Code of conduct for using  personal data in research

The number of different data files greatly increases in the digitizing society. Big data occurs in all elements of society: from health to economics, from education to science. Not only are new data created, but new combinations are also made of existing data. In addition, the infrastructure and processing techniques are adapted.

Many scientific researchers uses personal data. After the introduction of the Personal Data Protection Act (Wet Bescherming Persoonsgegevens), the VSNU has drawn up a code of conduct for scientific research. The Code of Conduct provides as prescribes that researchers use personal data for research purposes only, i.e. for the purpose of a scientific publication. Individuals may never be recognizable in these publications.

You can find the code of conduct here (Dutch Only). The attachment to the Code of Conduct can be found here.

New code of conduct
In May 2018, the new General Data Protection Regulation (GDPR) will enter into force. The Dutch term used is the Algemene Verordening Gegevensbescherming (AVG). Together with the fact that the environment in which researchers  work has changed drastically in recent decades the VSNU, together with experts,  is working on a new code of conduct.

Purpose code of conduct
The purpose is to draw up a new code of conduct that should contribute to the proper application of the GDPR. In addition, the code will provide practical tools for board members, researchers and research support staff.

The plan is to be in line with the new code of conduct in November 2017. There may be further adjustments following the Dutch implementing act AVG, discipline specific codes of conduct and additional guidelines from the Dutch Data Protection Authority (Dutch DPA).
Call for consultation
We call on experts and researchers to supply the writing team with questions and suggestions. During late 2017, consultation sessions will be organized at a few universities, together with the National Coordination Point Research Data Management. On October 24th and 26th, the first two sessions will be held: on October 24th at the University of Amsterdam and on October 26th at Erasmus University Rotterdam. Another session will take place at Utrecht University on November 13th.

More information about the GDPR can be found here:

·    Dutch Data Protection Authority (Dutch DPA):
·    National Coordination Point Research Data Management


Reinout van Brakel

Director Accountability

+31 (0)6 27 03 63 49