Data protection in research
Data protection is the process of protecting personal data. Data protection is a fundamental right and safeguards the rights and freedoms of data subjects when their personal data is processed. Data processing laws set out the principles for the lawful processing of personal data. The processing of personal data must always be based on law.
Data protection path of research
The concept of personal data is expansive: according to the General Data Protection Regulation (GDPR), personal data refers to all information relating to an identified or identifiable natural person. Natural persons are considered identifiable if they can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, an opinion, a job title, image or audio, or one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity.
Note that interviews and survey responses may also include personal data if the respondent can be identified by direct reference to the responses, or by combining information from the responses or other available sources.
Special categories of data are those revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic or biometric data which are processed for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
- Also: personal data relating to criminal convictions and offences or related security measures
Processing personal data means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as
- adaptation or alteration,
- disclosure by transmission,
- dissemination or otherwise making available,
- alignment or combination,
- restriction, erasure or destruction
If you are processing personal data in connection with your study, you need to comply with the EU's General Data Protection Regulation (GDPR) and the Finnish Data Protection Act. These also need to be complied with if your data is likely to include personal data, even if the collection of personal data is not the primary purpose of your study.
Please use this form to check whether your research has all relevant documents:
More information about personal data and identifiable data is available in the Data Management Guidelines of the Finnish Social Science Data Archive.
The GDPR and national data protection legislation set principles for processing personal data. All processing is guided by the following principles:
- Lawfulness, fairness and transparency
Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject
- Purpose limitation
Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes
- Data minimisation
Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
- Accuracy
Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
- Storage limitation
Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject
- Integrity and confidentiality
Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
1. Define your research goal and the purpose for processing personal data
The purpose for processing personal data must be carefully planned and defined to meet the requirements under data protection laws. When you are processing personal data for research purposes, you must ensure that personal data is only collected for a specific, explicit and lawful purpose. Processing data later on for a purpose that is not compatible with the original purpose is not allowed. Please note that phrases such as “for purposes of future research” or “personal data may be used for research purposes” are not clear enough to identify the purpose of processing personal data.
The purpose for processing personal data is usually defined in the research plan, which identifies, for example, the research goals, data and methods. The research plan must also list the categories of personal data that must be collected to carry out the study and indicate why they are necessary.
2. Define the personal data to be collected and the sources of personal data
The categories of personal data include, for example, name, personal identity number, place of residence, profession, genome and voice.
The sources of data include, for example, the data subject, customer records, tissue samples and photos.
3. Minimise the amount of personal data to be processed
You may only process personal data for research purposes if your research cannot be carried out using anonymised data. You must limit your processing to data that is absolutely necessary for carrying out your research. The data protection regulations apply to all data about identified or identifiable natural persons.
The necessity of collecting personal data for research purposes must be assessed as early as possible before your project begins. You must attempt to minimise the amount of personal data to be processed. You may only process personal data that is necessary to fulfil the original purpose. Besides the amount of personal data, you must also consider the categories of personal data that you will be processing.
You can limit the risks associated with processing by minimising the amount of personal data to be processed, for example, by using pseudonymised or anonymised personal data.
Anonymisation means that the re-identification of the data subject is irreversibly and effectively prevented. When considering whether your data subjects can be re-identified, you must consider whether a third party could have access to data that would allow that party to convert the anonymised data into an identifiable form. A simple removal of names and other identifiers will not always render data anonymous.
Pseudonymisation refers to the processing of personal data in such a manner that the personal data can no longer be attributed to a specific person without the use of additional information. Such additional information must be kept carefully separate from personal data.
You must anonymise or pseudonymise the data as soon as possible, for example, after combining your data. Personal data may only be processed when it is not possible to fulfil the purpose of processing (such as research) in any other way.
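The difference between removing names, pseudonymising and reducing re-identification risk, shown as an added Python example that is not part of the original guidance. The field names, the sample rows, the use of HMAC-SHA256 as the pseudonymisation function and the generalisation rules are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample survey responses (illustrative, not real data).
RESPONSES = [
    {"name": "Respondent A", "email": "a@example.org", "postcode": "33100",
     "birth_year": 1984, "job_title": "Nurse", "answer": 4},
    {"name": "Respondent B", "email": "b@example.org", "postcode": "33100",
     "birth_year": 1986, "job_title": "Teacher", "answer": 2},
    {"name": "Respondent C", "email": "c@example.org", "postcode": "33720",
     "birth_year": 1981, "job_title": "Nurse", "answer": 5},
    {"name": "Respondent D", "email": "d@example.org", "postcode": "33720",
     "birth_year": 1989, "job_title": "Professor", "answer": 3},
    {"name": "Respondent E", "email": "e@example.org", "postcode": "33100",
     "birth_year": 1992, "job_title": "Student", "answer": 1},
    {"name": "Respondent F", "email": "f@example.org", "postcode": "33720",
     "birth_year": 1995, "job_title": "Student", "answer": 4},
]

DIRECT_IDENTIFIERS = ("name", "email")
QUASI_IDENTIFIERS = ("postcode", "birth_year", "job_title")


def new_key() -> bytes:
    """Secret key; store it apart from the research data, under its own access control."""
    return secrets.token_bytes(32)


def pseudonym(key: bytes, identifier: str) -> str:
    """Keyed hash: stable for one key, but not recomputable by someone who
    only knows the identifier (an unkeyed hash of an e-mail address could be
    reversed by hashing candidate addresses)."""
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise(rows, key, id_field="email"):
    """Split rows into research data (no direct identifiers) and a linkage
    table. The linkage table and key are the 'additional information' that
    must be kept separately; the research rows remain personal data."""
    research, linkage = [], {}
    for row in rows:
        pid = pseudonym(key, row[id_field])
        linkage[pid] = {f: row[f] for f in DIRECT_IDENTIFIERS}
        clean = {k: v for k, v in row.items() if k not in DIRECT_IDENTIFIERS}
        clean["pid"] = pid
        research.append(clean)
    return research, linkage


def smallest_group(rows, fields=QUASI_IDENTIFIERS) -> int:
    """Size of the smallest group of rows sharing the same values in `fields`
    (the k of k-anonymity). k == 1 means at least one respondent is unique on
    that combination and could be singled out with outside information."""
    counts = Counter(tuple(r[f] for f in fields) for r in rows)
    return min(counts.values())


def generalise(row):
    """Coarsen quasi-identifiers: postcode area, birth decade, no job title."""
    out = {k: v for k, v in row.items() if k != "job_title"}
    out["postcode"] = row["postcode"][:2] + "xxx"
    out["birth_year"] = f"{row['birth_year'] // 10 * 10}s"
    return out


if __name__ == "__main__":
    key = new_key()
    research, linkage = pseudonymise(RESPONSES, key)
    print("k with names removed:", smallest_group(research))
    coarse = [generalise(r) for r in research]
    print("k after generalisation:",
          smallest_group(coarse, ("postcode", "birth_year")))
```

A larger k lowers the risk of singling out a respondent but does not by itself make the data anonymous; that still depends on what other data a third party could combine with it.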
Data undergoes a sequence of stages from its initial collection to deletion at the end of its useful life. Your research plan should define whether your project is a one-off study or a longitudinal study necessitating a longer retention period.
The data controller must specify the retention periods of personal data. Data should not be held for longer than is necessary and should not be kept just in case you need it in the future.
When planning a research project, consider the following questions:
- How long will I need to process personal data for actual research purposes?
- How long must I retain the data after completing the project, for example, to verify the results?
- What will I do to my research data after I no longer need to retain the data for research purposes?
If it is not possible to set a specific deadline, the retention period must be otherwise defined in a measurable way (e.g. by defining the cohort and follow-up time in detail).
At the end of your research, erase, anonymise or archive your data.
A research project may involve a number of partners with different roles, such as one or more research institutions, principal investigator, customer, researcher, and other staff members who carry out the actual processing activities. The roles of different stakeholders and the responsibilities of the data controller must be clearly defined before research begins.
The data controller is the individual, company, public authority or community that determines the purposes and means of the processing of personal data. The data controller is responsible for compliance with data protection laws throughout the data lifecycle. The role of data controller is assigned to impose the responsibility for GDPR compliance on the party that has the power to influence processing activities.
If you are independently working on a thesis, you will act as the data controller. This means that you are responsible for protecting the privacy of your data subjects and for complying with data protection laws. As data controller, you also have a duty to inform your data subjects of your processing activities.
If you are writing your thesis for a University project and are employed by the University while working on your thesis, the University will act as the data controller. If your thesis is commissioned by a company, the company will generally act as the data controller.
Factors that affect the assigning of responsibilities for processing personal data:
1. Are there one or more parties planning the research project and its purpose?
- The purposes and means of processing are solely determined by the data controller.
- In the case of joint controllers, the parties work together to determine the purposes for which and the means by which personal data is processed and are mutually responsible for GDPR compliance. As set out in Article 26 of the GDPR, joint controllers must in a transparent manner determine their respective responsibilities to ensure compliance with the obligations under the GDPR. The obligation to inform data subjects and the arrangements enabling data subjects to exercise their rights must be clearly described. The roles and responsibilities of each joint controller must be documented, and the information must be made available to data subjects.
2. Will the researcher carry out all processing activities or is it necessary to employ a third party to act as data processor?
- The data controller may purchase services related to data processing from a data processor. The data processor acts on behalf of and on the instructions of the data controller. The processor may only process personal data according to the instructions provided by the controller. The data controller determines the purposes and means of processing.
- As set out in the GDPR, the data controller and processor must sign a contract or other legal document that governs the processing activities. The contract or document must specify the scope and duration of processing activities, the nature and purpose of processing, the categories of personal data to be processed, the groups of data subjects, and the rights and responsibilities of the data controller. Article 28 of the GDPR sets out more detailed provisions on the responsibilities of the data controller and processor and the terms that must be included in the contract signed between the parties.
When personal data is processed for research purposes, the lawful basis for processing under the GDPR may be:
6.1 Voluntary, specific, informed and explicit consent provided by a data subject.
Please be aware that consent cannot be chosen as the lawful basis if the data subject is placed at a disadvantage, for example, because of an illness or disability, old age or if the data subject is a minor.
In a research context, consent is not necessarily connected to the lawful basis for processing. Consent may be related to:
- research ethics (such as consent to participate)
- interference with other rights (interference with the bodily integrity of data subjects by taking, for example, a blood test requires consent), or
- protection measures
6.2 Exercise of the legitimate interests of the data controller or a third party if it is possible based on a so-called balance test.
Based on the GDPR or national data protection laws, the lawful basis for processing may also be:
6.3 The data controller’s legal obligation.
For example, a data controller overseeing a clinical drug trial has a legal obligation to store specific data for a period of 25 years. The European Data Protection Board has issued a statement that discusses the lawful basis for processing activities performed in the context of clinical drug trials.
6.4 Tasks carried out by the data controller in the public interest.
Under the Data Protection Act (1050/2018), personal data may be processed for the purpose of historical and scientific research and for statistical purposes in the public interest if the processing is necessary and proportionate considering the goals that the processing seeks to achieve (4 §). The data controller has an obligation to demonstrate that the processing activities are necessary and proportionate. Special emphasis must be placed on data minimisation and the limitation of the data retention period.
Protect data from unauthorised access and use information systems approved by the university
Always protect personal data with at least a username and a password.
Make sure you have a lawful reason for transferring personal data outside the EU/EEA.
Research is often undertaken in collaboration with international partners, and it may be necessary to transfer personal data outside of Finland during a research project. Under data protection laws, personal data must remain protected when it is transferred to third countries. These requirements also apply to pseudonymised personal data.
Data protection laws strive to facilitate the transfer of personal data within the EU/EEA. Personal data may be transferred to EEA countries by following the same principles that apply to transfers inside Finland. Because the GDPR allows for some national leeway, you must remember that the regulations governing processing activities, the protection of personal data and the restrictions that apply to research may vary between EU/EEA countries.
If you need to transfer personal data outside of the EEA, the processing must be lawful in Finland and the transfer of data must be carried out in compliance with the principles set out in the GDPR. The data controller must ensure that there is a lawful basis for the transfer, if personal data is transferred outside the EU/EEA during a research project.
It may be necessary to transfer data during a research project, if, for example, the project involves multiple partners from different countries, the research data can only be analysed in a different country, or the research data must be processed using a technical platform located in a different country.
A concise assessment of risks associated with processing personal data must always be completed before processing personal data. This assessment will enable you to identify the level of risk and the measures you must take to ensure the secure processing of personal data. Tip: see the risk assessment guidelines on the website of the Office of the Data Protection Ombudsman.
Please be aware that you must complete a concise risk assessment before processing any personal data, not just special category data (=sensitive data).
The potential risks must be assessed from the perspective of your data subjects. Assess and record the following points in your risk assessment:
- What freedoms and rights of data subjects could be at risk?
- What damage could be incurred by data subjects from the processing of their personal data?
- What measures can I take to eliminate or reduce the risks?
You can use the University’s risk assessment form (at the end of this page) to record your assessment. Attach this form to your project documents.
Personal data breaches can have a range of adverse effects on data subjects, such as loss of data or unauthorised disclosure of personal data.
The damages may be financial (such as fraud or identity theft), physical (such as violence or a threat thereof) or non-material (such as damage to reputation or loss of confidentiality of personal data). The level of risk depends on the likelihood and severity of the risk.
Source: Office of the Data Protection Ombudsman, accessed 13.5.2020
You can take a variety of organisational and technical measures to address the potential risks (such as access control, access authentication and encryption).
When you complete a risk assessment, you must also assess the level of risk that remains after you have implemented the necessary protection measures.
Data Protection Impact Assessment (DPIA)
If your concise risk assessment indicates that your processing activities are likely to result in a high risk to the rights and freedoms of data subjects, you will be required to carry out a DPIA. Tip: see the impact assessment guidelines on the website of the Office of the Data Protection Ombudsman.
Please note that conducting a DPIA is also a legal requirement for certain specified types of processing. Go to the ombudsman’s website above and see the paragraph titled Impact assessment in the case of the processing scenarios specified in the General Data Protection Regulation.
If Tampere University acts as the data controller, you must contact the data protection officer (dpo [at] tuni.fi) before conducting a DPIA.
Documenting your risk assessment and DPIA
Both your concise risk assessment and DPIA (if one is required) must be documented.
There is no definitive template that you must follow when conducting your concise risk assessment. You can use your own template or, for example, record the process in your research plan, grant proposal or request for an ethical review. You can also use the University’s risk assessment template (at the end of this page). Attach the completed form to your project documents.
If a DPIA is required due to the high level of risk, you must use specific software to record your DPIA process. For this reason, you must always contact the data protection officer (dpo [at] tuni.fi) before conducting a DPIA.
Draw up a data processing agreement and/or data controller agreement if needed.
In order to inform the research subjects, a privacy notice is drawn up, which is brought to the research subject's attention in connection with the information sheet. In the information sheet you can mention from whom the privacy notice can be obtained upon request. The privacy notice of a project is published on the website of the project, if one has been created. Otherwise, the privacy notice is kept in the possession of the person responsible for the project and it is delivered, for example, by e-mail to the requester.
Draw up a privacy notice (template at the end of this page), which will be given to the informant together with an information sheet. The privacy notice may include the same information as the information sheet (see Data Management Guidelines, section Information layers). According to TAU's Data Protection Policy, the legal basis for processing personal data should primarily be scientific research in the general interest.
When the data are collected from public sources, the privacy notice and a short information sheet about the research are to be published either on the website of the research group or on the website of the data protection team.
- Document all processing activities and make sure to comply with the data protection principles.
- Inform the research participants about all changes in processing activities and keep the documents updated.
- If the University acts as the data controller, save the documents (privacy notices, DPIA, agreements) in the university's records management system.
Check before beginning your project that all necessary data protection issues have been noted.
Frequently asked questions
In the context of research, the word consent has three distinct meanings:
a) consent to participate in non-medical research in compliance with ethical standards
b) consent to participate in medical research (Finnish Medical Research Act, 6 §, 9.4.1999/488)
c) consent as a lawful basis for processing personal data (the EU’s General Data Protection Regulation, article 6:1a).
Please be sure not to confuse informed consent to participate in a research study (items a and b above) with consent as a lawful basis for processing personal data. An informed consent form signed by research participants does not necessarily mean that consent is the lawful basis for processing their personal data. Instead of consent, it might be better to say that an individual agrees to participate in a research study, unless you will be carrying out medical research. Provisions governing informed consent in connection with medical research are set out in legislation.
Consent is rarely used as a lawful basis for processing personal data while undertaking scientific research. In a research context, the lawful basis for personal data processing activities is usually public interest. However, there are cases where consent is the only possible lawful basis, and then you must ensure that the provided consent meets the GDPR requirements. Relying on consent as a lawful basis for data processing is not without risks, because processing activities must be stopped if consent is withdrawn. The data collected about the individual may have to be destroyed if he or she withdraws consent.
When the research meets the criteria for scientific research, the legal basis under the Data Protection Regulation for processing personal data must be Article 6 (1) (e) and Section 4 of the Data Protection Act, which state that the processing of personal data is necessary for scientific research in the public interest.
In this case, if the data subject withdraws his or her consent to participate in the study, it is not necessary to delete the personal data already collected from the study material. The collection of new personal data after the withdrawal of the consent to participate is not permitted.
The transfer of personal data outside the European Economic Area (EEA) requires careful planning.
The General Data Protection Regulation (GDPR) sets out provisions that govern the transfer and disclosure of personal data. Information about the different options for ensuring compliance with the data protection requirements when transferring personal data outside the EU/EEA is available on the European Commission’s website. Of all the transfer options, the two most common mechanisms are an adequacy decision and standard contractual clauses.
If a non-EU country (such as the UK, Israel, Japan, New Zealand, Switzerland), a specific region or one or more sectors (such as commercial organisations in Canada) has been deemed by the European Commission to provide an adequate level of protection for personal data, no separate consent is required for the transfer. This is called an adequacy decision.
The European Commission’s adequacy decisions are available here.
If there is no adequacy decision, data may be transferred in compliance with the standard contractual clauses confirmed by the European Commission. There are different sets of standard contractual clauses depending on the receiver’s role: controller to controller, and controller to processor. The standard contractual clauses aim to ensure that appropriate safeguards are put in place to provide a similar level of protection for the personal data of European citizens when their data is processed outside the EU/EEA, regardless of the legislation of the recipient country. The standard contractual clauses must be included in the contract as they are without making any changes to the wording. The document that sets out the standard contractual clauses may only be changed by adding information that identifies the contracting parties or is provided in the appendices.
A decision taken by the Court of Justice of the European Union in July further highlights the necessity of assessing, together with the receiver, whether the standard contractual clauses are enough to provide an adequate level of protection for data in the non-EEA country under the GDPR.
Possible additional safeguards may include, for example, the pseudonymisation and the encryption of data. Instructions issued by the Data Protection Ombudsman are available here.
Transfer of personal data to the UK
The Commission has adopted an adequacy decision for the United Kingdom regarding its data protection. Personal data can thus be transferred to the UK on the basis of this adequacy decision from 28th June 2021 onwards. More about the adequacy decision here.
GDPR requirements when writing a master’s thesis
Students can utilise data stored in different registers in the course of their master’s thesis project in compliance with the General Data Protection Regulation as long as the following requirements are met:
- Students possess sufficient data protection skills.
- There is a lawful basis for processing personal data.
- The research plan has been approved.
Sufficient data protection skills
When students process personal data in the course of writing their thesis, they are responsible for ensuring that personal data is processed lawfully. Tampere University recommends refusing a research plan that entails the processing of personal data, unless a student demonstrates sufficient knowledge of the regulations governing the processing of the types of personal data described in the research plan.
Personal data may only be processed for specified, explicit and legitimate purposes. The lawful basis for processing personal data must always be discussed with students before they begin to collect or otherwise process personal data. The principal investigator or supervisor of a thesis project should discuss the purpose, scope and manner of processing activities with the student in advance to assess the student’s ability to process personal data in compliance with the GDPR. This discussion must be documented.
Students may be required to take part in data protection training before they begin to process personal data or receive permission to undertake their study.
Lawful basis for processing (GDPR, Article 6)
There must always be a lawful basis for processing personal data. When conducting a register-based study, the lawful basis for processing can generally be either scientific research in the public interest or legitimate interests of the data controller or a third party. A balancing test must be carried out if legitimate interest is identified as the lawful basis for processing personal data.
Students must first consult with their supervisor to assess whether their proposed master’s thesis meets the criteria for scientific research. The characteristics of scientific research include, among other things, an appropriate research plan, sufficient scientific qualifications of the project staff, the requirements of autonomy and openness, and the main scientific goals of the study. For example, if a thesis is made up of articles that are intended to be published in peer-reviewed publications, the purpose of processing may be scientific research in the public interest.
Notes must be taken during the meeting where the student and supervisor discuss whether the proposed thesis meets the criteria for scientific research. These notes must be appended to the research plan and privacy notice.
If the thesis supervisor and student conclude that the proposed thesis meets the criteria for scientific research, the purpose of processing may be scientific research in the public interest. As a rule, Tampere University will then act as the data controller during the thesis project.
If the supervisor and student conclude that the thesis does not meet all the criteria for scientific research, the lawful basis for processing personal data may be the legitimate interests of the data controller or a third party.
Please be aware that if you choose to rely on legitimate interests as the lawful basis for processing personal data, you are taking on extra responsibility for considering and protecting the rights and freedoms of the people whose data you are processing. Data subjects’ personal data may not be processed if their rights and interests override the interests of the data controller or a third party.
A so-called balancing test is carried out to determine whether the interests of the data controller or a third party are legitimate. The balancing test weighs the interests of the controller or a third party against the interests and fundamental rights of data subjects. A document describing the results of the balancing test must be stored in the University’s records management system alongside the research plan and privacy notice (tau [at] tuni.fi).
Approved research plan
The stage of a student’s studies will be considered when assessing the types of personal data that the student can process and whether processing is necessary to carry out the thesis project.
The notes taken during the meeting where the student and supervisor discuss whether the proposed thesis meets the criteria for scientific research as well as a document confirming that the research plan has been approved must be appended to the request for permission to conduct the study. The research plan must answer the following questions: What is the purpose of processing personal data? How will personal data be collected? Where and how will personal data be stored? How long will personal data be kept? How will personal data be securely destroyed or archived?
If the criteria listed above are met, Tampere University can act as the data controller for personal data processed during a master’s thesis project.
When a medical student completes a thesis as part of a larger research group, the controller of that study is determined according to the main study. The student cannot be an independent controller of that study register, because the purposes and means of processing the personal data of the research have been defined by the principal investigator of the research group.
Bachelor’s theses do not generally meet the criteria for scientific research. This means that the lawful basis for processing personal data in the course of writing a bachelor’s thesis cannot be scientific research in the public interest.
A bachelor’s thesis may be based on surveys, interviews or observational research, in which case consent can be identified as the lawful basis for processing personal data. As a rule, students act as data controllers when they are working on their bachelor’s thesis.
Data protection officer: dpo [at] tuni.fi