Data protection in research

The concept of personal data is expansive: according to the General Data Protection Regulation (GDPR) personal data refers to all information relating to an identified or identifiable natural person. Natural persons are considered identifiable, if they can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, an opinion, a job title, image or audio, or one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity. 

Note that also interviews and survey responses may include personal data in case the respondent can be identified by direct reference to the responses, or by combining information from the responses or other available sources. 

Special categories of data are those revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic or biometric data which are processed for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

• Also: personal data relating to criminal convictions and offences or related security measures

Processing personal data means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as

• collection,
• recording,
• organisation,
• structuring,
• storage,
• adaptation or alteration,
• retrieval,
• consultation,
• use,
• disclosure by transmission,
• dissemination or otherwise making available,
• alignment or combination,
• restriction, erasure or destruction

If you are processing personal data in connection with your study, you need to comply EU's General Data Protection Regulation (GDPR) and Finnish Data Protection Act. These need to be complied also if your data is likely to include personal data, even if the collection of personal data is not the primary purpose of your study.

More information about personal data and identifiable data in the Data Management Guidelines of Finnish Social Science Data Archieves.

The GDPR and national data protection legislation set principles for processing personal data. All processing are guided by the following principles: 

• Lawfulness, fairness and transparency

Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject

• Purpose limitation

Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes

• Data minimisation

Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed

• Accuracy

Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay

• Storage limitation

Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject

• Integrity and confidentiality

Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures

1. Define your research goal and the purpose for processing personal data

The purpose for processing personal data must be carefully planned and defined to meet the requirements under data protection laws. When you are processing personal data for research purposes, you must ensure that personal data is only collected for a specific, explicit and lawful purpose. Processing data later on for a purpose that is not compatible with the original purpose is not allowed. Please note that phrases such as “for purposes of future research” or “personal data may be used for research purposes” are not clear enough to identify the purpose of processing personal data.

The purpose for processing personal data is usually defined in the research plan, which identifies, for example, the research goals, data and methods. The research plan must also list the categories of personal data that must be collected to carry out the study and indicate why they are necessary.  

2. Define the personal data to be collected and the sources of personal data

The categories of personal data include, for example, name, personal identify number, place of residence, profession, genome and voice. 

The sources of data include, for example, data subject, customer records, tissue samples and photos. 

3. Minimise the amount of personal data to be processed

You may only process personal data for research purposes if your research cannot be carried out using anonymised data. You must limit your processing to data that is absolutely necessary for carrying out your research. The data protection regulations apply to all data about identified or identifiable natural persons.

The necessity of collecting personal data for research purposes must be assessed as early as possible before your project begins. You must attempt to minimise the amount of personal data to be processed. You may only process personal data that is necessary to fulfil the original purpose. Besides the amount of personal data, you must also consider the categories of personal data that you will be processing.

You can limit the risks associated with processing by minimising the amount of personal data to be processed, for example, by using pseudonymised or anonymised personal data.  

Anonymisation means that the re-identification of the data subject is irreversibly and effectively prevented. When considering whether your data subjects can be re-identified, you must consider whether a third party could have access to data that would allow that party to convert the anonymised data into an identifiable form. A simple removal of names and other identifiers will not always render data anonymous.

Pseudonymisation refers to the processing of personal data in such a manner that the personal data can no longer be attributed to a specific person without the use of additional information. Such additional information must be kept carefully separate from personal data.

You must anonymise or pseudonymise the data as soon as possible, for example, after combining your data. Personal data may only be processed when it is not possible to fulfil the purpose of processing (such as research) in any other way. 

Data undergoes a sequence of stages from its initial collection to deletion at the end of its useful life. Your research plan should define whether your project is a one-off study or a longitudinal study necessitating a longer retention period.     

The data controller must specify the retention periods of personal data. Data should not be held for longer than is necessary and should not be kept just in case you need it in the future.

When planning a research project, consider the following questions:

• How long will I need to process personal data for actual research purposes?
• How long must I retain the data after completing the project, for example, to verify the results?
• What will I do to my research data after I no longer need to retain the data for research purposes?

If it is not possible to set a specific deadline, the retention period must be otherwise defined in a measurable way (e.g. by defining the cohort and follow-up time in detail).  

In the end of your research, erase, anonymise or archive your data.    

A research project may involve a number of partners with different roles, such as one or more research institutions, principal investigator, customer, researcher, and other staff members who carry out the actual processing activities. The roles of different stakeholders and the responsibilities of the data controller must be clearly defined before research begins.  

Data controller is the individual, company, public authority or community that determines the purposes and means of the processing of personal data. The data controller is responsible for compliance with data protection laws throughout the data lifecycle. The role of data controller is assigned to impose the responsibility for GDPR compliance on the party that has the power to influence processing activities. 

If you are independently working on a thesis, you will act as the data controller. This means that you are responsible for protecting the privacy of your data subjects and for complying with data protection laws. As data controller, you also have a duty to inform your data subjects of your processing activities.

If you are writing your thesis for a University project and are employed by the University while working on your thesis, the University will act as the data controller. If your thesis is commissioned by a company, the company will generally act as the data controller.

Factors that affect the assigning of responsibilities for processing personal data:

1. Are there one or more parties planning the research project and its purpose?

• The purposes and means of processing are solely determined by the data controller.
• In the case of joint controllers, the parties work together to determine the purposes for which and the means by which personal data is processed and are mutually responsible for GDPR compliance. As set out in Article 26 of the GDPR, joint controllers must in a transparent manner determine their respective responsibilities to ensure compliance with the obligations under the GDPR. The obligation to inform data subjects and the arrangements enabling data subjects to exercise their rights must be clearly described. The roles and responsibilities of each joint controller must be documented, and the information must be made available to data subjects.

2. Will the researcher carry out all processing activities or is it necessary to employ a third party to act as data processor?

• The data controller may purchase services related to data processing from a data processor. The data processor acts on behalf of and on the instructions of the data controller. The processor may only process personal data according to the instructions provided by the controller. The data controller determines the purposes and means of processing.
• As set out in the GDPR, the data controller and processor must sign a contract or other legal document that governs the processing activities. The contract or document must specify the scope and duration of processing activities, the nature and purpose of processing, the categories of personal data to be processed, the groups of data subjects, and the rights and responsibilities of the data controller. Article 28 of the GDPR sets out more detailed provisions on the responsibilities of the data controller and processor and the terms that must be included in the contract signed between the parties.

When personal data is processed for research purposes, the lawful basis for processing under the GDPR may be:

6.1 Voluntary, specific, informed and explicit consent provided by a data subject.

Please be aware that consent cannot be chosen as the lawful basis if the data subject is placed at a disadvantage, for example, because of an illness or disability, old age or if the data subject is a minor.

In a research context, consent is not necessarily connected to the lawful basis for processing. Consent may be related to:

• research ethics (such as consent to participate)
• interference with other rights (interference with the bodily integrity of data subjects by taking, for example, a blood test requires consent), or
• protection measures

6.2 Exercise of the legitimate interests of the data controller or a third party if it is possible based on a so-called balance test.

Based on the GDPR or national data protection laws, the lawful basis for processing may also be:

6.3 The data controller’s legal obligation.

For example, a data controller overseeing a clinical drug trial has a legal obligation to store specific data for a period of 25 years. The European Data Protection Board has issued a statement that discusses the lawful basis for processing activities performed in the context of clinical drug trials.

6.4 Tasks carried out by the data controller in the public interest.

Under the Data Protection Act (1050/2018), personal data may be processed for the purpose of historical and scientific research and for statistical purposes in the public interest if the processing is necessary and proportionate considering the goals that the processing seeks to achieve (4 §). The data controller has an obligation to demonstrate that the processing activities are necessary and proportionate. Special emphasis must be placed on data minimisation and the limitation of the data retention period.

Protect data from unauthorised access and use information systems approved by the university

Always protect personal data with at least a username and a password.

Make sure you have a lawful reason for transferring personal data outside the EU/EEA.

Research is often undertaken in collaboration with international partners, and it may be necessary to transfer personal data outside of Finland during a research project. Under data protection laws, personal data must remain protected when it is transferred to third countries. These requirements also apply to pseudonymised personal data.

Data protection laws strive to facilitate the transfer of personal data within the EU/EEA. Personal data may be transferred to EEA countries by following the same principles that apply to transfers inside Finland. Because the GDPR allows for some national leeway, you must remember that the regulations governing processing activities, the protection of personal data and the restrictions that apply to research may vary between EU/EEA countries. 

If you need to transfer personal data outside of the EEA, the processing must be lawful in Finland and the transfer of data must be carried out in compliance with the principles set out in the GDPR. The data controller must ensure that there is a lawful basis for the transfer, if personal data is transferred outside the EU/EEA during a research project.

It may be necessary to transfer data during a research project, if, for example, the project involves multiple partners from different countries, the research data can only be analysed in a different country, or the research data must be processed using a technical platform located in a different country.

Risk assessment

A concise assessment of risks associated with processing personal data must always be completed before processing personal data. This assessment will enable you to identify the level of risk and the measures you must take to ensure the secure processing of personal data. Tip: see the risk assessment guidelines on the website of the Office of the Data Protection Ombudsman.

Please be aware that you must complete a concise risk assessment before processing any personal data, not just special category data (=sensitive data).

The potential risks must be assessed from the perspective of your data subjects. Assess and record the following points in your risk assessment:

1. What freedoms and rights of data subjects could be at risk?
2. What damage could be incurred by data subjects from the processing of their personal data?
3. What measures can I take to eliminate or reduce the risks?

You can use the University’s risk assessment form (in the end of this page) to record your assessment. Attach this form to your project documents.

Personal data breaches can have a range of adverse effects on data subjects, such as loss of data or unauthorised disclosure of personal data.

The damages may be financial (such as fraud or identity theft), physical (such as violence or a threat thereof) or non-material (such as damage to reputation or loss of confidentiality of personal data). The level of risk depends on the likelihood and severity of the risk.

Source: Office of the Data Protection Ombudsman, accessed 13.5.2020

You can take a variety of organisational and technical measures to address the potential risks (such as access control, access authentication and encryption).

When you complete a risk assessment, you must also assess the level of risk that remains after you have implemented the necessary protection measures.

Data Protection Impact Assessment (DPIA)

If your concise risk assessment indicates that your processing activities are likely to result in a high risk to the rights and freedoms of data subjects, you will be required to carry out a DPIA.  Tip: see the impact assessment guidelines on the website of the Office of the Data Protection Ombudsman.

Please note that conducting a DPIA is also a legal requirement for certain specified types of processing. Go to the ombudsman’s website above and see the paragraph titled Impact assessment in the case of the processing scenarios specified in the General Data Protection Regulation.

If Tampere University acts as the data controller, you must contact the data protection officer (dpo [at] tuni.fi) before conducting a DPIA.

Documenting your risk assessment and DPIA

Both your concise risk assessment and DPIA (if one is required) must be documented.

There is no definitive template that you must follow when conducting your concise risk assessment. You can use your own template or, for example, record the process in your research plan, grant proposal or request for an ethical review. You can also use the University’s risk assessment template (in the end of this page). Attach the completed form to your project documents.

If a DPIA is required due to the high level of risk, you must use specific software to record your DPIA process. For this reason, you must always contact the data protection officer (dpo [at] tuni.fi) before conducting a DPIA.

Draw up a data processing agreement and/or data controller agreement if needed.

Draw up a privacy notice (template in the end of this page), which will be given to the informant together with an information sheet. Privacy notice may include sama information as the information sheet (see Data Management Guidelines, section Information layers). According to TAU's Data Protection Policy, the legal basis for processing personal data should primaly be scientific research within general interest.

• Document all processing activities and make sure to comply the data protection principles.
• Inform the research participants about all changes in processing activities and keep the documents updated.
• In the case the University acts as the data controller, save the documents (privacy notices, risk assessment, DPIA, agreements) in the university's records management system. You can send the documents to be saved in the university's generic email address tau [at] tuni.fi

Check before beginning your project that all necessary data protection issues have been noted.

Data processing agreement (DPA)

In the context of research, the word consent has three distinct meanings: 

a) consent to participate in non-medical research in compliance with ethical standards (see the guidelines provided by the Finnish National Board on Research Integrity TENK)

b) consent to participate in medical research (Finnish Medical Research Act, 6 §, 9.4.1999/488) 

c) consent as a lawful basis for processing personal data (the EU’s General Data Protection Regulation, article 6:1a).

Please be sure not to confuse informed consent to participate in a research study (items a and b above) with consent as a lawful basis for processing personal data. An informed consent form signed by research participants does not necessarily mean that consent is the lawful basis for processing their personal data. Instead of consent, it might be better to say that an individual agrees to participate in a research study, unless you will be carrying out medical research. Provisions governing informed consent in connection with medical research are set out in legislation. 

Consent is rarely used as a lawful basis for processing personal data while undertaking scientific research. In a research context, the lawful basis for personal data processing activities is usually public task. However, there are cases where consent is the only possible lawful basis, and then you must ensure that the provided consent meets the GDPR requirements. Relying on consent as a lawful basis for data processing is not without risks, because processing activities must be stopped if consent is withdrawn. The data collected about the individual may have to be destroyed if he or she withdraws consent.   

The transfer of personal data outside the European Economic Area (EEA) requires careful planning. 

The EU’s General Data Protection Regulation (GDPR) sets out provisions that govern the transfer and disclosure of personal data. Information about the different options for ensuring compliance with the data protection requirements when transferring personal data outside the EU/EEA is available on the European Commission’s website. Of all the transfer options, the two most common mechanisms are possible: an adequacy decision and standard contractual clauses.  

If a non-EU country (such as UK, Israel, Japan, New Zealand, Switzerland), a specific region or one or more sectors (such as commercial organisations in Canada) has been deemed by the European Commission to provide an adequate level of protection for personal data, no separate consent is required for the transfer. This is called an adequacy decision.    

The European Commission’s adequacy decisions are available here. 

If there is no adequacy decision, data may be transferred in compliance with the standard contractual clauses confirmed by the European Commission. There are different sets of standard contractual clauses depending on the receiver’s role: controller to controller, and controller to processor. The standard contractual clauses aim to ensure that appropriate safeguards are put in place to provide a similar level of protection for the personal data of European citizens when their data is processed outside the EU/EEA, regardless of the legislation of the recipient country. The standard contractual clauses must be included in the contract as they are without making any changes to the wording. The document that sets out the standard contractual clauses may only be changed by adding information that identifies the contracting parties or is provided in the appendices.

A decision taken by the Court of Justice of the European Union in July further highlights the necessity of assessing, together with the receiver, whether the standard contractual clauses are enough to provide an adequate level of protection for data in the non-EEA country under the GDPR.

Possible additional safeguards may include, for example, the pseudonymisation and the encryption of data. These mechanisms may be used in any case.

Instructions issued by the Data Protection Ombudsman are available here.

Transfer of personal data to the UK

The Commission has adopted an adequacy decision for the United Kingdom regarding its data protection. Personal data can thus be transferred to UK on the basis of this adequacy decision from 28th June, 2021 on. The decision is in force for four years.

More about the adequacy decision here.