the data and how they can be accessed (the "A" in FAIR-data). See the questions How can I meet the FAIR principles/Open Data requirements if my data are subject to the GDPR? and What are the FAIR principles? How can I apply them in my work at the VU? for information on how to make your data FAIR even if they cannot be made publicly available. Addressing the issue in this way should be sufficient for your funder or the journal.



More Information
Why is everyone talking about research data management so much?

Good research data management not only helps a research project run more smoothly, it can result in higher quality data and improve the validity and reproducibility of your study results. There have been cases where published studies have been retracted because the variables used in the analysis were mislabeled, leading to completely invalid and misleading results. Clear documentation could have helped to avoid this. Clear documentation also makes your data more understandable to yourself, your internal research team and any future users of the data.

Planning ahead with research data management helps you to ensure the privacy and security of your research data; for example, you may need to plan out a good method for collecting data outside the VU. Writing this down in a data management plan gives everyone in your research team a clear understanding of what their responsibilities are and shows any data protection authorities that you’ve considered the risks and taken appropriate and strategic measures to minimize these risks.

Data management planning can also help minimize the amount of work required to clean your data; for example, by building validation checks into your data entry forms, you prevent impossible values (e.g. age of 200) from being entered. Additionally, if you will be using questionnaires in your research and you take the time during data management planning to think about the structure of your questionnaire, you can determine where and when open text fields are absolutely necessary, minimizing the amount of text data that will need to be recoded into categorical data during data processing.

Finally, data management planning helps with preparing for archiving and publishing of research data. Data archiving after an article is published is a requirement of the VSNU Code of Conduct for Research Integrity. There have been numerous cases around the world where research publications have been retracted because the original data were not findable, meaning that the validity of the research findings could not be confirmed. Additionally, data should not only be archived to allow for verification of research findings, but also described clearly and effectively through documentation and metadata so that others who may need to check the data can fully understand the data and interpret them. Archiving takes a lot of work, but the stress of archiving can be reduced if you plan ahead for it during your data management planning (by thinking ahead about what parts of your research need to be archived, what documentation is necessary to understand the data and which archiving location should be used.)

These are just a few examples of how research data management plays a role in how smoothly your research project will run. It’s not necessary to know all of the details about data management at the start of your research, but it is important to document what is known at the start of a project and to regularly review and update the data management plan as more information becomes available.



Where can I find more information about research data management?

You can find additional information about research data management on the faculty research data management support page.

Privacy FAQ


General GDPR Concerns
What is the GDPR and what does it mean for me as a researcher?

This document provides a summary of what the GDPR means for you as a researcher.



The GDPR only applies to personal data, but my data are anonymous. Why do I have to worry about the GDPR?

This is a complex issue. The GDPR has broadened the definition of personal data to: “any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”. It is the indirect identification of individuals that makes it difficult to say with certainty that data about people are anonymous, because through the combination of several indirect identifiers, or by coupling these identifiers with publicly available data, a person could actually be quite easily identified. In a world of Big Data, AI and learning algorithms it's almost never possible to 100% guarantee anonymity when data about people are collected. Additionally, the rules that the Dutch Data Protection Authority applies when considering if data are anonymous are quite strict. For data about people to be anonymous, the following three conditions must all apply:

  1. It must not be possible to single out a unique individual within the dataset
  2. It must not be possible to couple together separate records on an individual
  3. It must not be possible to infer, with significant likelihood, additional data values about an individual based on the data available in the dataset
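As an added illustration of how these three conditions can be checked on a concrete table (this example is not part of the original FAQ and does not reproduce the Data Protection Authority's own method), the following Python code groups records by their quasi-identifiers (age group, gender, four-digit postcode) and reports who can be singled out, which records could be coupled to a second dataset, and where a sensitive value can be inferred from the group alone. All records, the column names and the second "external" dataset are constructed for the example.

```python
from collections import defaultdict

# Constructed sample records (fictional participants). Quasi-identifiers are the
# columns that are harmless on their own but identifying in combination.
RECORDS = [
    {"id": 1, "age_group": "20-29", "gender": "F", "postcode4": "1081", "diagnosis": "none"},
    {"id": 2, "age_group": "20-29", "gender": "F", "postcode4": "1081", "diagnosis": "none"},
    {"id": 3, "age_group": "20-29", "gender": "F", "postcode4": "1081", "diagnosis": "anxiety"},
    {"id": 4, "age_group": "60-69", "gender": "M", "postcode4": "1018", "diagnosis": "depression"},
    {"id": 5, "age_group": "30-39", "gender": "M", "postcode4": "1081", "diagnosis": "none"},
    {"id": 6, "age_group": "30-39", "gender": "M", "postcode4": "1081", "diagnosis": "none"},
]
QUASI_IDENTIFIERS = ("age_group", "gender", "postcode4")
SENSITIVE = "diagnosis"

# Constructed "other" dataset the records might be coupled with, e.g. a club
# membership list that happens to carry the same quasi-identifiers.
EXTERNAL = [
    {"member_no": "A17", "age_group": "60-69", "gender": "M", "postcode4": "1018"},
    {"member_no": "B02", "age_group": "20-29", "gender": "F", "postcode4": "1081"},
]


def equivalence_classes(records, quasi_ids):
    """Group records by their combination of quasi-identifier values."""
    classes = defaultdict(list)
    for record in records:
        classes[tuple(record[q] for q in quasi_ids)].append(record)
    return classes


def singled_out(records, quasi_ids):
    """Condition 1: ids of records whose quasi-identifier combination is unique."""
    return sorted(group[0]["id"] for group in equivalence_classes(records, quasi_ids).values()
                  if len(group) == 1)


def k_anonymity(records, quasi_ids):
    """Size of the smallest group; k == 1 means at least one person can be singled out."""
    return min(len(group) for group in equivalence_classes(records, quasi_ids).values())


def linkable(records, external, quasi_ids):
    """Condition 2: records that match exactly one record of another dataset on the
    quasi-identifiers, so the two records can be coupled to the same individual."""
    ours = equivalence_classes(records, quasi_ids)
    theirs = equivalence_classes(external, quasi_ids)
    return sorted(group[0]["id"] for key, group in ours.items()
                  if len(group) == 1 and len(theirs.get(key, [])) == 1)


def inferable(records, quasi_ids, sensitive):
    """Condition 3: groups whose members all share one sensitive value, so the value
    follows from the quasi-identifiers even though nobody is singled out."""
    leaks = {}
    for key, group in equivalence_classes(records, quasi_ids).items():
        values = {record[sensitive] for record in group}
        if len(group) > 1 and len(values) == 1:
            leaks[key] = next(iter(values))
    return leaks


if __name__ == "__main__":
    print("k-anonymity:", k_anonymity(RECORDS, QUASI_IDENTIFIERS))
    print("can be singled out:", singled_out(RECORDS, QUASI_IDENTIFIERS))
    print("can be coupled to EXTERNAL:", linkable(RECORDS, EXTERNAL, QUASI_IDENTIFIERS))
    print("value inferable from group:", inferable(RECORDS, QUASI_IDENTIFIERS, SENSITIVE))
    # Dropping the postcode is not enough here; only a much coarser table passes.
    print("k without postcode:", k_anonymity(RECORDS, ("age_group", "gender")))
    print("k with gender only:", k_anonymity(RECORDS, ("gender",)))
```

On the constructed table, participant 4 fails condition 1 (and, against the external list, condition 2), and the two men aged 30 to 39 fail condition 3 because both have the same diagnosis. Removing the postcode column still leaves participant 4 unique, which is the practical lesson behind the faculty's advice: small datasets about people rarely satisfy all three conditions, so treat them as personal data.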

Because of these very strict rules, the faculty advises all researchers using data about humans to treat such data as personal data under the GDPR. This means that all data about people should be protected with at least some security measures such as those suggested in this guide. Lower risk data (e.g. benign information about healthy adults) don't require as many or as strict security measures, but at a minimum these data should be saved in a pseudonymized manner (i.e. no names and contact information stored in the same dataset as the research data) and these data should be stored on and shared through VU approved facilities.
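The minimum measure just described, keeping names and contact details out of the dataset that holds the research data, can be done mechanically at the point where data come in. The following Python example (added here; it is not an FGB or VU tool and the records are constructed) splits each incoming record into a key table that maps a random pseudonym to the participant's identity and a research table that carries only the pseudonym and the research variables. Which columns count as direct identifiers is an assumption to adjust to your own forms.

```python
import csv
import io
import secrets

# Direct identifiers that belong in the key table only (assumption: adjust to your forms).
DIRECT_IDENTIFIERS = ("name", "email", "phone")

# Constructed sample: fictional participants as they might come out of a sign-up form.
RAW_RECORDS = [
    {"name": "Participant One", "email": "one@example.org", "phone": "0600000001",
     "age": 34, "condition": "control", "score": 17},
    {"name": "Participant Two", "email": "two@example.org", "phone": "0600000002",
     "age": 29, "condition": "treatment", "score": 23},
]


def new_pseudonym(existing):
    """Random, meaningless code: nothing about the person can be derived from it,
    unlike a code built from initials, birth date or a hash of the name."""
    while True:
        pid = secrets.token_hex(6)  # 12 hex characters drawn from the OS CSPRNG
        if pid not in existing:
            return pid


def pseudonymize(records, direct_ids=DIRECT_IDENTIFIERS, id_field="participant_id"):
    """Split records into a key table (pseudonym -> identity) and a research table
    (pseudonym -> research variables). The two tables are meant to be stored apart:
    the key table in a more restricted location than the research data."""
    key_table, research_table, used = [], [], set()
    for record in records:
        pid = new_pseudonym(used)
        used.add(pid)
        key_table.append({id_field: pid, **{k: record[k] for k in direct_ids if k in record}})
        research_table.append({id_field: pid,
                               **{k: v for k, v in record.items() if k not in direct_ids}})
    return key_table, research_table


def to_csv(rows):
    """Serialise one table to CSV text; write each table to its own storage location."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def lookup_identity(key_table, pid, id_field="participant_id"):
    """Authorised re-identification, e.g. to contact a participant for a follow-up."""
    for row in key_table:
        if row[id_field] == pid:
            return {k: v for k, v in row.items() if k != id_field}
    return None


if __name__ == "__main__":
    key, research = pseudonymize(RAW_RECORDS)
    print("--- key table (restricted storage) ---")
    print(to_csv(key))
    print("--- research table (shared with the analysis team) ---")
    print(to_csv(research))
```

Note that this only separates structured columns; open text fields in the research table can still contain names or other identifying details and need to be checked separately.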

For more tips about personal data, pseudonymous data and anonymous data, and when the GDPR does or doesn't apply, see this postcard from the National Coordination Point for RDM. Finally, if you think your data are anonymous, check first with the FGB Privacy Champions whether this is actually the case. If your data truly are anonymous, then the GDPR does not apply to your data.



GDPR Rules and Requirements
Am I allowed to collect BSNs from research participants?

No.

Newer privacy requirements in The Netherlands do not allow us to collect BSNs anymore. In the past, researchers whose studies offered financial compensation to participants were required to collect administrative information, including BSNs, and submit this information to VU Financial Affairs. This is no longer required. The Dutch Tax Authority has now changed its procedures and research participants are responsible for filing income from research participation (if the total annual compensation is above €1500).

It is also not allowed to collect BSNs for any other research purposes. If, for some reason, this information is imperative to your research, you must contact VU Legal Affairs prior to starting your research to determine whether there is any valid legal argument for you to collect BSNs.

You are not allowed to collect BSNs without the approval of the VU Legal Affairs department



I am working on a grant that requires information or a declaration from the Data Protection Officer for the VU. Who do I need to contact for this?

The Data Protection Officer for the VU can be reached at functionarisgegevensbescherming@vu.nl.



I am working with personal data; who do I need to register this information with?

Under the GDPR, it is no longer necessary to register the processing of personal data with the Data Protection Authority for the Netherlands. Instead, a data processing registry must be maintained by the VU. In order to meet this requirement, you are asked to complete a data management plan (DMP) or registration form via DMPonline. First log in to DMPonline with your VUnet ID and then:

  1. Select "Create plans"
  2. Make sure Vrije Universiteit Amsterdam is listed under "Select the primary research organisation"
  3. Under "Select the primary funding organisation" select the box that says "No funder associated with this plan"
  4. Once "Which DMP template would you like to use?" appears select either:
    • The VU DMP template if you still need to write a data management plan. This is the default option for most cases and this DMP is approved by both NWO and ZonMw for their grant applications.
    • The GDPR registration form if you have already written a DMP without using DMPonline (or if you used a DMPonline template other than the "VU DMP template 2021 v1.3"). This option allows you to enter the necessary information for the processing register without having to write a new DMP.
Once you have completed the appropriate form in DMPonline, this information will be imported to the VU's processing register. For further information please contact the FGB Privacy Champions.



What should I do when I receive privacy sensitive information from participants, parents, schools, hospitals etc. in the form of an e-mail?

Unfortunately, this isn’t really something that can be avoided, particularly when the information is coming from participants or their parents. With regards to institutional third parties such as schools, hospitals or clinics that you are working with, contact the institution to determine whether data will continue to be transferred in this way so that a safe method can be agreed upon. If data will continue to be shared with you in this way, you should set up data transfer methods in line with this guide. For example, it's possible to set up access to a SURFdrive file or create a guest user in SURFFileSender for third parties, including those that don't normally have access to SURF products. SURFdrive and SURFFileSender are safer methods than e-mail that your partners can use if they need to share sensitive information with you.

If you receive a single e-mail containing sensitive information, simply contact the sender to say you have recorded the information in a safe location and deleted the e-mail. Advise the sender to delete the e-mail from their outbox and then let him or her know that e-mailing is not a particularly safe method for sending sensitive information; if sensitive information needs to be sent again in the future, advise the sender to first contact the research team to set up a safer method of transfer, such as with ZIVVER. You can find more information on ZIVVER on this IT Service Portal page. For additional information on ZIVVER, see this instruction manual: it explains how to use ZIVVER for obtaining digital consent, which is discussed further in the question How can I obtain consent from participants digitally, but also securely and in a way that follows the privacy rules?

It is understandable that if A LOT of these kinds of e-mails are received, that they will not be addressed immediately. Just try to manage them in a timely manner; your research team can document in your research data management plan or data protection impact assessment what standard response you should send when receiving these e-mails and the time frame within which you will address these e-mails. The GDPR does not define any time frame to manage such situations; instead you simply need to document how you handle personal data, so it is your responsibility to define a reasonable time frame (for example, 2 weeks), then document that time frame and stick to it.



What do I do if I plan to share research data outside of the EU/EEA?

Under the GDPR, there are specific rules you must follow if you plan to share non-anonymous data outside of the EU/EEA. The most feasible option for meeting these rules is to send the data to a country that has an adequate level of data protection according to the European Commission. Note that in Canada, this only applies to commercial organizations and in the U.S., this only applies to commercial organizations that are certified under the Privacy Shield framework. If there is no equivalency status, then you can have the receiving party in the other country sign a Standard Contractual Clause. If none of these options are feasible, contact the FGB Privacy Champion for further assistance.



Informed Consent Requirements
I am working on a longitudinal study and I obtained consent from some participants prior to the GDPR coming into force. Do I need to get consent again for these participants?

The first thing to check is whether the informed consent methods used prior to the GDPR meet GDPR requirements. This document includes information about the requirements for valid consent under the GDPR. If you determine that the manner in which consent was previously obtained is not valid under the GDPR and you still need to continue using participant data, then first try to contact participants (if you still have their contact information) to renew consent in a manner that is valid under the GDPR. If it is no longer possible to contact participants (e.g. all contact information has been deleted) then it is not absolutely necessary to renew consent under the GDPR, but you will need to document clearly in a data management plan or data protection impact assessment that it was impossible to contact the participants to renew consent under the GDPR rules and provide an explanation as to why this was impossible.



Due to the nature of my research, informed consent is not a feasible option (e.g. studies with children regarding criminal behaviour, abuse etc. where it might be inappropriate to obtain consent from parents). How can I carry out my research in a legal manner?

This question will need to be partially addressed by the FGB Ethical Committee (in Dutch the VCWE) during the ethical approval process; they can inform you about whether doing your research without obtaining consent can be ethically justified. With regards to privacy law, there is an option for data processing without explicit consent under the GDPR but it is important to discuss your desire to use this option with the FGB Privacy Champion as early as possible in your research planning.



How can I obtain consent from participants digitally, but also securely and in a way that follows the privacy rules?

It is generally preferred that consent be obtained with a paper consent form, but in many cases, it may be more appropriate to use digital consent. If your research is not medical in nature and not subject to any of the medical research regulations (namely, the WMO law, the GCP guidelines or the Medical Device Regulation), then there are no restrictions on using digital consent instead of paper consent. If you are conducting medical research and it is subject to any of the medical research regulations, you should check with the VUmc METC as to whether paper consent forms are required. As of mid-2022 digital consent is allowed in some cases of WMO-research, but you should always check with the METC if your research is allowed to use digital consent.

If digital consent is an option for you, the second thing you want to ensure is that you can obtain consent legally:

  • Potential participants must have consented to their contact information being used for such a purpose before you contact them. For example, you could receive a list of potential participants that are recruited by an external partner, but first that external partner must have obtained consent to share the e-mail addresses with us so that we can contact the potential participants about participating in our study.
  • You need to follow the advice from this checklist to ensure that the information you provide follows legal requirements.
  • You want to make sure you are contacting and obtaining consent from the correct person. The best way to do that is with a form of 2-factor authentication (for example, a one-time code sent to a phone number you already hold for the participant) with the help of the ZIVVER tool. This instruction manual will help you with setting up ZIVVER and using it for obtaining consent.

If you are running a survey with a panel provider (see the question Do I need to set up a processing agreement with panel providers, such as MTurk or Prolific Academic? ), you should obtain consent using your questionnaire tool at the very start of your survey. Make sure the information provided to participants, as well as the way consent is obtained, follows the requirements of this checklist.



Collaborations and Contracts
How can I determine what my role is (controller, joint controller or processor) under the GDPR?

The ICO, the Data Protection Authority for the UK, created a checklist to help you determine which role(s) you will have for the planned data processing. You can also use this checklist to determine whether third parties that you are going to work with will function as joint controllers and/or processors. It's necessary to determine what everyone's role is because you can then determine if agreements between the various parties need to be signed and if so, which type of agreement.



I need to hire a company to help with data processing (for example, questionnaire, app or database developers). Is there a standard processing agreement that I can use when hiring a processor?

Check first if the VU or FGB already has a contract with the company you wish to hire or with another company that provides a similar solution. The FGB Privacy Champions can help you with this. Also check if the faculty technicians (TO3) could create an in-house solution for you so that an external company doesn't need to be hired.

If a new company needs to be hired, use the standard VU model processing agreement, which you can obtain from the FGB Privacy Champion. The main text of this model agreement must not be changed, but the annexes at the end of the agreement need to be filled in. Contact the FGB Privacy Champion to review Annex 1 and contact the RDM support desk to get support from an IT expert who can review Annex 3 to check that the security measures of the company are sufficient. Be aware: it's very likely that the IT expert who will review Annex 3 will want to see a data classification of the data that will be collected or stored by the company you are hiring. This will help the expert in their assessment as to whether the security measures are sufficient. You can complete a data classification with this tool, although check first with your supervisor or research team members as to whether a data classification has already been completed.

Please note that some companies will wish to use their own model processing agreement. If it’s absolutely not possible to use the VU model then it may be possible to use the model of the company; however the FGB Privacy Champion will need to check the processor's model to make sure it meets the needs of the VU.

In all cases, setting up a processing agreement with an external company will take time, regardless of which model agreement is used. To help avoid trying to set up such agreements last minute, make sure to plan ahead in your data management planning as to whether an external company needs to be hired so that the process of setting up an agreement with that company happens well before data collection needs to begin.



Do I need to set up a processing agreement with panel providers, such as MTurk or Prolific Academic?

If you are using a panel provider to recruit participants by having the provider share a link for your survey, there is no need to set up a processing agreement with that provider. The provider is in this case an independent controller, according to the GDPR, meaning they are responsible for the data they collect and maintain; the VU is also an independent controller and we are responsible for the data we collect through the surveys. But neither party sees the data of the other party, so there is no need for an agreement. This applies even if the panel provider is located outside of the EU/EEA.

If you are using panel providers to recruit participants located outside the EU/EEA, be aware that other privacy laws may apply to the data collected; the VU is required to meet both GDPR requirements and international privacy laws when working with international participants. Finally, the only other thing to keep in mind when recruiting participants with panel providers is that you must ensure that you have a GDPR-compliant informed consent process at the start of the survey. Review this checklist to make sure your consent process is valid.



Are there standard VU agreements for working with other research institutions?

The VU has developed model agreements for situations where the VU functions as a joint controller with another party (see the question How can I determine what my role is (controller, joint controller or processor) under the GDPR? for further information on what a "controller" is). You can obtain this model agreement from the FGB Privacy Champion.

Additional agreements, such as collaboration agreements, may need to be set up when working with third parties. You can contact Legal Affairs for assistance with this process.



I am an external PhD candidate/I am supervising an external PhD candidate. What kind of privacy/data sharing agreements need to be signed before data collection begins?

A good starting point to assess what kind of privacy agreements are necessary is to complete this checklist and see whether the VU and the third party are joint controllers. If they are joint controllers, a joint controller agreement needs to be signed; you can obtain a model agreement from the FGB Privacy Champion. You should also consider where the research data will be collected from and stored because if all data are maintained externally by the third party and the PhD candidate is employed by that third party, generally no joint controller or data sharing agreements are required. However, if the third party has no facilities for maintaining the data long-term after the research project is complete (namely for archiving the research data) data may need to be transferred to the VU at which point a data sharing agreement and potentially a joint controller agreement will be necessary. You can contact Legal Affairs for help with drawing up a data sharing agreement.

Make sure to also review the question I am an external PhD candidate/I am supervising an external PhD candidate. Can I make use of services licensed by the VU, such as Qualtrics or Survalyzer? for more information about the use of VU-licensed services by external PhD candidates.



Working with Students
It is not feasible for my student to complete their research project at a VU workstation. What other options are there?

This document provides guidance on how to handle privacy risks when students are using research data, including where and how the data should be stored. If the data are higher risk, but the guidance above isn't feasible, one solution is to de-identify the data before giving the student access so that privacy risks are reduced.



Who is responsible if students working with personal data are not sufficiently careful and a data breach occurs?

This is a complex question. Ultimately the VU would bear the brunt of the responsibility if a breach occurs. However students are responsible for handling data carefully according to the requirements of the VU. In order to ensure students behave appropriately while under VU supervision, students must carefully read, understand and sign confidentiality agreements before they work with research data. If students will be collecting or transporting data outside of the VU or they will be borrowing equipment from the TO3 Borrowing Service, they must also read this guide on security basics and this guide on physical transport of data so that they know how to carefully handle the data until they can store it in a safe VU location. It is also a good idea to develop a protocol for collecting data outside the VU that will be documented in the data management plan so that everyone collecting and transporting data knows what their responsibilities are; having clear, documented procedures that everyone must follow will minimize the risks of leaking data.



Where can I get a confidentiality agreement for my student to sign?

If the student will be conducting research under the sole supervision of the VU and there isn’t another third party (e.g. a hospital, long-term care centre, physiotherapy clinic etc.) involved in the data collection, then a confidentiality agreement can be obtained from your department or section head. He or she can also sign this agreement on behalf of the Director of Operations for the Faculty. If all data collection and data storage will take place at the location of a third party, and the only role for the VU is to provide supervision for the research internship, then the third party is responsible for setting up a confidentiality agreement with the student.

If both the third party and the VU are responsible for the data that the student will work with (i.e. data collection and/or storage happens at both the VU and the third party location) then the student must sign confidentiality agreements for both the VU and the third party. It is advised that the supervisor review the confidentiality agreement template in this situation to make sure that there isn't anything in the agreement that might be a problem for the collaboration; if there seems to be a problem, contact the FGB Privacy Champion for advice.



Data Protection Measures
Do I need to complete a data protection impact assessment (DPIA)?

Because of the type of research that is done at FGB, it's very likely that a DPIA will need to be carried out before you begin your research project. First you can check whether it's legally required that you complete a DPIA by completing a pre-DPIA. You can contact the FGB Privacy Champions for this pre-DPIA form; they can also provide you with the full DPIA form, as well as give advice and feedback on the completed form.



I cannot remove directly identifying information (e.g. name, address, photographs/videos of face) from my data based on the nature of my data or the complexity of my project (necessary to maintain names on certain documents so as not to share ID codes with third parties such as teachers or care providers). How can I meet the GDPR requirements?

If your data are very high-risk, and it's not feasible to de-identify the data as a way of reducing privacy risks, then you should discuss this with the FGB Privacy Champions. You should also ask for support from an IT security expert, via the RDM support desk. They can assist you in thinking of alternative solutions and if necessary they can start the process of developing a custom data storage solution.



Privacy and Data Management Software
I’ve heard there are issues with Qualtrics and the GDPR. Can I use Qualtrics as a survey tool and if not, what can I use? UPDATE DEC 2020

As of December 2020, the issues with Qualtrics under the GDPR have been resolved. It is now possible to collect personal data with Qualtrics for your research. FGB has also maintained the license for the alternative questionnaire tool Survalyzer. There are a variety of reasons why you may want to use one questionnaire tool over the other. Additionally, there are important steps you can take when using either of these questionnaire tools to make your data extra secure. For more information on these matters, please refer to this guide on the secure use of questionnaire tools.



I have access to Google Drive and other Google Suite products with my VUnet ID; does this mean that Google services like Google Drive are "GDPR-proof"?

No. The reason you can use your VUnet ID to log in to these services is so that they can be used for educational purposes. Google Drive remains an inappropriate solution for storing and sharing data that falls under the purview of the GDPR or any other sensitive types of data.



I’m running an online survey with a monetary reward for participation. How should I prepare for potentially fraudulent responses?

The most important thing you should do is clarify in the information letter shown to potential survey respondents how many times they are allowed to participate. Also state that responses to your survey that are clearly fraudulent (e.g. it's clear that a bot was used to repeatedly fill in the survey) will not be compensated.

Some survey programs, like Qualtrics, offer technical methods to help prevent fraud; however, these methods are not very effective, and if you use them you will need to include additional information about cookies in the information you give to your participants. It is therefore recommended to not use these methods and instead simply monitor for signs of fraudulent responses, such as repeated submissions from very similar e-mail addresses (e.g. the same address with different "+tags" or extra dots) and survey completion times that are impossible for a human to achieve.

If you suspect that a survey respondent is fraudulently responding to your survey, do not contact this person. Contact instead the FGB Privacy Champions for further assistance.
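As an added example (not FGB/VU code, and not a feature of Qualtrics or Survalyzer), the monitoring described above written as a script you can run over an exported response file. It assumes the export gives you a response ID, the e-mail address the respondent entered for payment and a completion time in seconds; the sample rows and the 60-second floor are constructed assumptions, so calibrate the floor on a pilot of your own survey. It flags three things: the same mailbox submitting more than once after normalizing "+tags" and Gmail dots, completion times below the floor, and distinct mailboxes whose addresses look like variants of one name. The output is a review list for you, not an automatic exclusion, and, as stated above, flagged respondents should not be contacted.

```python
"""Screen a survey export for signs of fraudulent responding.

Added example for this FAQ: it is not an FGB/VU tool and not a feature of
Qualtrics or Survalyzer. Column layout, thresholds and the sample rows are
assumptions or constructed test data. Output is a list of responses for a
human to review, not an automatic exclusion list.
"""
import re
from collections import defaultdict

# Constructed sample rows (not real respondents), in the shape a survey
# export might give: (response_id, e-mail given for payment, seconds taken).
SAMPLE_RESPONSES = [
    ("R1", "anna.devries@example.com", 612),
    ("R2", "A.N.Na.DeVries@gmail.com", 14),
    ("R3", "anna.devries+1@gmail.com", 11),
    ("R4", "anna.devries+2@googlemail.com", 9),
    ("R5", "jan.jansen@example.org", 540),
    ("R6", "janjansen01@example.org", 498),
    ("R7", "m.bakker@example.nl", 35),
]

# Assumed floor: the questionnaire takes a human roughly twenty minutes, so
# anything finished in under a minute is not a genuine attempt. Calibrate
# this on a pilot run of your own survey.
MIN_PLAUSIBLE_SECONDS = 60

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_address(addr: str) -> str:
    """Return the mailbox an address actually delivers to.

    Lower-cases, drops a '+tag' sub-address (honoured by most providers)
    and, for Gmail, also ignores dots in the local part and unifies the
    domain, so 'A.N.Na+1@googlemail.com' and 'anna@gmail.com' compare equal.
    """
    local, _, domain = addr.strip().lower().rpartition("@")
    local = local.split("+", 1)[0]
    if domain in GMAIL_DOMAINS:
        local = local.replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def resemblance_key(addr: str) -> str:
    """Looser key for 'very similar' addresses: the local part without dots,
    digits or '+tag', ignoring the domain. Groups candidates for a human to
    look at; it is not proof of fraud on its own."""
    local = canonical_address(addr).rpartition("@")[0]
    return re.sub(r"[.\d]", "", local)


def flag_responses(rows, min_seconds=MIN_PLAUSIBLE_SECONDS):
    """Return {response_id: [reason, ...]} for every row that merits review."""
    flags = defaultdict(list)

    # Signal 1: the same mailbox submitted more than once.
    by_mailbox = defaultdict(list)
    for rid, email, _ in rows:
        by_mailbox[canonical_address(email)].append(rid)
    for mailbox, rids in by_mailbox.items():
        if len(rids) > 1:
            for rid in rids:
                others = sorted(set(rids) - {rid})
                flags[rid].append(f"same mailbox ({mailbox}) as {others}")

    # Signal 2: a completion time no human could achieve.
    for rid, _, seconds in rows:
        if seconds < min_seconds:
            flags[rid].append(f"completed in {seconds}s, below the {min_seconds}s floor")

    # Signal 3: distinct mailboxes whose addresses are variants of one name.
    by_key = defaultdict(list)
    for rid, email, _ in rows:
        key = resemblance_key(email)
        if key:  # an all-digit local part gives an empty key; skip it
            by_key[key].append((rid, canonical_address(email)))
    for key, members in by_key.items():
        if len({mailbox for _, mailbox in members}) > 1:
            for rid, _ in members:
                flags[rid].append(f"address resembles {len(members) - 1} other response(s) ('{key}')")

    return dict(flags)


if __name__ == "__main__":
    for rid, reasons in sorted(flag_responses(SAMPLE_RESPONSES).items()):
        print(rid, "->", "; ".join(reasons))
```

Run it over the real export only on a VU workstation or other approved storage location, since the address column is personal data; the normalization step is what catches the "anna.devries+1" / "a.n.na.devries" trick that a plain duplicate check misses, while the resemblance key deliberately over-flags (it groups "jan.jansen" with "janjansen01") so that a person, not the script, makes the final call.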



More Information
Where can I learn more about privacy issues?

There are a variety of free online courses available to learn about the GDPR and privacy issues. These include:

*To make use of the GoodHabitz program, you may need to login via this VU page because the Single Sign On with your VU account doesn't always work directly when on the GoodHabitz site. Once logged in switch the language to English and then search for the topic "GDPR". If you'd prefer to study in Dutch, search for the topic "AVG".



Security and Technical FAQ


Secure Communication, Data Collection and Data Sharing
What are my options for conducting video calls?

There are two options for video calling at VU Amsterdam: Microsoft Teams and Zoom. Zoom should only be used in non-sensitive situations. This means that Zoom cannot be used for the purposes of data collection in research, such as interviews with research subjects. More information on Zoom is available here.

If you need to use video calling for research purposes, the best option is Microsoft Teams; however, Teams has also not been officially approved for this purpose. It is therefore advised to discuss its use with IT Security to determine whether Teams is indeed appropriate for your research purposes. IT Security can also advise on whether any additional measures can be applied to protect the data. IT Security can be contacted via the RDM support desk.



I want to e-mail data to my colleague/student. How can I do this?

E-mailing data without additional security measures is strongly discouraged, even if it seems like the data are anonymous (because the standards that one must meet to call data anonymous are much stricter than many people realize, and much of our research data do not meet these standards). The VU has multiple options for sending data safely, so it is advised to use these solutions. See this guide for information about these options. On ServiceNow you can also find more information about the security extension, ZIVVER, that can be used with Outlook to secure e-mail traffic. If you aren't sure how to use ZIVVER on a personal computer, a red workstation or MacOS/Linux, check out this instruction manual about using ZIVVER for obtaining digital consent (discussed in the question How can I obtain consent from participants digitally, but also securely and in a way that follows the privacy rules?). This manual explains how you can set up ZIVVER on these types of workstations.



I need to collect data on location outside the VU (e.g. at a school, gym, hospital etc). What can I use to collect the data and how can I get it back to the VU safely?

See this guide for information on how to safely transport data to and from the VU. This guide also describes the TO3 borrowing service from which researchers and their assistants can borrow devices for offsite data collection.



Secure Data Storage and Data Deletion
How do I know if I am storing my data in the correct location?

See this guide for information and advice on where to store your data. If your situation is very complex and you still have questions, contact the Research Data Support Desk for advice.



How can I permanently delete data from my computer's hard drive or an external hard drive?

See the FGB Security Basics for information on how to properly delete data from your computer's hard drive and/or an external hard drive.



General Security Practices
I am an external PhD candidate/I am supervising an external PhD candidate. Can I make use of services licensed by the VU, such as Qualtrics or Survalyzer?

Unfortunately external PhD candidates are not allowed to use VU-licensed services. These are only to be used by VU employees and students. It is a good idea to check whether the external PhD candidate can make use of services within the institution they are associated with. If that is not possible, an option is to set up a VU guest account, but this can cost a lot of money and it does not necessarily guarantee immediate access to VU-licensed services; often more steps need to be carried out. Therefore it is advised to contact the Research Data Support Desk for more information and support on this complex issue.



I need to shorten a URL for a website related to my study. I can just use bitly, right?

Actually, your best option for creating a short URL for your research (and also for any educational purposes) is edu.nl. This is a service offered by SURF to all researchers, students and staff with access to SURF services and the main advantage is that the URL that is created does not track the website visitors, which can be an issue with things like bitly.



What should I do if I suspect a data breach has occurred?

Inform the IT Service Desk immediately with a high priority message. Provide them with details about what happened (including when you discovered it), the type of data that may have been leaked and a description of the population from which the data were collected. Report as soon as you notice something, even if you are not yet sure it is a breach: under the GDPR the VU must assess the incident and, where required, notify the Dutch Data Protection Authority within 72 hours of becoming aware of it. The Service Desk will forward your report to the Security Operations and Control Centre and the VU Legal Department, who will review the issue and determine what kind of follow-up is necessary.

You must also inform the faculty's Research and Policy Support (REPS) team via research.data.fgb@vu.nl. Set the message to high priority and include "data breach" in the subject line.

For more information on data breaches (a.k.a. data leaks), see this VU page.



More Information
Where can I learn more about security?

There is a basic security course available on GoodHabitz. To make use of this program, you may need to login via this VU page because the Single Sign On with your VU account doesn't always work directly when on the GoodHabitz site. Once logged in switch the language to English and then search for the topic "Information Security". If you'd prefer to study in Dutch, search for the topic "Informatiebeveiliging".

Additionally this guide on security basics from the faculty provides useful tips on protecting your data.