Research Data Management

Guidelines and procedures of personal data processing in studies and research at Hanken

The definition of personal data is broad under the General Data Protection Regulation of the European Union (GDPR, 2016/679)

Personal data means any information relating to an identified or identifiable natural person (data subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

  • Direct identifiers are information that is sufficient on its own to identify a natural person. Examples are a person’s full name, personal identity code, email address containing the personal name, and biometric identifiers (e.g., fingerprint, facial image, voice pattern or manual signature).
  • Indirect identifiers are information that on its own is not enough to identify someone, but can be used to deduce the identity of a person when linked with other available information. Examples are a person's age, gender, educational background, economic activity, occupational status, socio-economic status, household composition, income, marital status, mother tongue, nationality, ethnic background, place of work or study, and postal code.
  • Some types of information are identified as strong indirect identifiers which can be used to identify an individual fairly easily, such as a postal address, phone number, vehicle registration number, bibliographic citation of a publication by the individual, email address not in the form of the personal name, web address to a web page containing personal data, very rare disease, unusual job title, position held by only one person at a time (e.g., chairperson in an organisation), a student ID number, insurance or bank account number, and IP address of a computer. 

The GDPR (Art. 9-10) defines the following as special categories of personal data (sensitive personal data), namely data revealing:

  • racial or ethnic origin,
  • political opinions,
  • religious or philosophical beliefs,
  • trade union membership,
  • genetic data,
  • biometric data for the purpose of uniquely identifying a natural person,
  • data concerning health,
  • data concerning a natural person's sex life or sexual orientation, 
  • personal data relating to criminal convictions and offences or related security measures.

More information about what constitutes personal data, see:

Personal data shall be processed lawfully, fairly, and in a transparent manner to protect the fundamental rights and freedoms of the data subjects. Here is one example of the situations where personal data are not adequately protected: University failed to sufficiently protect sensitive personal data, published on the webpage of the European Data Protection Board (EDPB).

If you collect and process any information from individuals or about individuals (e.g., consumers, company managers), assume that it is personal data, and follow the seven procedures below to maintain high ethical standards and comply with relevant data protection legislation:

(1) Before data collection (during research planning phase)

1. Plan what data you need

2. Evaluate risks to data subjects  

2.1 Request an ethical review statement when needed

2.2 Carry out a Data protection impact assessment (DPIA) when needed 

(2) Data collection and analysis (during active research phase)

3. Specify the legal basis and provide privacy notice

4. Ensure secure data storage, backup, and transfers  

5. Inform data subjects of changes and update documentation

6. Anonymize data prior to publishing and archiving

(3) After active research phase

7. Data erasure and (meta)data publishing

(1) Before data collection (during research planning phase)

1. Plan what data you need

If your research proposal involves the processing of any personal data, you shall have plans in place to demonstrate compliance with EU and national data protection laws for the entire data life cycle.

At the earliest stage of designing your research project, consider how you design your study so that your data can be the least identifiable while still accomplishing your research goals, and ensure that, by default, personal data will be processed with the highest privacy protection. These are called data protection by design and by default principles. 

Understand the objectives of your study and define the clear, specified need for collecting personal data. Collect only the minimum amount of personal data necessary and proportionate to the accomplishment of your research tasks. Personal data shall not be collected just in case they might be useful in the future.

Conduct a data minimisation review for the whole process of data management, including defining the types and amount of personal data collected, the extent to which they may be accessed, further processed and shared, the purposes for which they are used, and the period during which they are kept. You shall minimise the processing as far as possible. 

2. Evaluate risks to data subjects  

2.1 Request an ethical review statement when needed

All research shall comply with relevant Ethical principles and guidelines and follow any applicable ethical review practices. Conduct an ethical self-assessment and identify and address ethics issues in your research proposal.

  • Check the six study types described in Ethical review to see if you need to request an ethical review statement by Hanken’s Research Ethics Committee. If your study is one of the six types, fill in the e-form Request for an ethical review for an empirical study and submit it to Hanken’s Research Ethics Committee.
  • When you submit your ethical review request, you always need to provide these attachments: a privacy notice and a consent form. Depending on your research, you may also need additional attachments, such as a Data management plan (DMP) where you indicate the date of your ethical review request, and/or a Data protection impact assessment (DPIA).

Please contact Hanken’s Research Integrity Advisor (anu.helkkula@hanken.fi) for advice.

More information: To identify ethics and data protection issues in your research project, you can read Ethics and data protection (by the EC for scientific community, especially for funding applicants) and try its Ethics and Data Protection Decision Tree.

 

2.2 Carry out a Data protection impact assessment (DPIA) when needed 

If a planned personal data processing is likely to result in a high risk to the rights and freedoms of the data subjects, a Data protection impact assessment (DPIA) shall be conducted prior to the processing. This may occur when the following data will be processed:

  • data processed on a large scale, for example, large amounts of personal data or data from more than 500 data subjects. 
  • personal data of children under the age of 15 or of other vulnerable data subjects such as employees, mentally ill persons, asylum seekers, the elderly, and patients. 
  • sensitive personal data or data of a highly personal nature such as special categories of personal data, electronic communications whose confidentiality should be protected, location data whose collection questions the freedom of movement, financial data that might be used for payment fraud, personal documents, emails, diaries, notes from e-readers equipped with note-taking features, and very personal information contained in life-logging applications.
  • a systematic and extensive analysis of personal data in the context of automated processing, including profiling, where this has a significant effect on the data subject.
  • systematic monitoring: processing used to observe, monitor or control data subjects, including data collected through networks or a systematic monitoring of a publicly accessible area. In these circumstances data subjects may not be aware of who is collecting their data and how the data will be used. It may also be impossible for individuals to avoid being subject to such processing in a public or publicly accessible space.
  • matching or combining datasets, for example, originating from two or more data processing operations performed for different purposes and/or by different data controllers in a way that would exceed the reasonable expectations of the data subject.
  • innovative use or applying new technological or organisational solutions, like combining the use of fingerprint and face recognition for improved physical access control.
  • if special categories of personal data are to be processed AND there will be a derogation from the rights of the data subjects to access, rectify, restrict, and object. Note that in this situation, the DPIA shall be submitted to the office of the Data Protection Ombudsman before the processing is started, according to Section 31 of the Finnish Data Protection Act (1050/2018).
  • The supervisory authority in each member state shall establish and publish a supplementary guidance and list of processing operations for which a DPIA is required. In the EU Member State DPIA Whitelists, Blacklists and Guidance compiled by the International Association of Privacy Professionals (IAPP), you can find the blacklist from the Finnish supervisory authority: 

For more information, see the nine criteria in the Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 (the PDF file by the European Data Protection Board, pp. 9-11). The Guidelines (pp. 11-14) also present a longer list of scenarios in which a DPIA may or may not be necessary.

A processing meeting one or two of the criteria may require a DPIA to be carried out. A DPIA helps you identify and minimise the data protection risks of a project. The contents of a DPIA shall contain at least:

  • a systematic description of the envisaged processing, including its nature, scope, context, purposes, and lawful ground,
  • an assessment of the necessity and proportionality of the processing in relation to the purposes, 
  • identifying and assessing the risks that the processing may pose to the data subjects, and
  • defining adequate safeguard measures to prevent or mitigate these risks.

Depending on the nature and scope of your processing, you can conduct a full or light version of a DPIA. Use Hanken's DPIA template (for studies and research) to conduct a full version of a DPIA, or directly address the four minimum required aspects of a DPIA listed above.

Contact dataethics@hanken.fi to conduct a DPIA.

(2) Data collection and analysis (during active research phase)

3. Specify the legal basis and provide privacy notice

Personal data shall be processed lawfully with at least one of the six legal bases defined by the GDPR (Art. 6): consent, contract, legal obligation, protection of vital interests, public interest or official authority, and legitimate interests. You need to rely on at least one legal basis to justify why you have the right to collect, store, and handle personal data.

For research work conducted by researchers including PhD students, the legal basis is usually scientific research carried out in the public interest.

When collecting personal data, what researchers need to do to comply with good data management practices, data protection regulations, and research integrity includes:

Note that this consent (to participate in the research, required by ethical standards) is different from consent (to personal data processing, as a legal basis under the GDPR). The difference is acknowledged by TENK’s guidelines (p. 9).

  • Researchers use Hanken's Informed Consent template (in English, in Finnish, in Swedish) to obtain informed consent. Choose the language that your research participant prefers.

If you do not ask for informed consent from the research participants, or if your study is one of the other five types described in Ethical review, you need to request an ethical review statement from Hanken’s Research Ethics Committee.

  • (2) Provide privacy notice to research participants about the processing of their personal data. The GDPR (Art. 12-14) stipulates long lists of information that shall be provided to the data subjects, including the purposes and legal basis for processing, identity and contact details of the data controller and DPO, recipients of personal data, international data transfers, data retention and deletion plans, and data subjects’ rights.
    • Researchers fill in and submit the e-form The Research's Privacy Notice (in English, in Finnish, in Swedish) and provide the privacy notice to the research participants to fulfil the information provision obligation.
    • After submitting the e-form, click "Save the completed form as a file." Edit the downloaded RTF file, so it can be suitable for your research participants.
    • After being submitted, this privacy notice e-form also functions as the Record of processing activities which fulfils the record-keeping accountability (GDPR, Recital 82 and Art. 30).

 

For studies and thesis-writing by BSc/MSc/eMBA students, consent is usually used as the legal basis, unless the student is a member of a research project where one or more researchers (at the PhD level or above) are involved. When consent is used as a legal basis for processing personal data, the consent needs to meet the requirements of the GDPR. Consent to the processing of personal data should be a “freely given, specific, informed and unambiguous indication of the data subject’s wishes,” and “be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language” (GDPR, Art. 4 and 7). Data subjects have the right to withdraw their consent at any time. See Consent of the data subject by the Office of the Data Protection Ombudsman.

When collecting personal data, what students need to do to comply with data protection laws includes:

  • (1) Obtain the respondents' consent to the processing of their personal data as the legal basis for personal data processing.
    • Students use Hanken's Consent to the processing of personal data template (in English, in Finnish, in Swedish) to obtain consent. Choose the language that your respondents prefer. Keep the consent on file, as you may be obligated to demonstrate that it was obtained.
  • (2) Fill in and submit the e-form The Study's Privacy Notice (in English, in Finnish, in Swedish) and provide the privacy notice to the respondents about the processing of their personal data to fulfil the information provision obligation under the GDPR.
    • After submitting the e-form, click "Save the completed form as a file." Edit the downloaded RTF file, so it can be suitable for your respondents.
    • After being submitted, this privacy notice e-form also functions as the Record of processing activities which fulfils the record-keeping accountability under the GDPR. 

 

Special categories of personal data (sensitive personal data) are subject to specific processing conditions. Students and researchers need to rely on at least one of the ten exceptions or derogations to the prohibition in order to collect and process special categories of personal data:

  • Researchers usually use the derogation (j) – processing of special categories of personal data is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. 
  • Students usually use the derogation (a) – the data subject has given explicit consent to the processing of special categories of personal data. This means that consent should not only be freely given, specific, informed and unambiguous, but also be explicit with a clear affirmative act by the data subject.

A Data protection impact assessment (DPIA) may be needed when students and researchers process special categories of personal data, data of a highly personal nature, and other specially protected personal data. See the instructions under "2.2 Carry out a Data protection impact assessment (DPIA) when needed" and contact dataethics@hanken.fi.

4. Ensure secure data storage, backup, and transfers

For secure storage and backup of active research data during usage, students and researchers use:

  • data storage services provided and maintained by Hanken, including the researcher's own account on the Hanken network like H:\, Microsoft Office365 applications (e.g., OneDrive for Business), Webropol or SPSS.
    • If you collect personal data from online questionnaires or surveys, use GDPR-compliant tools and platforms such as Webropol. Webropol's user instruction is available on the page of Hanken's IT services.
    • You can use Hanken’s video platform Panopto to transcribe research data, for both audio and video files. Please note that you are responsible for not sharing the personal data contained in Panopto with anyone else. See Transcribing qualitative data.
  • Or data storage services provided by CSC such as IDA which is also for data archival. IDA is a Fairdata service for both data storage and data archival. The Fairdata services are offered by the Finnish Ministry of Education and Culture and produced by CSC – IT Centre for Science.

In addition to Hanken's and CSC's data storage systems, you can use your own password-protected personal computer and hardware (e.g., internal/external hard drives) and password-protected joint-use computers in a room located physically at Hanken with restricted access, to store and process data during research.

  • When using memory sticks or external hard drives, make sure that they are stored securely, for example, in locked closets/lockers, and that you erase the personal data stored on your memory sticks and USB disks immediately after use. You can also encrypt the data on memory sticks and external hard drives by using, for example, zip applications or Office365.
  • However, do NOT use, even on your own computer, data storage that is connected to or backed up on Internet clouds (e.g., iCloud, Google Docs, Dropbox). Use only local hard drives and data folders that are not backed up in Internet services/clouds.

Unless you have entered into a Data processing agreement (DPA) with another system/service provider who acts as a data processor, you shall NOT use other systems and internet clouds, for example, iCloud, Dropbox, Google Docs, publicly available OneDrive (for consumers) and survey platforms other than Webropol. A Data processing agreement (DPA) shall be signed between the data controller and data processor. Hanken’s DPA templates are available here (Data Processing Agreement template and Data Processing Appendix template (as part of an Agreement)).

 

If you transfer personal data outside Hanken:

  • Use OneDrive storage space in your Hanken-provided account for sharing files and collaborating with others. Use the “Specific people” option to ensure data access control.
  • If you save and store your data in IDA by CSC, use the safe data transfer and sharing measures offered by IDA. See 1.8 I want to share my research data, what should I do? in FAQ of the Fairdata services by CSC. 

  • You can use physical memory sticks or external hard drives, in cases where you or the other party do not have access to Hanken's data sharing systems. Make sure that data are stored securely, and that you erase the personal data stored on your memory sticks and on your USB disks immediately after the transfer. You can encrypt the data on memory sticks and external hard drives.

  • Note that you should NOT send or share data by ordinary, non-secured email, or use systems that are not provided by Hanken or CSC, e.g., Dropbox, Google Docs, and publicly available OneDrive (for consumers), for data transfers.

  • If you have a third party outside Hanken as the data processor who provides, for example, translation/interpretation, transliteration/transcription or raw data analysis services, you need to sign a Data processing agreement (DPA) with the data processor. Hanken’s DPA templates are available here (Data Processing Agreement template and Data Processing Appendix template (as part of an Agreement)).

  • For data transferred outside the EU/EEA, follow the European Commission's Rules on international data transfers (GDPR, Art. 44-50):

    • If the target country is on the list of the Commission's Adequacy decision, personal data can be transferred without any further safeguard being necessary. 
    • If the target country is not on the Adequacy list, you need to determine whether the transfer can be lawful under appropriate safeguards with one of the adopted mechanisms such as standard contractual clauses, binding corporate rules, certification mechanism, and codes of conduct.
    • There are also limited Derogations for specific situations. For example, as part of the scientific publishing process, it can be exceptional yet necessary to transfer personal data outside the EU/EEA to the publishers or peer reviewers to verify research results.

If personal data are transferred to non-EU/EEA countries, specify the countries' names in your privacy notice and the appropriate safeguards you plan to take to ensure that the level of data protection in compliance with the GDPR is not undermined. Contact dataethics@hanken.fi for advice, for example, conducting a Transfer impact assessment (TIA).

For more information, see Transfers of personal data out of the European Economic Area by the Office of the Data Protection Ombudsman.

 

If you work with sensitive personal data, use CSC's Sensitive Data Services for Research including Sensitive Data Connect (SD Connect, for sensitive data storage and sharing) and Sensitive Data Desktop (SD Desktop) which are designed to support secure sensitive data management through web-user interfaces accessible from the user's own computer.

Protect the data with strict access control and encryption if you work with sensitive personal data or confidential data such as trade secrets, politically sensitive information, information concerning national security, and data obtained in trust and confidence:

  • Be sure that your storage solutions are safe enough for the data.
  • Do NOT use cloud storage due to its insufficient data protection.
  • Do NOT use external hard drives as the main storing option.
  • Protect the data with encryption. If needed, mobile devices and portable and external storage devices in particular should be encrypted for use, e.g., by using Cryptomator.
  • Data with direct identifiers, contact information, sensitive personal data, and confidential data should NOT be sent between research team members by email – not even Hanken’s email system.

 

You can ask for advice from Hanken’s Information security officer (datasakerhetschef@hanken.fi) to ensure that your storage and transfer solutions meet data protection requirements.

5. Inform data subjects of changes and update documentation

If there are changes in personal data processing, for example, if there are new, compatible processing purposes other than the initial purpose, if there are new recipients of the personal data (e.g., new research partners or translation or transcription service providers), or if there is an addition of new data variables to the categories of personal data compiled into the dataset, the privacy notice and other documentation shall be updated and the research participants shall be informed of the changes prior to the new processing.

6. Anonymize data prior to publishing and archiving

It is stated by the Office of the Data Protection Ombudsman on Minimisation of personal data in scientific research that "[a]nonymisation and pseudonymisation should be performed as soon as possible, for instance right after the data have been aggregated."

Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to the individual involved without the use of additional information. Pseudonymisation can be done by removing or replacing identifiers with pseudonyms, aliases or codes. The additional information on the original values and techniques used to create the pseudonyms or codes shall be kept organisationally and technically separately from the pseudonymised data to ensure that the personal data are not attributed to an identified or identifiable natural person. (GDPR, Art. 4 (5))

The data remain pseudonymous and personal as long as the additional identifying information exists. That is, pseudonymised data can be attributed to a natural person by the use of the additional information and are still personal data.

Pseudonymised data become anonymised when the separately kept identifying information used to create the pseudonyms or codes (e.g., decryption keys, codes, applications or techniques used to pseudonymise the data) has been irreversibly destroyed and cannot be linked to the pseudonymised data.

Anonymisation thus refers to the processing of personal data in a manner that the individual concerned cannot be re-identified. Anonymised data are no longer considered to constitute personal data and are not subject to the data protection regulations.

Completely anonymous data do not exist, but by using various techniques and tools and following well-executed procedures, you can achieve a result where individual persons cannot be identified with reasonable efforts based on your data, e.g., by combining different indirect identifiers in your data, or by combining your data with the information from other external sources.

The table by the FSD provides good tips for recognising direct, indirect, and strong indirect identifiers and how to anonymise research data by removing, changing or categorising these different identifiers. 

In categorising background information, utilise existing social classifications such as the Classifications by Statistics Finland.
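The pseudonymise, categorise and check steps described in this section can be sketched as follows. This is an added example, not Hanken's or FSD's code: the field names, the HMAC-SHA256 pseudonym scheme, the 10-year age bands and the two-digit postal areas are assumptions, and the sample rows are constructed.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample rows (fictional respondents, not real data).
ROWS = [
    {"name": "Respondent A", "email": "a@example.org", "age": 23, "postal_code": "00100", "score": 4},
    {"name": "Respondent B", "email": "b@example.org", "age": 27, "postal_code": "00180", "score": 2},
    {"name": "Respondent C", "email": "c@example.org", "age": 25, "postal_code": "00530", "score": 5},
    {"name": "Respondent D", "email": "d@example.org", "age": 41, "postal_code": "65100", "score": 3},
    {"name": "Respondent E", "email": "e@example.org", "age": 44, "postal_code": "65200", "score": 4},
    {"name": "Respondent F", "email": "f@example.org", "age": 68, "postal_code": "65100", "score": 1},
]

DIRECT_IDENTIFIERS = ("name", "email")        # never copied into the research file
QUASI_IDENTIFIERS = ("age_band", "postal_area")  # indirect identifiers, categorised


def new_key() -> bytes:
    """Random secret for the pseudonyms; store it apart from the research data."""
    return secrets.token_bytes(32)


def pseudonym(key: bytes, identifier: str) -> str:
    """Keyed code for one identifier. Without the key it cannot be recomputed."""
    normalised = identifier.strip().lower().encode("utf-8")
    digest = hmac.new(key, normalised, hashlib.sha256).hexdigest()
    return "P-" + digest[:16]  # 64 bits is ample for a survey-sized dataset


def age_band(age: int, width: int = 10) -> str:
    """Replace an exact age with a band, e.g. 23 -> '20-29'."""
    low = (age // width) * width
    return f"{low}-{low + width - 1}"


def postal_area(postal_code: str) -> str:
    """Keep only the first two digits of a postal code (assumed coarsening)."""
    return postal_code[:2] + "xxx"


def pseudonymise(rows, key):
    """Split rows into a research file and a separately stored key table."""
    research, key_table = [], {}
    for row in rows:
        pid = pseudonym(key, row["email"])
        # Additional information: keep organisationally and technically separate.
        key_table[pid] = {field: row[field] for field in DIRECT_IDENTIFIERS}
        research.append({
            "pid": pid,
            "age_band": age_band(row["age"]),
            "postal_area": postal_area(row["postal_code"]),
            "score": row["score"],
        })
    return research, key_table


def group_sizes(research):
    """Count how many rows share each combination of indirect identifiers."""
    return Counter(tuple(r[q] for q in QUASI_IDENTIFIERS) for r in research)


def smallest_group(research) -> int:
    return min(group_sizes(research).values())


def rows_below_k(research, k: int):
    """Pseudonyms of rows whose indirect-identifier combination occurs < k times."""
    sizes = group_sizes(research)
    return [r["pid"] for r in research
            if sizes[tuple(r[q] for q in QUASI_IDENTIFIERS)] < k]


if __name__ == "__main__":
    key = new_key()
    research, key_table = pseudonymise(ROWS, key)
    for r in research:
        print(r)
    print("smallest group:", smallest_group(research))
    print("rows needing coarser categories (k=2):", rows_below_k(research, 2))
```

The research file stays personal data for as long as the key or the key table exists. A row reported by `rows_below_k` is singled out by its combination of indirect identifiers and needs coarser categories or removal before publishing.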

For special categories of personal data involving pseudonymisation or anonymisation, it may be necessary to conduct a Data protection impact assessment (DPIA). See 2.2 Carry out a Data protection impact assessment (DPIA) when needed and contact dataethics@hanken.fi.

(3) After active research phase

7. Data erasure and (meta)data publishing

Personal data that are no longer needed for the original purpose should be disposed of as soon as possible unless there are special reasons or legislation that require archiving. Storage limitation reduces the risks related to personal data processing. If it is not possible to determine the exact data retention period, specify the criteria used to determine that period to your research participants.

Deleting files using operating system tools, or even reformatting a hard drive, will not irretrievably destroy the data. Save your files to OneDrive and use the deletion feature. Remember to empty the trash as well. Data in Webropol will be erased by the IT services shortly after a student's user ID is inactivated. You can ask for help and support from Hanken’s Information security officer (datasakerhetschef@hanken.fi) for secure data disposal measures.

More information, see:

Anonymised data are published and archived in a data repository for shared reuse whenever possible. According to the Data Protection Act (1050/2018, Section 4 (4)) and the GDPR (point (e) of Art. 6 (1)), archiving research material containing personal data is lawful if it is necessary and proportionate to the aim of public interest pursued and to the rights of the data subject. Pseudonymised data are still personal data. Restricted access can be used as a measure to archive pseudonymised data. The research participants need to be informed of your open data plans in the privacy notice.

If the open accessibility of a dataset is not possible for justified reasons, the metadata of the dataset can still be published openly. It is strongly recommended to use the Fairdata Qvain metadata tool to describe and publish your (meta)data. See Data publishing and preservation.

Some basic data protection concepts:

Data processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Data controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means (i.e., why and how) of the processing of personal data. The controller is primarily responsible for compliance with data protection laws throughout the data life cycle. The controller can allocate responsibilities according to the actual roles of the parties.

  • For personal data processing in research work by researchers including PhD students, data controllership shall be determined case by case, and the role of data controller or joint controller can be defined in the following cases:
    • If the researcher conducting the research is employed by Hanken, namely, if the research is conducted under an employment relationship with Hanken and as part of the employee’s work duties, Hanken is the data controller. 
    • If the research is not conducted under an employment contract with Hanken or not as part of a Hanken research project with supplementary funding, the researcher is the data controller.
    • If the research is commissioned by a company or organization, the company or organization generally acts as the data controller.
    • When two or more controllers (e.g. Hanken, Aalto University, University of Helsinki) jointly determine the purposes and means of processing, they shall be joint controllers. 
  • For personal data processing in studies and thesis-writing by BSc/MSc/eMBA students, data controllership shall also be determined case by case:
    • If a student collects and processes personal data independently for her/his studies and there is no employment relationship between Hanken and the student, the student assumes the role of data controller.
    • If a student’s studies are conducted under an employment contract with Hanken or as part of a Hanken research project, Hanken is the data controller.
    • If the study is commissioned by a company or organization, the company or organization generally acts as the data controller.
    • There are also cases where joint controllership needs to be defined for the personal data processed for a student's study or thesis-writing.

Data processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. A Data processor does not determine the purposes and means (i.e., why and how) of the processing of personal data. If your research project has a third party outside Hanken as a data processor who provides, for example, IT solutions for data collection or storage, translation/interpretation, transliteration/transcription or raw data analysis services, you need to sign a Data processing agreement (DPA) with the data processor. Hanken’s DPA templates are available here (Data Processing Agreement template and Data Processing Appendix template (as part of an Agreement)). 

 

More information, see:

Ethical principles and guidelines

All research carried out in Finland shall comply with the guidelines by the Finnish National Board on Research Integrity (TENK): The Finnish Code of Conduct for Research Integrity and Procedures for Handling Alleged Violations of Research Integrity in Finland 2023 (the PDF file in English, Finnish, and Swedish). The Implementation checklist for the 2023 RI guidelines helps the leadership of an organisation, research leaders, and individual researchers ensure that the main practices of research integrity are followed.

In addition to the RI guidelines, TENK has issued the guidelines on the ethical principles to be followed as well as ethical review to be arranged for research in the humanities and social and behavioural sciences: The ethical principles of research with human participants and ethical review in the human sciences in Finland (2019, in English, Finnish, and Swedish):

  • Please see the section below on Ethical review to check if you need to request an ethical review statement by Hanken’s Research Ethics Committee. 
  • When the research is carried out or research data are gathered outside Finland, researchers need to follow the ethical review practices in the target country.
  • Some publishers, journals, and data providers, e.g., Findata, may require an ethical review statement. 

When engaging in international collaboration, researchers shall follow the European Code of Conduct for Research Integrity (2023) by ALLEA, the European Federation of Academies of Sciences and Humanities, and any other applicable ethical guidelines.

Researchers shall bear the responsibility for ethical and moral concerns and decisions involved in the research and during the interaction between the researchers and research participants. Follow all the applicable ethical guidelines and good data protection practices to maintain high ethical standards and comply with relevant data protection legislation. See the section above on the Guidelines and procedures of personal data processing in research and studies at Hanken.

If you have questions concerning ethical guidelines and ethical review, contact Hanken's Research Integrity Advisor (anu.helkkula@hanken.fi). 

Ethical review

If your study is one of these six types, you need to fill in the ethical review request e-form and submit it to Hanken’s Research Ethics Committee:

  1. a study in which you will not be asking for informed consent from research participants (i.e., a study in which you will not inform the participants beforehand about the fact that they are being studied, or ask for their permission).
  2. a study in which you give research participants something to eat, drink, smell, or touch, as an intervention – or otherwise intervene in their physical integrity.
  3. a study in which you will expose participants to exceptionally strong stimuli (e.g., shocking pictures).
  4. a study in which the subjects are children under the age of 15, or represent other vulnerable groups/populations (e.g., asylum seekers).
  5. a study which might risk causing long-term mental harm to participants (e.g., trauma, depression, sleeplessness) beyond risks encountered in normal life.
  6. a study which might risk causing physical harm or signify a security risk to subjects (e.g., studies concerning domestic violence).

When you submit your ethical review request, you always need to provide these attachments: a privacy notice and a consent form. Depending on your research, you may also need additional attachments, such as a Data management plan (DMP) where you indicate the date of your ethical review request, and/or a Data protection impact assessment (DPIA).

If you have questions concerning ethical review, please contact Hanken's Research Integrity Advisor (anu.helkkula@hanken.fi).

Watch the video TENK's Ethical review in human sciences:

Video: Ethical review in the human sciences in Finland, by TENK.

IPRs in data management

Legal issues related to data management include data protection laws, data-sharing agreements, data ownership, open data licenses, secondary data usage copyright permissions and other intellectual property rights (IPRs).

Agreements on data ownership and other IPRs shall be concluded before commencing any actual research activities. Agreements about authorship also need to be made before the beginning of the project.

Describe in your DMP how you agree upon the rights of use related to the research data you will collect, produce, and reuse for your research project. Clarify the transfer of rights procedures relevant to your project. Follow the funder's or publisher's policies. If applicable, describe confidentiality issues in your project as well.

Use a license when opening your research data, code or software for shared reuse. Licensing your open research data means that you clearly define the reuse terms and possible restrictions to the future reuse of your data. This way, you are in control of who has rights to reuse the data, and how they can reuse your data. Use machine-readable licenses that follow international standards, preferably Creative Commons. Besides Creative Commons licences, there are also specific licensing models for research data.

  • Creative Commons CC BY 4.0 license is recommended for published datasets when possible.

More information, see: