The EU's General Data Protection Regulation and the Data Protection Act oblige thesis workers if personal data are processed in the course of their work.The processing of personal data and data protection are an essential part of data management. If personal data is processed in the thesis, the provisions of the EU General Data Protection Regulation (GDPR) and the Finnish Data Protection Act must be followed. Data protection legislation defines the conditions under which personal data can be processed.
The survey data itself may contain personal data, but personal data may also be contained in the documents needed to collect the data, such as the consent forms of the respondent. Please note that personal data may also be generated by a survey that is intended to be anonymous, if the survey is carried out using a web form that records, for example, the IP address of the respondent, or if the survey contains open-ended response options. Image and sound are also personal data.
Students are obliged to take care of data protection when working on their thesis. The thesis supervisor is responsible for advising the student on data protection issues.
It is therefore important to identify when personal data are processed in the thesis and what practices need to be followed.
The following issues and practices are central to the processing of personal data in a thesis:
The EU's General Data Protection Regulation defines personal data as any information by which an individual can be identified. Data are identifiable if they contain personal data that allow the identification of individuals.
Information that alone is sufficient to identify a person is referred to as direct identifiers. These include:
Strong implicit identifiers are any single piece of information that can reasonably be used to identify a person. Examples include:
Indirect identifiers are data that, on their own, are not sufficient to identify a person, but which combined can enable the identification of a person. Examples of indirect identifiers include:
Personal data belonging to special categories of personal data are at the heart of privacy, and the processing of special categories of personal data is governed by the Data Protection Act. In principle, special categories of personal data cannot be processed in theses.
Specific or sensitive information reveals the following about the person:
Specific personal data also include, for example, a person's involvement in substance abuse treatment or child protection, or information relating to criminal convictions.
If you process personal data in your thesis, someone is always responsible for it. The person responsible defines and instructs you on the purpose for which the personal data is needed, how it is collected and what data is needed for that purpose in general. This is the controller, who can be held liable if data protection legislation is breached at any stage of the development process.
Who is the controller of your thesis data?
|
The processing of personal data is only legitimate when it is necessary for the specified purpose and there is a processing ground for the processing of personal data. Before starting to collect personal data, the thesis plan and possible research questions must be reviewed and it must be ensured that all the data collected are necessary for the purpose of the thesis. Please note that the purpose of the use of personal data cannot be 'the thesis' but the objectives stated in the thesis plan, which will be achieved by collecting the personal data in question
The processing of personal data always requires a processing ground in accordance with Article 6 of the GDPR.
In thesis data, the processing ground is often the consent of the data subject.
For more information on the grounds for processing, please visit the website of the Office of the Data Protection Ombudsman:
Participants must be told clearly and understandably about the purpose of the thesis and their role in it. In addition to the research information sheet, the participant must be informed about how his or her personal data will be processed during the thesis. The processing of personal data is most commonly described in a privacy notice, which explains why and how personal data are processed. This will also include information on whether the data will be further used. It is also important to describe how individuals can exercise their rights in relation to their data, for example, where they can contact if they want to check what data has been collected about them.
You can use Laurea's privacy notice template for thesis, if needed. Laurea's thesis privacy statement template or explain the processing of personal data in another way that takes into account the target audience.
In addition to informed consent, the individual must be asked for consent to the processing of personal data where the processing of personal data is based on consent. Please note that these two types of consent have different meanings. If personal data are collected on the basis of consent in a thesis, the person has the right to request the erasure of his/her data based on consent.
Consents must always be verifiable and genuinely given voluntarily. Refusal to give consent must not be to the detriment of the subject.
You can make use of Laurea's consent form where appropriate.
Regardless of the type of personal data collected in a thesis, it is a good idea to assess the risks and precautions associated with the processing of personal data. Risks may arise, for example, in the event of accidental loss, disclosure to third parties or unauthorised use of personal data during or after writing the thesis. Disclosure or misuse of data can cause a person distress or embarrassment, sometimes even financial loss or loss of security. The risks may also have adverse effects on the data holder if it is found that the rights of the individual have been violated or data protection legislation has not been complied with.
As a general rule, theses cannot process high-risk data, such as sensitive personal data, data related to crime or personal data of vulnerable groups. However, in some cases, for example if a Master's thesis is carried out as part of a project cooperation, there may be a situation where the student processes such data. In these cases, the necessity and proportionality of the processing must be carefully assessed, ensuring that all data are strictly necessary for the purposes of the research and that alternative ways of processing the data are not feasible. In the same context, the risks arising from the processing of personal data and the measures taken to minimise the impact of the risks must be documented by assessing the likelihood of the risk and the severity of the impact and prioritising the measures according to the risk score. In such cases, a prior ethical review may also be necessary. Read more about ethical review.
Read more about the Data Protection Impact Assessment (DPIA) on the Office of the Data Protection Ombudsman's website.
Laurea-kirjasto | Saavutettavuusseloste | Laurea Library | Accessibility statement