The purpose of this policy is to describe how and why the Luxembourg Agency for Research Integrity (LARI) uses personal information, how we go about protecting privacy and to ensure that individuals are aware of their rights and choices regarding this information. We will be clear about what data we collect and hold, and what is done with it. LARI aims to protect the users of LARI’s services, in particular those using our Ethics Consult Service and to protect LARI’s staff, volunteers, other individuals and subscribers.
Data protection principles
LARI needs to keep certain information about employees, volunteers, service users and suppliers to allow it to monitor performance, achievements, and health and safety, for example. It is also necessary to process information so that staff can be recruited and paid, services supplied, events organised and legal obligations complied with. To comply with the law, information must be used fairly, stored safely and not disclosed to any other person unlawfully. To do this, LARI must comply with data protection regulations as defined in Articles L.261-1 and L.261-2 of the Labour Code, as well as the EU General Data Protection Regulation 2016 (GDPR) (EU 2016/679).
LARI and all staff, volunteers or others who process or use any personal information must ensure that they follow these principles at all times. In order to ensure that this happens, LARI has developed this policy.
- Comply with both the law and good practice.
- Respect individuals’ rights.
- Be open and honest with individuals whose data is held.
- Provide training and support for staff and volunteers who handle personal data, so that they can act confidently and consistently.
In addition to being open and transparent, LARI will seek to give individuals as much choice as is possible and reasonable over what data is held and how it is used.
This policy is effective from 6 November 2018.
Who we are
LARI is a non-profit organization, offering support to the public, researchers and organisations to promote research ethics and research integrity. Please visit our “About LARI” page to learn more about what we do.
How we collect information about individuals
We collect individuals’ data from the following sources:
Directly from individuals
We may collect individuals’ data when someone contacts us directly. Examples include when:
- they request information about us;
- they attend LARI events such as training workshops or conferences;
- an individual becomes a LARI volunteer, is a member of staff, or is staff, student or other individual associated with a subscribing institution;
- an individual contacts LARI for confidential advice or ethics consultation; and/or
- LARI performs a misconduct investigation.
When an individual uses our website, we collect personal information using “cookies”. These are small text files that are placed on your computer/e-device to help the site provide a better user experience. In general, cookies are used to retain user preferences, store information for things like shopping carts, and provide anonymised tracking data to third party applications like Google Analytics. However, you may prefer to disable cookies on this site and on others. The most effective way to do this is to disable cookies in your browser (e.g., Firefox, Chrome, Explorer). We suggest consulting the Help section of your browser or taking a look at www.aboutcookies.org which offers guidance for all modern browsers or http://www.youronlinechoices.eu/. Common website practice also allows us to receive information about the type of device you are using to access LARI’s website, as well as information about the operating system, device settings and why a crash happened.
Cookies may be either persistent or session cookies. A persistent cookie will remain valid until a set expiry date, specified in the cookie itself, is reached. A session cookie, on the other hand, will expire once the web browser is closed.
Third party cookies set by LARI
|ShareThis||This cookie allows you to use the ‘Share’ buttons on each page across various social networks such as Twitter. The cookie monitors web pages viewed, navigation and time spent on each page. The ShareThis service only personally identifies you if you have separately signed up with ShareThis and given them your consent.||_unam|
|Google Analytics 360||These cookies are used to collect information about how visitors use the LARI website. We use the information to compile reports and to help us improve the site. The cookies collect information in an anonymous form, including the number of visitors to the site, where visitors have come from to the site and the pages they visited.||_utma|
|Wordfence||Wordfence WordPress Security plugin is used on the LARI website: 1. The plugin after it verifies the website visitor isn’t a Bot. 2. The cookie generated to confirm the user from Wordfence; Wordfence tracks a user’s duration so that the page views can be grouped together.|
LARI uses a number of third-party suppliers who set cookies on our website to allow them to provide us with services. More information about these suppliers and their privacy policies is listed below:
Information provided to us indirectly
Information may be shared with us by a third party. An example of this may be through a subscribing institution, or through an enquiry.
Information provided to us by other sources
Depending on your settings or the privacy policies for social media such as LinkedIn and Twitter, you may have given us permission to access personal information from those services.
What personal information may we collect
We collect, store and use the following kinds of personal information:
- contact details (including postal address, telephone number, e-mail address and/or social media identity);
- date of birth;
- bank or credit card details that were provided to make a payment or make expenses claims;
- if an individual applies to be a volunteer or to work for LARI, where necessary personal information will be used to process these applications and assess suitability (which may include for example employment status, and previous experience);
- information about activities on our website and about the devices used to access these, for instance IP addresses and geographical location;
- information about training events, topics and activities which we consider to be of interest to individuals;
- any other personal information that is provided to us.
How we use personal information
LARI will use personal information to:
- provide information and services within the remit of LARI, including research;
- keep a record of relationships between LARI and individuals;
- be able to respond to the consult and investigation services, to address complaints and queries made to LARI;
- understand how we can improve the remit of LARI by conducting surveys and analysis research;
- manage LARI training events, workshops and conferences;
- further our non-profit objectives;
- maintain and update records;
- register, administer and personalise subscriber online accounts;
- send correspondence and communications;
- administer our websites and to troubleshoot, perform data analysis, research, generate statistics and surveys related to our technical systems;
- test our technical systems to make sure they are working as expected;
- display LARI’s website in a way appropriate to an individual’s device;
- generate reports on the work of LARI, its work and events;
- safeguard our staff and volunteers;
- monitor LARI’s website use to identify visitor location, guard against disruptive use, monitor website traffic and/or personalise information which is presented to an individual;
- process an application for a job or volunteering position at LARI;
- conduct training, quality control, and quality improvement;
- audit and administer our accounts; and/or
- meet our legal obligations, for instance to perform contracts between individuals and LARI, or our obligations to regulators, government and/or law enforcement bodies.
LARI Ethics Consult Service, Investigations Service, Educational Services
LARI provides independent, expert and confidential advice regarding ethical dilemmas in the design and conduct of research. LARI also investigates allegations of research misconduct. These services are described in detail on our website, www.LARI.lu. Individuals from our member institutions are eligible for these services.
Personal information that is given to us when an individual contacts our consult service or investigative service may be part of a data set from which LARI may publish anonymised, aggregate data to illustrate the work of LARI. However, such information would not identify any individuals or organisations. A registry will store the consults and investigative work. For an example of a registry, please see this article: https://www.ncbi.nlm.nih.gov/pubmed/25758372
Similarly, LARI may publish or otherwise circulate case studies for use as training or educational material. Case studies will always be anonymised. Anonymous feedback from teaching events, workshops, and seminars may also be published.
In addition, LARI may create fictional scenarios for educational and training purposes. These illustrative ‘case study’ scenarios draw upon LARI’s experiences in assisting with issues of research integrity. No individuals or organisations are named in these scenarios.
For more information about the confidentiality provisions during a research misconduct investigation, please see our Rules of Procedure, https://lari.lu/lari-services/investigations-cri-rules-of-procedure/
How we use personal information to tell individuals about LARI
When individuals have asked to be sent information about LARI (inclusive of LARI events, information on our work programme or for recruiting volunteers) we will contact the individual via email or verbally with the relevant information. Occasionally, we may include information for other organisations who support us in these communications in alignment with LARI’s remit. We operate an ‘opt-in only’ communication policy. An example of this is our newsletter, Compass, which is sent out to subscribers and individuals who have requested the newsletter, as well as to our member institutions (service subscribers).
Lawful basis for processing
Data protection laws mean that LARI must have a valid lawful basis in order to process personal data. The relevant legal bases are described in the General Data Protection Regulation (EU Regulation 2016/679). At least one of the following must apply whenever LARI processes personal data:
Consent will normally not be sought for most processing of information about staff and volunteers, with the following exceptions:
- Staff details will only be disclosed for purposes unrelated to their work for LARI (e.g. financial references) with their consent.
- Volunteers and staff working from home will not normally have any means of contact made public. All contact will be routed through the LARI office. Consent will be sought for any exceptions, which would be on a case-by-case basis, and generally only to a specific service user.
- Information about volunteers will be made public according to their role, and consent will be sought for any publication of information which is not essential for their role. In general, LARI publishes short biographies and a picture of its Board, Coaches, and Commission for Research Integrity on the LARI website, www.LARI.lu. Other information on volunteers is not normally made public.
The consent of service users is sought in a variety of ways. For example, via emails acknowledging requests for assistance, and the terms and conditions/registration for booking a place on a LARI event/course/session.
- Seeking advice from LARI: when a person seeks advice from LARI, they choose what information they send to us when they contact us. Details about our consult and investigative services are located on our website, www.LARI.lu
- Events: when a person books a place at a LARI event, we ask them for their name and contact details. We use these to contact them in relation to the event and on their invoice (when applicable). Their name, email, title and organisation will be included in the delegate list which will be provided to all delegates at the event, and which may be made available to them electronically in advance. The delegate list is also available to speakers at the event.
Consent may be given verbally.
- Legal Obligation
LARI may use personal information to comply with its legal or regulatory responsibilities. For example, it may be necessary to share personal information with the Commission Nationale pour la Protection des Données (CNPD) or the Comité National d’Ethique de Recherche Luxembourg (CNER).
- Vital Interest
Under specific circumstances of vital interest LARI may process personal information. The below gives an example of vital interest which may result in harm to an individual or research subject:
When an enquiry is received by LARI, it is assessed to determine whether:
- It concerns a situation that may require immediate action to prevent further risk or harm to research participants, patients or other persons, improper treatment of animal subjects of research, improper use or storage of human tissue, materials or personal data, or negative environmental consequences (a ‘Situation’).
- It may involve criminal activity.
If the enquiry fulfils any of the above criteria, the Secretary General, liaising with the Board Chair, takes appropriate action to address the issue(s) in question, informing the enquirer and recording the actions taken and the reasons for his/her decisions in writing.
- If an enquiry involved criminal activity or a Situation, we would first strongly encourage the enquirer to report the matter to appropriate organisation(s), which we would identify for them.
- If this did not take place in a timely manner, LARI, despite its role as a confidential advisory body, reserves the right in such circumstances to make disclosures, in confidence if necessary, to relevant external bodies. Such a decision would be taken by the Secretary General and Board Chair, consulting with LARI’s Board, staff or volunteers with relevant expertise, and/or legal counsel, as appropriate. In some cases, LARI may be legally required to make such disclosures. We also reserve the right to disclose details of our advice and correspondence if that advice is later misrepresented by an enquirer.
If a third party would be able to work alongside LARI to resolve an enquiry, or would be a more appropriate source of support, then LARI would approach that body (e.g., Commission on Research Integrity, expert consultants).
- Legitimate Interests
LARI may use personal information if it is reasonably necessary to do so and in LARI’s or the individual’s “legitimate interests”. LARI ensures the information is used fairly and does not impact on the individual’s rights. An example is the use of personal information to administer, review and keep an internal record of the people we work with, including volunteers and institutional contacts.
How we keep data safe
This section of the policy only addresses security issues relating to personal data and other confidential data. LARI is based in its own office, lockable and with an alarm system. The building in which LARI’s office is based (6, avenue des Hauts-Fourneaux, L-4362 Esch-sur-Alzette, Luxembourg) follows standard security practices for office buildings (i.e. lockable, has an alarm system, etc.). Access to the office areas of the building is via key card only. Regular exterior patrols are carried out each night by security and any incidents are investigated and recorded.
- Paper records are kept in cabinets in the LARI office.
- Electronic records are stored in the LARI office:
- All LARI-owned desktop computers, laptop computers and portable memory devices are encrypted and require a password to decrypt the contents.
- LARI-owned computers are further password-protected, with each user given a unique password. Users are given ‘administrator’ rights only when required by their duties.
- Users are allowed access to folders and files which are relevant to their work.
- Files which contain information deemed to be particularly sensitive are password-protected.
- Files relating to LARI’s consult and investigative services are anonymised wherever possible (see above).
- Security system testing is done by anti-virus software.
- Backed-up data is held securely off-site and in encrypted form. The risk of loss of irrecoverable data is regarded as low-to-medium.
Human resources, payroll and accounts payable information: these functions are carried out on behalf of LARI by staff of BDO (https://www.bdo.lu/en-gb/home-en). Information relating to these functions is held in the BDO office, to a similar standard as above.
How long do we keep information?
LARI’s records retention schedule is given below, including the retention schedule for records relating to LARI’s consult and investigative services. LARI will follow the guidance on retention of records given in the JISC Infonet ‘HEI Records Retention Schedule’, available from: http://www.jiscinfonet.ac.uk/partnerships/records-retention-he/hei-rrs.
The retention schedule for records relating to LARI’s services is given below:
|The management in summary form of enquiries and requests for assistance directed to LARI’s consult and investigative services||Permanent||● Indexes ● Registers, Registry|
|The management in detailed form of enquiries and requests for assistance directed to LARI’s consult and investigative services||Last action on enquiry/ request for assistance + 6 years *||● Reports ● Supporting material submitted by enquirer ● Reference materials|
|The management in detailed form of informal enquiries directed to LARI’s consult and investigative services||Last action on enquiry/ request for assistance + 3 years *||● Enquiry notes ● Form letters or emails|
|Feedback data||5 years||● Surveys|
* Note that retention for a longer period may be appropriate:
- If the enquiry/ request for assistance concerned a situation that may have required immediate action to prevent further risk or harm to research participants, patients or other persons, improper treatment of animal subjects of research, improper use or storage of human tissue, materials or personal data, or negative environmental consequences.
- If the enquiry/ request for assistance involved, or was reported to (by any party), a statutory regulator, the Police or other body with a legal responsibility to address the matter in question.
- If the enquiry/ request for assistance was used as the basis of a case study for educational and training purposes. Case studies will always be anonymised before publication.
- If the enquiry/ request for assistance, or the handling of the enquiry/ request for assistance, could be a basis for legal action against LARI.
Sharing information with other organisations
LARI will never sell or rent personal information to third parties. However, we may need to disclose information to third parties in connection with purposes set out in this policy, such as organisations that fund, subscribe to or otherwise support LARI, as well as suppliers and sub-contractors who may process information on our behalf and IT/web-based related support and services.
Where we are under a legal or regulatory duty to do so, we may disclose information to the police, regulatory bodies or legal advisors, and/or, where we consider it necessary to protect the rights, property or safety of LARI, its personnel, visitors, volunteers, advisory board, users or others.
When using suppliers who operate partially or fully outside the European Economic Area (EEA), potentially within a country that may have different data protection laws, LARI will take steps to ensure they provide an adequate level of data protection in accordance with Luxembourg law.
LARI has the policy of sharing lists (or carrying out joint or reciprocal mailings) only on an occasional and tightly-controlled basis. Details will only be used for any of these purposes where the Data Subject has been informed of this possibility, along with an option to opt in.
LARI undertakes to obtain external lists only where it can be guaranteed that the list is up to date and those on the list have been given an opportunity to opt in.
It is considered unlikely that LARI will carry out telephone marketing. However, if it ever does, it will only do so where consent has been given in advance, or the number being called has been checked for opting out of telemarketing.
Whenever email addresses are collected, any future use for marketing will be identified, and the provision of the address made optional (opt in).
Keeping individuals’ data up to date
LARI will regularly review its procedures for ensuring that its records remain accurate and consistent and, in particular:
- ICT systems will be designed, where possible, to encourage and facilitate the entry of accurate data.
- Data on any individual will be held in as few places as necessary, and all staff and volunteers will be discouraged from establishing unnecessary additional data sets.
- Effective procedures will be in place so that all relevant systems are updated when information about any individual changes.
Staff or volunteers who keep more detailed information about individuals will be given additional guidance on accuracy in record keeping.
Updating and rectification
Under Article 16 of the GDPR, individuals have the right to have inaccurate personal data rectified. If personal data about an individual is inaccurate, the individual may request a rectification, either verbally or in writing. LARI will facilitate this request within one month of receipt. All requests can be made to the Secretary General. To recognise a verbal request, LARI will contact the requester in writing to ensure a log is kept and the data is rectified.
LARI appreciates it if subscribers, volunteers and suppliers keep us up to date with any changes in contact details. LARI will regularly inform contacts via email, SurveyMonkey® (www.surveymonkey.com) or MailChimp® (http://www.mailchimp.com) of any changes relating to policies and terms.
LARI respects the rights of individuals in relation to their personal information as provided in the GDPR. If you want to exercise any of the below rights, please contact the Secretary General, Katrina Bramstedt via email at secretarygeneral@LARI.lu or by writing to:
Luxembourg Agency for Research Integrity (LARI)
6, avenue des Hauts-Fourneaux
L-4362 Esch-sur-Alzette, Luxembourg
LARI will endeavour to respond fully to all requests within one month of receipt of your request, however if we are unable to do so we will contact you with reasons for the delay.
Where an ‘individual’ wishes to exercise any of the rights in the list below, they must contact LARI either verbally or in writing. LARI will facilitate this request within one month of receipt. All requests can be made to the Secretary General. To recognise a verbal request, LARI will contact the requester in writing to ensure a log is kept of the ‘right to be forgotten’.
- The right of access
Individuals have the right to request a copy of the personal data that LARI holds about them. This is called a ‘subject access request’. We will provide these unless legal exceptions apply.
Subject access requests must be in writing (email is acceptable).
All staff and volunteers are required to pass on anything which might be a subject access request to the Secretary General without delay.
Where the individual making a ‘subject access’ request is not personally known to the Secretary General their identity will be verified before handing over any information.
LARI will not normally charge for processing a subject access request. If it does decide to charge for processing a subject access request, this will a) be no more than 10 euro; and b) the fact that a charge will be made will be communicated to the person in question when they make a subject access request, along with the amount.
The required information will be provided in permanent form unless the applicant makes a specific request to be given supervised access in person.
- The right to rectification
Individuals have the right to have inaccurate or incomplete information we hold about them corrected. Please contact us if you feel we hold inaccurate or incomplete data about you and where applicable, LARI will correct any errors.
- The right to erasure
An individual may ask us to delete some or all of the personal information where it is no longer necessary for LARI to use it, where they have withdrawn consent, or where we have no lawful basis to keep it.
When personal data or confidential data is no longer required, or has passed its retention date, paper records must be shredded. If there is a significant amount of material which cannot be dealt with by normal shredding machines, this should be disposed of using a reputable disposal contractor.
Computerised records must be permanently deleted, with particular care taken that ‘hidden’ data cannot be recovered. LARI’s nominated IT contractor can advise on permanent deletion of computerised records.
- The right to restrict processing
Individuals have the right to request that LARI restrict the processing of their personal data in the following events: if some of the data we hold is wrong; LARI is not legally allowed to use it; when an individual needs us to retain the data in order for them to use it in a legal capacity; or they believe their privacy rights override our legitimate interests in the information for a specific task and they have made an objection to this.
- The right to data portability
An individual has the right to ask LARI to provide them or another service provider with some of the personal information that we hold about them to be presented in a readily available electronic form, to ensure that it can be transferred easily.
- The right to object
Article 21 of the GDPR gives individuals the right to object to LARI processing their personal data. This effectively allows individuals to ask LARI to stop processing their personal data when we are processing their personal information based on our legitimate interests, scientific/historical research or for statistics.
- Rights related to automated decision-making including profiling
LARI does not use automated individual decision-making (making a decision solely by automated means without any human involvement); nor profiling (automated processing of personal data to evaluate certain things about an individual).
If an individual is unhappy with any aspect of how LARI is using their personal data, please inform LARI’s Secretary General.
A person also has the right to lodge a complaint about any use of their information with the Commission nationale pour la protection des données (CNPD).
Changes to this Policy
Please contact us if you have any queries, suggestions or comments regarding this policy, either via email to secretarygeneral@LARI.lu or by writing to us at:
Luxembourg Agency for Research Integrity (LARI)
6, avenue des Hauts-Fourneaux
L-4362 Esch-sur-Alzette, Luxembourg
Policy operational date: November 2018
Date of last review: new policy
Date of next review: December 2018