Qualitative interviews – free checklist for data protection

1 August 2024, 4 minutes reading time

How to conduct your interviews in compliance with the GDPR

Qualitative interviews usually contain personal data, and these need to be handled with care. Unfortunately, this is going to be a long checklist, so let’s get straight to it without much introduction:

1. Preparation

Download the declaration of consent file and adapt it to your specific project. Add project information, aim of the research and address data. Print out the document twice so that you can hand one over and keep one.

2. Obligation of data secrecy

Everyone who helps you and sees the data must be bound to data secrecy, including friends or family members. A sample from the independent federal and state data protection authorities can be found here.

3. Informing the interview partners

Inform your interview partners in advance about the contents of the declaration of consent: that you would like to record, transcribe and analyze the interview. Explain the purpose of the research, who will have access to the data and how you will handle data protection. Briefly explain the points in your declaration of consent and explain individual passages if asked.

Have the interviewees sign the declaration of consent and keep a copy of it. If interviewees are under the age of 16, the consent must be signed by their parents (additional information is provided by the Bavarian State Office for Data Protection Supervision here).

If special categories of personal data are involved, additional data protection requirements must be observed (information from the independent federal and state data protection authorities can be found here). Hand out a copy of the declaration of consent to the interviewees.

5. Record, transfer and save a qualitative interview

Make sure that the storage location for the recordings of the qualitative interviews is within the scope of the GDPR (European Union – EU or European Economic Area – EEA). The university’s network drive or local data carriers on password-protected computers are ideal here. Sending unencrypted e-mails is not suitable for confidential data. For the transfer of personal data to a country outside the EU/EEA – e.g. when uploading to American servers – please note the additional data protection requirements. If in doubt, it is better not to do this. Information from the independent federal and state data protection authorities can be found here.

The data must also be protected by technical and organizational measures, in particular against unauthorized access. The minimum level of security should be a non-publicly accessible computer with a current, supported operating system (i.e. no Windows Vista, macOS High Sierra or older). Up-to-date anti-virus software, firewall and a password-protected account that is not used privately should be available. Of course, the access data may only be known to authorized persons. You can find additional information on data security here.

6. Clarify transfer to external parties

If you want to outsource the transcription or processing (e.g. coding), it is mandatory to conclude a “commissioned processing agreement”. This also applies to external hosters or service providers, e.g. for online surveys. These must already be determined before the interviews, as they must be listed in the declaration of consent. In particular, it must be ensured that any subcontractors also comply with data protection standards. General information from the independent federal and state data protection authorities on commissioned processing can be found here.

7. Delete securely

After the end of the project or the agreed retention period, make sure to delete the data securely. Moving to the recycle bin or “normal” deletion alone is not enough, as the data could usually be restored without much effort in these cases. The Federal Office for Security and Information Technology provides technical information on how to delete data correctly on its website. Secure deletion can be realized using free software.

This also applies in particular to the memory of recording devices! Especially if the devices are on loan (e.g. from a university media center), the recordings must also be securely deleted from there.

8. Document everything

All steps, including deletion etc., must be documented. How such documentation must look in concrete terms is not regulated in detail. For example, you can create a short Excel list or a text file. The important thing here is that you can prove in the event of an audit that all of the above points have been considered and taken into account.

9. If something goes wrong: information obligations

If there is a reasonable suspicion that data has been lost or has fallen into the hands of unauthorized persons, there may be a legal obligation to immediately inform the supervisory authority (usually the state data protection officer) and the persons whose data is affected (additional information is provided by the Bavarian State Office for Data Protection Supervision).

10. Do not be deterred!

At first glance, there is a lot to consider, and the declaration of consent does have to cover a number of points. Therefore, work from templates or samples. You can use our template, for example, or ask at your university’s methods center.
