Personal data are any information relating to an identified or identifiable natural person and encompass all data from which a natural person can be identified either directly or indirectly.
Direct identifiers are information that is sufficient on its own to identify a natural person. Examples are a person’s name, personal identity code, address, email address, telephone numbers, username, user-id, facial image (e.g. profile picture, video footage showing the face), voice pattern, fingerprint, and manual signature.
Indirect identifiers include gender, age, education, professional status, nationality, location data, career history, system log data, marital status, and vehicle registration number.
Some types of information are identified as strong indirect identifiers. See the list of strong indirect identifiers in Anonymisation and Personal Data by the Finnish Social Science Data Archive (FSD).
Sensitive personal data are special categories of personal data and classified as being on the increased information security level (See “Instructions for handling and storing data and documents on different information security levels” in Information Management at Hanken). The following categories are classified as sensitive personal data by the General Data Protection Regulation of the European Union (GDPR, Art. 9 (1), Art. 10): racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, data concerning a natural person’s sex life or sexual orientation, or data relating to criminal convictions and offences, or related security measures.
If you are collecting any information from individuals or about individuals (e.g., consumers, company managers), assume that it is personal data. Pseudonymised data are also personal data.
For more information about what constitutes personal data, see What is personal data? by the Office of the Data Protection Ombudsman.
Here is one example of the situations where data are not adequately protected: University failed to sufficiently protect sensitive personal data.
If you are processing personal data, follow the procedures below to maintain high ethical standards and comply with relevant legislation and regulations:
(1) Before data collection (during research planning phase)
1. Plan what data you need and implement data minimization and privacy by default principles
Define the objectives of your study and the clear, specified need for collecting personal data. Collect only the minimum amount of personal data necessary and proportionate to accomplish the tasks of the study. Personal data should not be collected just in case they might be useful in the future.
Conduct a data minimisation review for the whole process of data management, including defining the amount of personal data collected, the extent to which they may be accessed, further processed and shared, the purposes for which they are used, and the period for which they are kept.
2. Write and update a data management plan (DMP)
A DMP is a formal document that describes what research data will be handled, and how, during and after the research project, and elaborates the key measures for ethical and legal compliance, as well as for FAIR data production.
Researchers can use Hanken’s DMP template or other Public DMP templates (with Hanken’s DMP guidance integrated) in DMPTuuli to write and update a DMP. See DMPTuuli with Hanken's DMP guidance and DMP template in the LibGuide on Research data management (RDM).
The DMP you create with DMPTuuli serves at the same time as a Record of Data Processing Activities, which you can share with participants/subjects/respondents of your research.
Send the whole DMP or the parts on data protection to Hanken’s Data Protection Officer (DPO, email@example.com). In Hanken’s and Academy of Finland's DMP templates, the sections 1.1 on data description, 2.1 on ethical compliance, 4.1 on data storage and backup, 4.2 on access control, and 5.1 on open and archiving data have content related to data protection.
3. Evaluate risks to data subjects
3.1 Get ethical advice and ethical review when needed
If sensitive personal data are processed in the research project, researchers can contact Hanken’s Research Integrity Advisor (firstname.lastname@example.org) for advice and the Data Protection Officer (DPO, email@example.com) for guidance.
If your study is one of the six types described in Ethical review, fill in the e-form Request for an ethical review for an empirical study and submit it to Hanken’s Research Ethics Committee. Submit your data management plan (DMP) as an attachment to the request for ethical review. Indicate the date in the DMP when a request for ethical review was submitted to Hanken’s Research Ethics Committee.
3.2 Carry out a data protection impact assessment (DPIA) when needed
A data protection impact assessment (DPIA) must be done if the planned personal data processing is likely to pose a substantial risk to research participants. This situation is likely to occur when you process large amounts of data, personal data of children under the age of 15, or sensitive personal data.
A data protection impact assessment (DPIA) should be performed by consulting Hanken’s Data Protection Officer (DPO, firstname.lastname@example.org). A DPIA should describe the nature, scope, context and purposes of data processing, identify and assess risks to data subjects, and define adequate additional measures to mitigate the risks. In the DPIA, you identify the need for a DPIA, describe the nature of data and data processing including data collection, analysis, storage and disposal, specify how much data will be collected and processed, what types of processing might involve risks, the sources of risk and nature of potential impact on data subjects, and identify additional measures to reduce or eliminate the risks identified as medium or high ones.
Collecting any sensitive personal data such as health-related information needs explicit consent from the data subjects. Processing such personal raw data should be proportionate to the research aim pursued and respect the essence of the right to data protection. The data are to be protected with encryption and strict access control.
(2) Data collection and analysis (during active research phase)
4. Clarify the legal basis for processing personal data and inform your research participants
Justify why you have the right to collect, handle, and preserve personal data. A basic principle regarding the collection and storage of personal data is the need for personal data in a study (scientific research carried out in the public interest as defined in the Finnish Data Protection Act).
In addition, researchers shall ask for informed consent of the research participants. Basically, there are two situations when collecting personal data:
This applies when you collect secondary data from online forum/social media and you need to ensure that data processing is fair to all the data subjects involved, and that their fundamental rights are respected in compliance with ethical and privacy principles and relevant terms and conditions of the platform. When applicable, the DPO’s contact details ought to be given to the data subjects involved in the collection and processing of the data from online forum/social media.
See Collecting personal data and Security instructions for handling recorded interviews in the LibGuide on Research data management (RDM).
You can modify and use Hanken’s consent message template (.docx file) to inform your research participants. The content of the consent message covers at least the following information:
The consent messages are kept on file and are available upon request by all data subjects, research funders, and data protection supervisory authorities.
5. Ensure secure data storage, backup, and transferral during research
For secure storage and backup of active research data during usage, researchers use:
Established and well-known infrastructures are mostly a more secure alternative for storing research data than, for example, the hard disc on the researcher’s personal computer, both in terms of data security and from a confidentiality perspective.
If you transfer personal data outside of Hanken:
Unless you have entered into a Data Processing Agreement (DPA) with another system/service provider, you should NOT use other systems and internet clouds, for example, iCloud, Dropbox, Google Docs, publicly available OneDrive (for consumers), or survey platforms other than Webropol. Do not send or share data via ordinary, non-secured email. Researchers can ask for advice from Hanken’s Data Protection Officer (DPO) to ensure that other storage and archive solutions meet requirements for data protection.
If you work with sensitive personal data, you can use CSC's Sensitive Data Services for Research including Sensitive Data Connect (SD Connect, for sensitive data storage and sharing) and Sensitive Data Desktop (SD Desktop) which are designed to support secure sensitive data management through web-user interfaces accessible from the user's own computer.
Protect the data with strict access control and encryption if you work with sensitive personal data or confidential data such as trade secrets and information concerning national security.
For data from and to non-EU countries, all research members shall maintain high ethical standards and comply with relevant legislation, regardless of the country in which the research is carried out and data are collected and processed. Any data transferred from and to non-EU countries shall fulfil relevant conditions and regulations. Processing and data transfers of personal data should only reside inside the European Union and be limited to the research.
Data processors who conduct translation/interpretation or transliteration/transcription work, and the research partners who conduct the analysis of raw data – which contains any personal or individual-specific data, or are based on any individual informants – shall sign a Data processing agreement (DPA). Use Hanken’s Template for Data Processing Agreement (DPA).
You can use Hanken’s video platform Panopto to transcribe research data, for both audio files and video files. Please note that you are responsible for not sharing the research data with anyone else in Panopto. See Transcribing qualitative data.
For more information, see Data storage, backup and transferal in the LibGuide on Research data management (RDM).
6. Inform data subjects about changes and update documentation
Personal data may only be processed for the purposes of which the research participant has been informed prior to the beginning of the processing (by the consent form). If you need to process personal data for other purposes, you should inform the research participants of these new purposes and update all documents prior to the processing.
7. Anonymize data prior to publishing and archiving
Completely anonymous data do not exist, but by using various techniques and tools and following well-executed procedures, you can achieve a result where individual persons cannot be identified with reasonable effort based on the information provided, e.g., by combining different indirect identifiers, or by combining the data with information from other external sources.
Make an anonymisation plan which describes the anonymisation measures and evaluates the disclosure risk of data subjects’ personal data. The anonymisation plan also works as documentation on how the data have been processed. You can use the Anonymisation plan template in Anonymisation and Personal Data by the Finnish Social Science Data Archive (FSD) to write an anonymisation plan.
For sensitive personal data involving pseudonymisation or anonymisation, it is necessary to conduct a Data protection impact assessment (DPIA) in order to ensure an appropriate level of data protection and minimise risks to the data subjects’ rights.
It is recommended to avoid using open-ended questions to collect background information such as education or occupation. Instead, use a structured form to prevent interviewees from giving free-form responses that often contain identifiers. In categorising background information, utilise existing social classifications such as the Classifications by Statistics Finland.
The first anonymisation measure is usually to remove direct and strong indirect identifiers from your data. Use pseudonyms, aliases or codes so the data subjects are not identifiable without the use of separately stored additional information. Information on the original values and techniques used to create the pseudonyms and codes should be kept organisationally and technically separate from the pseudonymised data.
Removing direct and strong indirect identifiers, however, is rarely sufficient to make the data anonymous. It is possible to identify an individual by combining the background variables. See the detailed description of anonymisation principles and techniques for both quantitative data and qualitative data in Anonymisation and Personal Data by FSD and learn what to do for successful anonymisation.
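The two points above, worked through as an added example (not part of Hanken's or FSD's guidance): direct identifiers are replaced by keyed codes whose key is held apart from the data, and the remaining indirect identifiers are then checked for combinations shared by only a few records. The field names, the threshold k = 3, the sample records and the choice of HMAC-SHA-256 to derive the codes are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from collections import Counter

DIRECT = ("name", "email")                   # direct identifiers (assumed field names)
QUASI = ("gender", "age_band", "education")  # indirect identifiers (assumed field names)

# Constructed sample records, not real data.
SAMPLE = [
    {"name": "Aino", "email": "aino@example.org", "gender": "F", "age_band": "30-39", "education": "MSc"},
    {"name": "Bea", "email": "bea@example.org", "gender": "F", "age_band": "30-39", "education": "MSc"},
    {"name": "Cilla", "email": "cilla@example.org", "gender": "F", "age_band": "30-39", "education": "MSc"},
    {"name": "David", "email": "david@example.org", "gender": "M", "age_band": "40-49", "education": "PhD"},
    {"name": "Erik", "email": "erik@example.org", "gender": "M", "age_band": "40-49", "education": "MSc"},
    {"name": "Filip", "email": "filip@example.org", "gender": "M", "age_band": "40-49", "education": "BSc"},
]

def pseudonym(value, key):
    """Keyed code for a direct identifier; it cannot be recomputed without the key."""
    digest = hmac.new(key, value.strip().lower().encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:16]  # 64 bits, ample for a study-sized dataset

def pseudonymise(records, key, id_field="email"):
    """Drop direct identifiers and add a stable code derived from id_field."""
    out = []
    for rec in records:
        row = {k: v for k, v in rec.items() if k not in DIRECT}
        row["pid"] = pseudonym(rec[id_field], key)
        out.append(row)
    return out

def small_groups(records, k=3, quasi=QUASI):
    """Combinations of indirect identifiers shared by fewer than k records."""
    counts = Counter(tuple(rec[q] for q in quasi) for rec in records)
    return {combo: n for combo, n in counts.items() if n < k}

def generalise(records, field, mapping):
    """Coarsen one background variable by merging its categories."""
    return [{**rec, field: mapping.get(rec[field], rec[field])} for rec in records]

def demo(key):
    """Pseudonymise, list risky combinations, coarsen education, check again."""
    coded = pseudonymise(SAMPLE, key)
    before = small_groups(coded)
    merged = {"BSc": "tertiary", "MSc": "tertiary", "PhD": "tertiary"}
    after = small_groups(generalise(coded, "education", merged))
    return coded, before, after

if __name__ == "__main__":
    # The key is the "separately stored additional information": generate it
    # once and keep it organisationally and technically apart from the data.
    study_key = secrets.token_bytes(32)
    coded, before, after = demo(study_key)
    print("rows without direct identifiers:", len(coded))
    print("unique or rare combinations before coarsening:", before)
    print("unique or rare combinations after coarsening:", after)
```

In the sample, removing names and email addresses still leaves three records that are unique on gender, age band and education; merging the education categories brings every combination up to three records.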
As publicly available information is constantly increasing, it is important to regularly assess whether a once anonymised dataset continues to be anonymous and conduct residual risk assessments.
(3) After active research phase
8. Data erasure and data publishing
Personal data that are no longer needed to conduct the research should be disposed of as soon as possible. For example, direct identifiers such as names, email addresses, and social security numbers should be removed immediately after they are no longer necessary to carry out the research. Storage limitation reduces risks related to personal data processing.
You need to make sure that personal data, dispensable data files, temporary files created when programs are used, and all their back-ups are deleted in due time when they are no longer needed, and that the deleted data cannot be recovered.
Deleting files using operating system tools, or even reformatting a hard drive, will not irretrievably destroy the data. It is important to permanently destroy any data that includes personal, sensitive or confidential data after data storage is no longer necessary. Ask for help and support from Hanken’s Data Security Manager (email@example.com) and DPO (firstname.lastname@example.org) for secure data disposal measures.
Anonymised data are published and archived in a data repository for shared use when possible. Data with personal information can only be published anonymised. Pseudonymised data are still personal data, and therefore cannot be opened without explicit consent for that purpose. Before archiving the research data, pseudonymous data should be made anonymous by irretrievably destroying the separately kept identifying information (for example, decryption keys, codes, applications or techniques used to pseudonymise the data).
If the open accessibility of a dataset is not possible for justified reasons, the metadata of the dataset can be published openly. It is strongly recommended to use the Fairdata Qvain metadata tool to describe and publish your (meta)data.
The consent of the research participant is required for the opening of the material from which the research participant is directly or indirectly identifiable. In some cases, the material may be shared for the originally intended purpose. If you plan to share or reuse data which include personal information, contact Hanken’s DPO email@example.com.
Personal data is any information relating to an identified or identifiable natural person. Examples of personal data can include, but are not limited to, name, address, email address, IP address, picture, and personal identity code.
The main principles of data protection laws state that personal data must be processed lawfully, fairly and in a transparent manner to protect the rights of the data subjects. Furthermore, personal data must be
A data subject is any person whose personal data is being collected, held or processed.
Rights of the data subjects include:
In addition to data subjects, there are two other fundamental roles in data protection: data controllers and data processors.
A data controller determines the purposes for which and the means by which personal data is processed. Hanken is for example a data controller when providing higher education for its students.
A data processor processes personal data only on behalf of the controller. The data processor is usually a third external party, for example a cloud service provider who provides online services for Hanken. According to Data Protection Laws, a data controller is required to sign Data Processing Agreements with its data processors to ensure protection of outsourced processing and storing of personal information.
The alternative lawful purposes for collecting and processing are:
More information about the main principles of data protection can be found from Data protection principles by the Office of the Data Protection Ombudsman.
In case of a personal data breach in Finland, the Office of the Finnish Data Protection Ombudsman must be notified within 72 hours by Hanken’s Data Protection Officer (firstname.lastname@example.org).
In most cases, the obligations of the Data Controller are shared between the individual researcher or the principal investigator and Hanken. That implies that there is a need for joint and shared measures to ensure informing the data subjects, defining the legal basis for processing, protecting the personal data, and keeping records of processing activities.
The lawful purpose for processing personal data in research at Hanken is normally public tasks (scientific research) or consent of the data subjects. If the research cannot be defined as scientific research with aims for publications for the advancement of science or with aims to train for scientific methods, consent must be obtained from the data subjects. Model templates for collecting consent are available on the privacy pages on www.hanken.fi/privacy (requires login).
To inform the data subjects about their rights, the researcher should use the wording of the templates mentioned above. The most important issues are that the data subjects
To register the legal basis and to keep records of processing activities, Hanken has developed e-forms and templates:
With the help of these forms and templates, Hanken and the researcher can show compliance with the data protection laws.
Contact Hanken's Data Protection Officer email@example.com for advice regarding data protection.
You need to fill in the ethical review request e-form and submit it to Hanken’s Research Ethics Committee if your study is one of the six types:
Submit your data management plan (DMP) as an attachment to the request for ethical review. Indicate the date in the DMP when a request for ethical review was submitted to Hanken’s Research Ethics Committee.
If you have questions concerning ethical review, contact Hanken's Research Integrity Advisor: Anu Helkkula, firstname.lastname@example.org.
Video: Ethical review in the human sciences in Finland by TENK
All research shall comply with the Finnish National Board on Research Integrity (TENK) guidelines Responsible conduct of research and procedures for handling allegations of misconduct in Finland (2012). The RCR guidelines are available in Finnish, Swedish, and English.
In addition to the RCR guidelines, TENK has issued guidelines on the ethical principles to be followed and the ethical review to be arranged for research in the humanities and social and behavioural sciences: The ethical principles of research with human participants and ethical review in the human sciences in Finland (2019), available in Finnish, Swedish and English.
When engaging in international collaboration, researchers shall follow the European Code of Conduct for Research Integrity by ALLEA, the European Federation of Academies of Sciences and Humanities and any other applicable ethical guidelines.
Researchers shall bear the responsibility for ethical and moral concerns and decisions involved in the research and during the interaction between the researcher and research participants. Follow Hanken's ethical guidelines and good data protection practices to maintain high ethical standards and comply with relevant legislation. See the procedures of personal data management in research at Hanken.
If you have questions concerning ethical guidelines, contact Hanken's Research Integrity Advisor: Anu Helkkula, email@example.com.
If you have questions concerning data protection, contact Hanken's Data Protection Officer firstname.lastname@example.org.
Legal issues related to data management include data protection policy, data-sharing agreements, data ownership, open data licenses, secondary data usage copyright permissions and other Intellectual Property Rights (IPRs) issues. Agreements on data ownership and other intellectual property rights must be concluded before commencing any actual research activities.
Use a license when opening your data for reuse (e.g. research data, code, software). Licensing your open research data means that you clearly define the reuse terms and possible restrictions to the future reuse of your data. This way, you are in control of who has rights to reuse the data, and how. Use machine-readable licenses that follow international standards, preferably Creative Commons. Besides Creative Commons licences, there are also specific licensing models for research data.