The processing of personal data and data protection are a key part of data management.
If personal data is included in the project data, the project must comply with the EU General Data Protection Regulation (GDPR) and the Finnish Data Protection Act. The data protection legislation defines the conditions under which personal data can be processed.
Therefore, it is important to identify when personal data is processed and what practices need to be followed.
The following issues and practices are key to the processing of personal data in the project:
According to the definition of the EU General Data Protection Regulation, personal data is any information by which an individual can be identified. Data is identifiable if it contains, for example, contact details of the subjects, recorded interviews or photographs taken at an event. A questionnaire may also contain personal data if the data can be combined to identify the person answering the questionnaire or a third party.
Direct identifiers
Information that is sufficient on its own to identify a person is referred to as direct identifiers. These include, but are not limited to:
Strong indirect identifiers
Strong implicit identifiers are any single piece of information that allows a person to be identified with reasonable ease. Examples include:
Indirect indentifiers
Indirect identifiers are data which, on their own, are not sufficient to identify a person, but which, when combined, can enable the identification of a person. Examples of indirect identifiers include:
Special categories of personal data
Personal data belonging to special categories of personal data are at the core of privacy and therefore, in principle, their processing is prohibited. The processing of special categories of personal data is specifically regulated in the Data Protection Act.
Special or sensitive data are those which reveal the identity of a person:
Before you start collecting data and personal information, please clarify the following points and describe them in the project's privacy notice.
There must always be a legal basis for the processing of personal data in accordance with the GDPR. Article 6 of the GDPR lists six different grounds for processing personal data. One of them must always be met. The most common grounds for processing in research projects are consent and public interest.
For non-scientific research projects, as well as for academic theses, the most common ground is the voluntary consent of the individual to the processing of his/her personal data for the purposes of the research design. Consent must be recorded and revocable, in which case the personal data based on consent must be deleted.
For scientific research in higher education, the processing of personal data may also be based on a public interest in accordance with the research plan of the project. In such cases, personal data may be collected without the individual's explicit consent to the processing of his or her data. If the research project involves the participation of actors with commercial purposes, the applicability of the public interest criterion must be assessed on a case-by-case basis, in particular from the point of view of the publicity, objectivity and autonomy of the research.
Find out more about the processing grounds under the General Data Protection Regulation
When collecting personal data for a project, it must be determined who is responsible for the processing of personal data and the methods of protection for the research project. This is the controller, who is responsible for ensuring that the processing of personal data is lawful.
In general, the data controller for a project is the organisation responsible for collecting the data for the project. As a general rule, the controller is therefore the person responsible for the project as a whole.
Joint controllership is also possible if the actors in the joint project define the purposes and the methods of processing of the personal data they will jointly process for the purposes of the study. In this case, a joint controller agreement must be concluded, setting out in detail the tasks and responsibilities for the processing of personal data.
The processing of personal data is only legitimate when it is necessary for a specific purpose and there is a processing ground for the processing of personal data. Before starting to collect personal data, it is necessary to go through the research design and possible research questions and to ensure that all data collected are necessary for the purpose of the research.
So why is the personal data needed for the purpose of the research in question?
Personal data may be obtained directly from the individuals themselves or, where justified, from other personal data files. According to the GDPR, the personal data collected must be adequate, relevant and limited to what is necessary for the purpose of the processing.
On the basis of data minimisation, only personal data that are relevant for the purpose of the research should be collected. Thus, it must be considered in advance whether the personal data are necessary or whether they can be omitted altogether.
It is also important to determine how long the personal data will be needed and, if necessary, to consider how to pseudonymise (code) or anonymise the personal data during the data analysis phase. It is also necessary to define how and at what point the personal data will be finally destroyed when they are no longer needed for any purpose.
Individuals have rights to, among other things, access their personal data and ask for it to be corrected if necessary. Their rights also vary depending on how the personal data was collected and on what legal basis.
The exercise of data subjects' rights must be considered separately in situations where the data have been collected from the individuals themselves or obtained from other registers for a research project. Similarly, a process should be established for cases where an individual withdraws consent to the processing of their personal data. There should also be an agreed contact point for individuals who wish to exercise their rights.
Participants must be informed in a clear and understandable way about the research and their involvement in it. In addition to the research information sheet, the subject must be informed of how his/her personal data will be processed during the research project. The processing of personal data is most commonly described in a privacy notice, which explains why and how personal data will be processed during the research project. It also explains if the research data will be further used or stored in a data archive after the project. It is also important to describe how individuals can exercise their rights in relation to their data, for example, where they can contact if they want to check what data has been collected about them.
If necessary, make use of Laurea's Research Information Sheet and use Laurea's Data Privacy Notice Sheet for projects, which can be customised to suit the target group or electronic format if necessary.
In addition to informed consent, you must be asked for your consent to the processing of your personal data where the processing is based on consent. Please note that the two types of consent have different meanings.
If the research project collects personal data on the basis of consent, the individual has the right to request the erasure of their data on the basis of consent if they decide to discontinue their participation in the research. If, on the other hand, the processing of personal data is based, for example, on scientific research in the public interest, there is no need to delete previously provided data, even if the person stops the research.
Consent must always be verifiable and genuinely given on a voluntary basis. Refusal to give consent must not be to the detriment of the data subject.
If necessary, make use of the Laurea consent form.
Regardless of the type of personal data collected in a project, it is a good idea to assess the risks associated with the processing of personal data as part of other risk management. Risks may arise, for example, in the event of accidental loss, disclosure to third parties or unauthorised use of personal data during or after the project. The misuse of personal data may cause distress or embarrassment, sometimes even financial loss or loss of security. The risks may also have adverse effects on the controller if it is discovered that the rights of the individual have been violated or data protection legislation has not been complied with.
Where sensitive personal data, data relating to criminal offences, personal data of vulnerable groups or other high-risk data are processed in the course of the research, the necessity and proportionality of the processing must be assessed, ensuring that all data are strictly necessary for the purposes of the research and that alternative ways of collecting the data are not feasible. In this context, the risks arising from the processing of personal data and the measures taken to minimise the impact of the risks must be documented.
In such cases, a prior ethical review may also be necessary. Read more about ethical prior checking.
Laurea-kirjasto | Saavutettavuusseloste | Laurea Library | Accessibility statement