Instructions for students concerning data protection
General data protection guidelines for students working on their thesis
University students may process personal data, for example, when working on their thesis or other assignments. The purpose of these guidelines is to ensure that students who process personal data are fully aware of data protection principles and their roles and responsibilities in protecting the privacy of data subjects.
The University is responsible for data protection relating to its educational information systems and processes. However, all members of the Tampere Universities community are required to become familiar with the University’s data protection policy before starting or continuing processing activities. All the members of our community have an obligation to comply with data protection laws and the University’s policy and regulations governing data protection and information security.
These guidelines supplement the University’s data protection policy and other related regulations.
Thesis writers as data controllers
The role of data controller is assigned based on who determines the purposes for which and the manner in which personal data is processed. If you are independently working on a thesis or other assignment, you will act as the data controller. This means that you are responsible for protecting the privacy of your data subjects and for complying with data protection laws. As data controller, you also have a duty to inform your data subjects of your processing activities. Please contact the faculty member supervising your thesis or other assignment with questions about processing personal data.
If you are writing your thesis for a University project and are employed by the University while working on your thesis, the University will act as the data controller. If your thesis is commissioned by a company, the company will generally act as the data controller.
You must describe your processing activities in your research plan.
You must agree on processing activities with the PI of your thesis research, your thesis supervisor (or your teacher if you are working on a regular student assignment) before you start collecting or processing personal data. If you will process personal data while working on your thesis, you must describe the purpose, scope and nature of your processing activities in your research plan.
Lawful basis for processing data when conducting thesis research
As BSc and MSc students working on their thesis are still learning how to conduct research, the purpose of processing personal data is usually thesis research and the lawful basis for processing is consent.
If the thesis supervisor and student agree that the thesis meets the criteria for scientific research, the purpose of processing activities may also be scientific research in the public interest. The criteria for scientific research include, among other things, that the results are released into the public domain and evaluated by the scientific community, the research complies with the principles of scientific autonomy, and the researcher is sufficiently qualified to undertake scientific research. For example, if a thesis is made up of articles that are intended to be published in peer-reviewed publications, the purpose of processing may be scientific research in the public interest.
As thesis research may be carried out as part of a more large-scale University-led project, the lawful basis for processing may also be scientific research in the public interest. When the University carries out research projects, the University is generally designated as the data controller.
Prepare a detailed plan of your processing activities as early as possible. If you will collect personal data as part of your thesis, include the plan describing your processing activities in your research plan. Consider at least the following questions:
- What is my purpose for collecting personal data?
- What is the minimum amount of personal data I need to fulfil my purpose (minimisation principle)?
- How will I collect personal data?
- Where and how will I store personal data?
- How long will have to retain personal data?
- How will I securely dispose of or archive my data?
You must agree on the processing of personal data with your PI, primary thesis supervisor (or teacher in case of other assignments) before starting to process (such as collect) personal data.
After receiving consent, collect personal data as set out in your research plan:
You must draw up a privacy notice and, if necessary, a participant information sheet and consent form before starting to collect personal data.
If you are conducting a survey, you may only use the University-designated electronic survey tools. The preferred tools are O365 Forms and LimeSurvey. If possible, offer your respondents the opportunity to answer your survey anonymously. If possible, do not send a link to your survey directly to individual people. Even when creating a mailing list, you are processing personal data. The recommended approach is to send a link to your survey to the generic email address of your target organisation or target group to be forwarded to prospective respondents.
Carry out your research as described in your plan:
You must always anonymise personal data before processing the data if knowing the identity of the data subject is not necessary for your study.
Make sure that no individual person can be identified in your thesis without his or her consent.