Develop a Data Management Plan which governs the handling of PII in the research project and beyond (DMP-PII). It should address:
the type and nature of PII
compliance requirements (including necessary forms for obtaining consent, and ethics clearance, if applicable)
legitimate research objectives that will be advanced by the PII
foreseeable risks and consequences if participants are identified from the data
privacy protection measures (or lack thereof) for collection, storage, transfer and publishing
process for obtaining informed consent
timeframe or trigger for archiving or deletion of PII
Employ stricter standards for research involving vulnerable populations such as children or illiterate participants or sensitive data such as ethnicity or religious beliefs
Undertake due-diligence of datasets previously collected by you or third parties to ensure you are entitled/permitted to use for your research project
Consult the legal, IRB or ethics clearance committee or any other relevant institutional group for specific institutional, local, regional or national policies and regulatory frameworks that may apply to PII in the context of your work
Don’t leave the handling of PII and privacy protection as an after-thought, plan ahead!
Don’t forget to checklocal laws and donor or third-party requirements in addition to institutional policies governing research ethics and privacy protection (seek expert support if unsure!)
Don’t ignore ethical practices/standards, if your institution does not have an ethics framework or clearance process in place self-assess!
In assessing whether information is capable of identifying someone (i.e. PII) don’t limit your focus to direct identifiers, also consider indirect/quasi identifiers. Appreciate this will depend on the context of the research project, the data in question and external data which is or may become otherwise available (i.e. there is no exhaustive list).
In assessing risk of harm don’t forget to consider potential harm to the participant’s community or groups of individuals that can otherwise be identified or associated with the participant