The definition of personal data is broad under the General Data Protection Regulation of the European Union (GDPR). Personal data includes any information relating to an identified or identifiable natural person and encompasses all data from which a natural person can be identified either directly or indirectly.
Direct identifiers are information that is sufficient on its own to identify a natural person. Examples are a person’s name, personal identity code, address, email address, telephone numbers, username, user-id, facial image (e.g. profile picture, video footage showing the face), voice pattern, fingerprint, and manual signature.
Indirect identifiers are information that on its own is not enough to identify someone, but can be used to deduce the identity of a person when linked with other available information. Examples are a person's gender, age, education, professional status, nationality, location data, career history, system log data, marital status, and vehicle registration number.
Some types of information are identified as strong indirect identifiers, which can be used to identify an individual fairly easily, such as a postal address, unusual job title, very rare disease, position held by only one person at a time (e.g., chairperson in an organisation), student ID number, insurance or bank account number, and IP address of a computer. See the list of strong indirect identifiers in Anonymisation and Personal Data by the Finnish Social Science Data Archive (FSD).
Sensitive personal data are special categories of personal data and are classified as being on the increased information security level (see “Instructions for handling and storing data and documents on different information security levels” in Information Management at Hanken). The following categories are classified as sensitive personal data by the GDPR, Art. 9 (1), Art. 10: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, data concerning a natural person’s sex life or sexual orientation, or data relating to criminal convictions and offences, or related security measures.
If you are collecting any information from individuals or about individuals (e.g., consumers, company managers), assume that it is personal data. Pseudonymised data are also personal data.
For more information about what constitutes personal data, see What is personal data? by the Office of the Data Protection Ombudsman.
Personal data should be processed lawfully, fairly, and in a transparent manner to protect the fundamental rights of the data subjects and minimise the risk to their rights in the event of unauthorised access and usage. Collected personal data should be protected with adequate organisational and technical measures for data security.
The European Data Protection Supervisor (EDPS) considers that personal data protection is wholly compatible with responsible research. Data protection regulations are intended to serve as a safety framework for individuals whose data are needed to support science and research. See A Preliminary Opinion on data protection and scientific research by the EDPS.
The Finnish Office of the Data Protection Ombudsman has issued guidelines on personal data protection in scientific research. These guidelines provide guidance on defining the purpose for processing of personal data, choosing the basis for processing personal data, and implementing the rights of the data subject. They also include information on data controllers' and processors' obligations to demonstrate compliance with data protection legislation, responsibilities when transferring data outside the EU or EEA, and appropriate ways to destroy, anonymize or archive the research data. Please see Scientific research and data protection by the Office of the Data Protection Ombudsman (tietosuoja.fi).
Here is one example of the situations where data are not adequately protected: University failed to sufficiently protect sensitive personal data, published on the web page of the European Data Protection Board (EDPB).
If you are processing personal data, follow the procedures below to maintain high ethical standards and comply with relevant legislations and regulations:
(1) Before data collection (during research planning phase)
1. Plan what data you need and implement data minimization and privacy by default principles
Understand the objectives of your study and define a clear, specified need for collecting personal data. Collect only the minimum amount of personal data necessary and proportionate to accomplish the tasks of the study. Personal data should not be collected just in case they might be useful in the future. Consider whether your data can be made as little identifiable as possible while still accomplishing your research goals.
Conduct a data minimisation review for the whole process of data management, including defining the types and amount of personal data collected, the extent to which they may be accessed, further processed and shared, the purposes for which they are used, and the period during which they are kept.
2. Write and update a data management plan (DMP)
A DMP can help you plan the entire life cycle of personal data processing. It is a formal document that describes how and what research data will be handled during and after the research project, and elaborates the key measures for ethical and legal compliance, as well as for FAIR data production.
Researchers can use Hanken’s DMP template or other Public DMP templates (with Hanken’s DMP guidance integrated) in DMPTuuli to write and update a DMP. See DMPTuuli with Hanken's DMP guidance and DMP template in the LibGuide on Research data management (RDM).
The DMP you create with DMPTuuli serves at the same time as a Record of Data Processing Activities, which you can share with participants/subjects/respondents of your research.
Send the whole DMP or the parts on data protection to Hanken’s Data Protection Officer (DPO, firstname.lastname@example.org). In Hanken’s and the Academy of Finland's DMP templates, sections 1.1 on data description, 2.1 on ethical compliance, 4.1 on data storage and backup, 4.2 on access control, and 5.1 on open and archiving data have content related to data protection.
3. Evaluate risks to data subjects
3.1 Get ethical advice and ethical review when needed
If sensitive personal data are processed in the research project, researchers can contact Hanken’s Research Integrity Advisor (email@example.com) for advice and the Data Protection Officer (DPO, firstname.lastname@example.org) for guidance.
If your study is one of the six types described in Ethical review, fill in the e-form Request for an ethical review for an empirical study and submit it to Hanken’s Research Ethics Committee. Submit your data management plan (DMP) as an attachment to the request for ethical review. Indicate the date in the DMP when a request for ethical review was submitted to Hanken’s Research Ethics Committee.
3.2 Carry out a data protection impact assessment (DPIA) when needed
A data protection impact assessment (DPIA) must be done if the planned personal data processing is likely to pose a substantial risk to research participants. This situation is likely to occur when you process large amounts of data, personal data of the children under the age of 15, or sensitive personal data.
A data protection impact assessment (DPIA) should be performed by consulting Hanken’s Data Protection Officer (DPO, email@example.com). A DPIA should describe the nature, scope, context and purposes of data processing, identify and assess risks to data subjects, and define adequate additional measures to mitigate the risks. In the DPIA, you identify the need for a DPIA, describe the nature of data and data processing including data collection, analysis, storage and disposal, specify how much data will be collected and processed, what types of processing might involve risks, the sources of risk and nature of potential impact on data subjects, and identify additional measures to reduce or eliminate the risks identified as medium or high ones.
Collecting any sensitive personal data such as health-related information needs explicit consent from the data subjects. Processing such personal raw data should be proportionate to the research aim pursued and respect the essence of the right to data protection. The data are to be protected with encryption and strict access control.
(2) Data collection and analysis (during active research phase)
4. Clarify the legal basis for processing personal data and inform your research participants
Clarify the legal basis: Justify why you have the right to collect, handle, and preserve personal data. That is, you need to define the legal basis for the processing of personal data:
Usually the legal basis for purposes of scientific research is the need for personal data for the research (scientific research carried out in the public interest as defined in the Finnish Personal Data Act (1050/2018), and as based on the GDPR (point (e) of Article 6 (1))).
If consent is used as a legal basis for processing personal data, the consent needs to meet the requirements in the GDPR. Consent shall be a freely given, specific, informed and unambiguous indication of the research participants' wishes, by which they, with a statement or with a clear affirmative action, signify their agreement to the processing of personal data relating to them. Research participants have the right to withdraw their consent at any time. See Consent of the data subject by the Office of the Data Protection Ombudsman.
Obtain informed consent of research participants: Note the difference between consent to participate in research (required by ethical guidelines) and consent to personal data processing under the GDPR.
Researchers shall obtain informed consent of the research participants to participate in the research, which is required by ethical guidelines. For non-medical research involving human participants, researchers shall follow the ethical principles of research with human participants and ethical review in the human sciences in Finland; see the Finnish National Board on Research Integrity TENK guidelines 2019 (PDF). The guidelines state that "[i]nformed consent to participate in research is a central ethical principle in research with human participants."
You can modify and use Hanken’s consent message template (.docx file) to inform your research participants.
Provide information to research participants about the processing of their personal data: Under the GDPR, research participants should obtain the information from you about why and how their personal data are being collected, used, stored, disseminated, or otherwise processed. That is, the data subjects have the right to get sufficient information from you about the collection and processing of their personal data. Informing research participants about the processing of their personal data is a crucial part of the transparency principle laid down in the GDPR. This means that even if your legal basis is not based on consent, the data subjects have to be informed of, among other things:
Basically, there are two situations with different timing for providing the information, depending on whether the data are collected from the research participant or from some other source:
This applies when you collect secondary data from online forum/social media and you need to ensure that data processing is fair to all the data subjects involved, and that their fundamental rights are respected in compliance with ethical and privacy principles and relevant terms and conditions of the platform. When applicable, the DPO’s contact details ought to be given to the data subjects involved in the collection and processing of the data from online forum/social media.
More information, see:
The consent messages and information you provided for your data subjects are kept on file and available upon request by all data subjects, research funders, and data protection supervisory authorities.
5. Ensure secure data storage, backup, and transferral during research
What is important in your data collection and data analysis stage is that your research data is stored and backed up in a location that cannot be accessed publicly or by anyone who is not authorised, and that data transferal outside of Hanken and the EU/EEA is only carried out in full compliance with relevant regulations.
See also Security instructions for handling recorded interviews in this LibGuide on Research data management (RDM) and Instructions for handling and storing data and documents on different information security levels on the page of Information Management at Hanken to learn which storage solutions are allowed and suitable for documents and data on different data security levels.
For secure storage and backup of active research data during usage, researchers use:
Data storage services provided and maintained by Hanken, including the researcher's own account on the Hanken network like H:\, Microsoft Office365 applications (e.g., Onedrive for Business), Webropol or SPSS. If you do not have a plan for data archival after the research project, this solution is suitable.
OR data storage services provided by CSC such as IDA which is also for data archival. IDA is a Fairdata service for both data storage and data archival. The Fairdata services are offered by the Finnish Ministry of Education and Culture and produced by CSC – IT Centre for Science.
Established and well-known infrastructures are mostly a more secure alternative for storing research data than, for example, the hard disc on the researcher’s personal computer, both in terms of data security and from a confidentiality perspective.
Unless you have entered into a Data Processing Agreement (DPA) with another system/service provider, you shall NOT use other systems and internet clouds, for example, iCloud, Dropbox, Google Docs, publicly available Onedrive (for consumers), or other survey platforms than Webropol. If you collect personal data from online questionnaires or surveys, use the GDPR compliant tools and platforms such as Webropol. Webropol's user instruction is available on the page of Hanken's IT services. If the information you plan to collect contains sensitive personal data or confidential data such as trade secrets and information concerning national security, it may be better that you do not collect it online.
In addition to Hanken's and CSC's data storage systems, you can use your own personal computer and hardware (e.g., internal/external hard drives) to store and process data in the short term.
If you transfer personal data or obtain data from data providers outside of Hanken:
If you save and store your data in IDA by CSC, use the safe data transfer and sharing measures offered by IDA. See 1.8 I want to share my research data, what should I do? in FAQ of the Fairdata services by CSC.
You can use physical memory sticks or external hard drives, in cases where you or the other party do not have access to Hanken's data sharing systems (e.g., OneDrive for Business).
Note that you should NOT ever send or share data by an ordinary, non-secured email, or use non-Hanken-provided systems (e.g., DropBox, GoogleDocs, OneDrive for Consumers).
If personal data is transferred to non-EU/EEA countries, specify the countries' names in your Data management plan (DMP) and the appropriate safeguards you plan to take to ensure that the level of data protection in compliance with the GDPR is not undermined.
If no personal data is transferred from and to non-EU/EEA countries, specify in the DMP that data transferred between project partners outside the EU/EEA will be restricted to anonymized data, the transfer will be made via a secure channel, and that processing and transfers of personal data will only reside inside the EU/EEA and be limited to the research.
If you work with sensitive personal data, use CSC's Sensitive Data Services for Research including Sensitive Data Connect (SD Connect, for sensitive data storage and sharing) and Sensitive Data Desktop (SD Desktop) which are designed to support secure sensitive data management through web-user interfaces accessible from the user's own computer.
Protect the data with strict access control and encryption if you work with sensitive personal data or confidential data such as trade secrets, politically sensitive information, and information concerning national security:
You can use Hanken’s video platform Panopto to transcribe research data, for both audio files and video files. Please note that you are responsible for not sharing the research data with anyone else in Panopto. See Transcribing qualitative data.
Data processors who conduct translation/interpretation or transliteration/transcription work, and the research partners who conduct the analysis of raw data – which contains any personal or individual-specific data, or are based on any individual informants – shall sign a Data processing agreement (DPA). Use Hanken’s Template for Data Processing Agreement (DPA).
Please ask for advice from Hanken’s Data security officer (firstname.lastname@example.org) and Data Protection Officer (DPO, email@example.com) to ensure that your storage and transferal solutions meet the data protection requirements.
6. Inform data subjects about changes and update documentation
Personal data may only be processed for the purposes that were communicated to the research participant before the processing began (by the consent form). If you need to process personal data for other purposes, you should inform the research participants of these new purposes and update all documents prior to the processing.
7. Anonymize data prior to publishing and archiving
Completely anonymous data do not exist, but by using various techniques and tools and following well-executed procedures, you can achieve a result where individual persons cannot be identified with reasonable effort based on the information provided, e.g., by combining different indirect identifiers, or by combining the data with information from other external sources.
Make an anonymisation plan which describes the anonymisation measures and evaluates the disclosure risk of data subjects’ personal data. The anonymisation plan also works as documentation on how the data have been processed. You can use the Anonymisation plan template in Anonymisation and Personal Data by the Finnish Social Science Data Archive (FSD) to write an anonymisation plan.
For sensitive personal data involving pseudonymisation or anonymisation, it is necessary to conduct a Data protection impact assessment (DPIA) in order to ensure an appropriate level of data protection and minimise risks to the data subjects’ rights.
It is recommended to avoid using open-ended questions to collect background information such as education or occupation. Instead, use a structured form to prevent interviewees from giving free-form responses that often contain identifiers. In categorising background information, utilise existing social classifications such as the Classifications by Statistics Finland.
The first anonymisation measure is usually to remove direct and strong indirect identifiers from your data. Use pseudonyms, aliases or codes so the data subjects are not identifiable without the use of separately stored additional information. Information on the original values and techniques used to create the pseudonyms and codes should be kept organisationally and technically separate from the pseudonymised data.
Removing direct and strong indirect identifiers, however, is rarely sufficient to make the data anonymous. It is possible to identify an individual by combining the background variables. See the detailed description of anonymisation principles and techniques for both quantitative data and qualitative data in Anonymisation and Personal Data by FSD and learn what to do for successful anonymisation.
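An added illustration (not from the original guide or from FSD) of the two steps described above: direct identifiers are replaced with keyed codes whose key and lookup table are held separately, and the remaining background variables are then checked for combinations shared by fewer than k people. The field names, sample records, coarse occupation categories and the threshold k=2 are constructed assumptions; the group-size check is the k-anonymity idea, which the guide itself does not name.

```python
import hashlib
import hmac
import secrets
from collections import Counter

DIRECT = ("name", "email")                    # direct identifiers to remove
QUASI = ("gender", "age_band", "occupation")  # background variables to check

# Constructed sample records, not real people.
SAMPLE = [
    {"name": "Anna A", "email": "anna@example.org", "gender": "female",
     "age_band": "30-39", "occupation": "nurse", "answer": 4},
    {"name": "Berit B", "email": "berit@example.org", "gender": "female",
     "age_band": "30-39", "occupation": "nurse", "answer": 2},
    {"name": "Carl C", "email": "carl@example.org", "gender": "male",
     "age_band": "40-49", "occupation": "teacher", "answer": 5},
    {"name": "David D", "email": "david@example.org", "gender": "male",
     "age_band": "40-49", "occupation": "teacher", "answer": 3},
    {"name": "Eva E", "email": "eva@example.org", "gender": "female",
     "age_band": "50-59", "occupation": "chairperson", "answer": 1},
    {"name": "Frida F", "email": "frida@example.org", "gender": "female",
     "age_band": "50-59", "occupation": "accountant", "answer": 4},
]

# Constructed coarse categories standing in for an official classification.
COARSE = {"nurse": "health", "teacher": "education",
          "chairperson": "administration", "accountant": "administration"}


def pseudonymise(records, key):
    """Replace direct identifiers with a keyed code.

    Returns (rows, lookup). The key and the lookup table are the additional
    information that must be stored apart from the pseudonymised rows.
    """
    rows, lookup = [], {}
    for rec in records:
        # Keyed HMAC rather than a plain hash: without the key, a code cannot
        # be recomputed by hashing a list of candidate e-mail addresses.
        msg = rec["email"].strip().lower().encode()
        pid = hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]
        lookup[pid] = {field: rec[field] for field in DIRECT}
        row = {k: v for k, v in rec.items() if k not in DIRECT}
        row["pid"] = pid
        rows.append(row)
    return rows, lookup


def small_groups(rows, quasi, k):
    """Return background-variable combinations shared by fewer than k rows."""
    counts = Counter(tuple(row[q] for q in quasi) for row in rows)
    return {combo: n for combo, n in counts.items() if n < k}


def generalise(rows, field, mapping):
    """Return copies of rows with one field recoded into coarser categories."""
    return [{**row, field: mapping.get(row[field], "other")} for row in rows]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # keep in a separate, access-controlled store
    rows, lookup = pseudonymise(SAMPLE, key)
    print("at risk before recoding:", small_groups(rows, QUASI, 2))
    coarse = generalise(rows, "occupation", COARSE)
    print("at risk after recoding: ", small_groups(coarse, QUASI, 2))
```

The pseudonymised rows still single out two respondents through their occupation until that variable is recoded, which is why removing names and e-mail addresses alone does not make the data anonymous.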
As publicly available information is constantly increasing, it is important to regularly assess whether a once anonymised dataset continues to be anonymous and conduct residual risk assessments.
(3) After active research phase
8. Data erasure and data publishing
Personal data that are no longer needed to conduct the research should be disposed of as soon as possible. For example, direct identifiers such as names, email addresses, and social security numbers should be removed immediately after they are no longer necessary to carry out the research. Storage limitation reduces risks related to personal data processing.
You need to make sure that personal data, dispensable data files, temporary files created when programs are used, and all their back-ups are deleted in due time when they are no longer needed, and that the deleted data cannot be recovered.
Deleting files using operating system tools, or even reformatting a hard drive, will not irretrievably destroy the data. It is important to permanently destroy any data that includes personal, sensitive or confidential data after data storage is no longer necessary. Ask for help and support from Hanken’s Data Security Manager (firstname.lastname@example.org) and DPO (email@example.com) for secure data disposal measures.
Anonymised data are published and archived in a data repository for shared use when possible. Data with personal information can only be published anonymised. Pseudonymised data are still personal data, and therefore cannot be opened without explicit consent for that purpose. Before archiving the research data, pseudonymous data should be made anonymous by irretrievably destroying the separately kept identifying information (for example, decryption keys, codes, applications or techniques used to pseudonymise the data).
If the open accessibility of a dataset is not possible for justified reasons, the metadata of the dataset can be published openly. It is strongly recommended to use the Fairdata Qvain metadata tool to describe and publish your (meta)data.
The consent of the research participant is required for the opening of the material from which the research participant is directly or indirectly identifiable. In some cases, the material may be shared for the originally intended purpose. If you plan to share or reuse data which include personal information, contact Hanken’s DPO firstname.lastname@example.org.
More information, see:
Personal data is any information relating to an identified or identifiable natural person. Examples of personal data can include, but are not limited to, name, address, email address, IP address, picture, and personal identity code.
The main principles of data protection laws state that personal data must be processed lawfully, fairly and in a transparent manner to protect the rights of the data subjects. Furthermore, personal data must be
A data subject is any person whose personal data is being collected, held or processed.
Rights of the data subjects include:
In addition to data subjects, there are two other fundamental roles in data protection: data controllers and data processors.
A data controller determines the purposes for which and the means by which personal data is processed. Hanken is for example a data controller when providing higher education for its students.
A data processor processes personal data only on behalf of the controller. The data processor is usually an external third party, for example a cloud service provider who provides online services for Hanken. According to Data Protection Laws, a data controller is required to sign Data Processing Agreements with its data processors to ensure protection of outsourced processing and storing of personal information.
The alternative lawful purposes for collecting and processing are:
More information about the main principles of data protection can be found from Data protection principles by the Office of the Data Protection Ombudsman.
In case of a personal data breach in Finland, the Office of the Finnish Data Protection Ombudsman must be notified within 72 hours by Hanken’s Data Protection Officer (email@example.com).
In most cases, the obligations of the Data Controller are shared between the individual researcher or the principal investigator and Hanken. That implies that there is a need for joint and shared measures to ensure informing the data subjects, defining the legal basis for processing, protecting the personal data, and keeping records of processing activities.
The lawful purpose for processing personal data in research at Hanken is normally public tasks (scientific research) or consent of the data subjects. If the research cannot be defined as scientific research with aims for publications for the advancement of science or with aims to train for scientific methods, consent must be obtained from the data subjects. Model templates for collecting consent are available on the privacy pages on www.hanken.fi/privacy (requires login).
To inform the data subjects about their rights, the researcher should use the wording of the templates mentioned above. The most important issues are that the data subjects
To register legal basis and to keep records of processing activities, Hanken has developed e-forms and templates:
With the help of these forms and templates, Hanken and the researcher can show compliance with the data protection laws.
Contact Hanken's Data Protection Officer firstname.lastname@example.org for advice regarding data protection.
You need to fill in the ethical review request e-form and submit it to Hanken’s Research Ethics Committee if your study is one of the six types:
Submit your data management plan (DMP) as an attachment to the request for ethical review. Indicate the date in the DMP when a request for ethical review was submitted to Hanken’s Research Ethics Committee.
If you have questions concerning ethical review, contact Hanken's Research Integrity Advisor: Anu Helkkula, email@example.com.
Video: Ethical review in the human sciences in Finland by TENK
All research shall comply with the Finnish National Board on Research Integrity (TENK) guidelines Responsible conduct of research and procedures for handling allegations of misconduct in Finland (2012). The RCR guidelines are available in Finnish, Swedish, and English.
In addition to the RCR guidelines, TENK has issued guidelines on the ethical principles to be followed as well as ethical review to be arranged for research in the humanities and social and behavioural sciences: The ethical principles of research with human participants and ethical review in the human sciences in Finland (2019), available in Finnish, Swedish and English.
When engaging in international collaboration, researchers shall follow the European Code of Conduct for Research Integrity by ALLEA, the European Federation of Academies of Sciences and Humanities and any other applicable ethical guidelines.
Researchers shall bear the responsibility for ethical and moral concerns and decisions involved in the research and during the interaction between the researcher and research participants. Follow Hanken's ethical guidelines and good data protection practices to maintain high ethical standards and comply with relevant legislation. See the procedures of personal data management in research at Hanken.
If you have questions concerning ethical guidelines, contact Hanken's Research Integrity Advisor: Anu Helkkula, firstname.lastname@example.org.
If you have questions concerning data protection, contact Hanken's Data Protection Officer email@example.com.
Legal issues related to data management include data protection policy, data-sharing agreements, data ownership, open data licenses, secondary data usage copyright permissions and other Intellectual Property Rights (IPRs) issues. Agreements on data ownership and other intellectual property rights must be concluded before commencing any actual research activities.
Use a license when opening your data for reuse (e.g. research data, code, software). Licensing your open research data means that you clearly define the reuse terms and possible restrictions to the future reuse of your data. This way, you are in control of who has rights to reuse the data, and how. Use machine-readable licenses that follow international standards, preferably Creative Commons. Besides Creative Commons licences, there are also specific licensing models for research data.
More information, see: