Ethics and Data Management

The ITHACA research team follows a specific protocol for the confidential and anonymous collection and treatment of all collected data.

1. Collected datasets are separated from personal identity information during the phase of collection or transcription.
2. Anonymization is ensured in different ways in relation to the different research tools.
   1. Questionnaires are collected ensuring complete anonymization; they can be collected in folders where the participants deposit the questionnaires autonomously, through an anonymized online site or trough return-envelopes.
   2. In audio-recordings and video-recordings, all names of the interviewees are deleted in all transcriptions and replaced by a number combined to three letters, indicating gender, role and country.
3. All personal information is kept in a separate file and is no longer linkable to the results (it is treated in an aggregated way).
4. Raw data are only accessible to authorized researchers affiliated to ITHACA project.
5. Processed data do not include reference to personal data, in order to prevent identification.
6. Without consent of the interviewees, the original audio-recordings and video-recordings of interviews and focus groups are not used.
7. Some parts of video-recorded or audio-recorded activities can be included in the restricted data of the website at the following conditions of consent.
   1. If a restricted use is only permitted by the subjects, the data are encrypted using available technology.
   2. If consent is denied, the recordings are not included and used.
8. Individuals cannot be singled out in datasets; two records cannot be linked within datasets or between two separate datasets; no information can be inferred in these ways.
9. No sensitive personal data is shared with third parties.
10. Incidental findings concerning sensitive data are deleted.
11. In case of withdraw from the study, the data referred to the interviewee previously collected are destroyed, unless already used in the framework of the research.

The ITHACA project follow ethics and data management principles:

• Sensitive personal data that participants provide to authorised researchers are only accessible to research teams. The staff members are coached and trained before being allowed to access confidential or personal data.
• Restricted data are never sent via email.
• Restricted data are encrypted during transmission over the network, using encryption measures strong enough to minimize the risk of the data’s exposure.
• Redundancy of restricted data are eliminated.
• Server-side scripts such as PHP, JSP, or ASP.NET are excluded
• All personal and sensitive data held electronically are stored centrally and only by authorised researchers.
• Sensitive personal and confidential data are never stored on portable devices.
• All portable devices, used to collect data during the research activities, are password- protected to prevent unauthorised use and unauthorised access to the database.
• The data models adopted to encode the archival metadata in XML format are: EAD, to encode the description of the archival resources; EAC-CPF, to encode the description of the archival authority records.
• Accounts to the database are only provided to authorised staff members.
• Application code is reviewed for SQL injection vulnerabilities.
• No Spyware is allowed on the application, web or database servers.
• Secure authentication to the database is used.
• External service providers employed by Departments/Centres are subject to strict procedures for accessing sensitive personal data established through formal contracts.
• A certified repository is used.

It is important to highlight that all collected data and information (e.g. comments shared during laboratories, working groups, focus groups) of those participants who have expressed their will to be pseudonomysed/anonymised remain separated by data that identify participants (i.e. name, surname, email, status, gender) and shared without any reference to the person who expressed them. In those cases where research participants have expressly accepted to be referred to with their name/surname and other relevant data, they sign a waiver and will have the possibility to check the material to be published and rectify it, if needed.

The same applies to workshops held with policy makers, practitioners and trainees, who can also express their choice whether to adhere or not to pseudonomysation/anonymisation, as foreseen in the informed consent form. In case they accept to be referred to with their name/surname, they are linked to their personal data and made public.In this case, participants signs a waiver and will have the possibility to check the material to be published and rectify it, if needed.

ITHACA devotes special attention to the following risks:

• • data breaches;
  • hacking activities;
  • infections/corruptions of data;
  • lack of secure access control measures;
  • lack of secure data transfer control measures;
  • access to users non-authorised by ITHACA researchers;
  • direct client access;
  • unauthorised sharing of personal data or research data collected;
  • data exposure;
  • data storage in portable devices;
  • cybersecurity threats;
  • unauthorised acquisition of information (data breach);
  • identity fraud.

All data are collected and processed in compliance with EU rules concerning personal data protection, approved by the Regulation (EU) 2016/679 of the European Parliament and of the Council (27 April 2016) on the protection of natural persons with regard to the processing of personal data and on the free moavement of such data, as well as with the full body of internal legislation in force.

The ITHACA ethics protocols and data management procedures are valid during and after the EU funding.

Concerning intellectual property, the project follows the guidelines published by the European Commission for H2020 and Horizon Europe projects. 

For ethics and data management requests, the ITHACA Coordinator team and the Ethics mentor can be contacted via email (ithacahorizon@unimore.it).