Research Data Management

(1) Before data collection (during research planning phase)

1. Plan what data you need and implement data protection by design and by default principles 

If your research proposal involves the processing of any personal data, you shall have plans in place to demonstrate compliance with EU and national data protection laws for the entire data life cycle.

At the earliest stage of designing your research project, consider how you design your study so that your data can be the least identifiable while still accomplishing your research goals, and ensure that, by default, personal data will be processed with the highest privacy protection. These are called data protection by design and by default principles. 

Understand the objectives of your study and define the clear, specified need for collecting personal data. Collect only the minimum amount of personal data necessary and proportionate to the accomplishment of your research tasks. Personal data shall not be collected just in case that they might be useful in the future.

Conduct a data minimisation review for the whole process of data management, including defining the types and amount of personal data collected, the extent to which they may be accessed, further processed and shared, the purposes for which they are used, and the period during which they are kept. You shall minimise the processing as far as possible. 

2. Write and update a Data management plan (DMP)

A Data management plan (DMP) can help you plan the entire life cycle of your research data. It is an important part of Research data management (RDM) and an essential tool for following good and responsible research practices. A DMP describes what and how research data will be handled during and after the research project, and elaborates the key measures for ethical and legal compliance and for FAIR data production.

Most of the research funders require a DMP as part of the funding application process (e.g., by Business Finland), after a positive funding decision (e.g., by the Research Council of Finland, formerly the Academy of Finland), or during the first six months of the project (e.g., by Horizon Europe).

Researchers can use Hanken’s DMP template or other Public DMP templates (with Hanken’s DMP guidance integrated) in DMPTuuli to write and update a DMP. Please see DMPTuuli with Hanken's DMP guidance and DMP template to learn how to get access to Hanken’s DMP template and DMP guidance.

3. Evaluate risks to data subjects  

3.1 Request an ethical review statement when needed

Researchers shall bear the responsibility for ethical and moral concerns and decisions involved in the research and during the interaction between the researchers and research participants.

All research shall comply with relevant Ethical principles and guidelines and follow any applicable ethical review practices. Conduct an ethical self-assessment and identify and address ethics issues in your research proposal.

• Check the six study types described in Ethical review to see if you need to request an ethical review statement by Hanken’s Research Ethics Committee. If your study is one of the six types, fill in the e-form Request for an ethical review for an empirical study and submit it to Hanken’s Research Ethics Committee.
• When you submit your ethical review request, you always need to provide these attachments: a privacy notice and a consent form. Depending on your research, you may also need additional attachments, such as a Data management plan (DMP) where you indicate the date of your ethical review request, and/or a Data protection impact assessment (DPIA).

Please contact Hanken’s Research Integrity Advisor (anu.helkkula@hanken.fi) for advice.

More information: To identify ethics and data protection issues in your research project, you can read Ethics and data protection (by the EC for scientific community, especially for funding applicants) and try its Ethics and Data Protection Decision Tree.

 

3.2 Carry out a Data protection impact assessment (DPIA) when needed 

If a planned personal data processing "is likely to result in a high risk to the rights and freedoms of the data subjects," a Data protection impact assessment (DPIA) shall be conducted prior to the processing (GDPR, Art. 35). This is particularly relevant when a new data processing technology is being introduced and may occur when the following data will be processed:

• data processed on a large scale, for example, large amounts of personal data or data from more than 500 data subjects; 
• personal data of children under the age of 15 or of other vulnerable data subjects such as employees, mentally ill persons, asylum seekers, the elderly, and patients; or
• sensitive personal data or data of a highly personal nature such as special categories of personal data, electronic communications whose confidentiality should be protected, location data whose collection questions the freedom of movement, financial data that might be used for payment fraud, personal documents, emails, diaries, notes from e-readers equipped with note-taking features, and very personal information contained in life-logging applications.

Check also the following four lists to determine whether you are required to conduct a DPIA:

• (1) The non-exhaustive list in the GDPR (Art. 35 (3)):
  • a systematic and extensive analysis of personal data in the context of automated processing, including profiling, where this has a significant effect on the data subject;
  • large-scale processing of special categories of personal data, or of personal data relating to criminal convictions and offences; or
  • a systematic monitoring of a publicly accessible area on a large scale.

• (2) The nine criteria in the Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 (the PDF file by the Article 29 Data Protection Working Party (now the European Data Protection Board), pp.9-11). The Guidelines (pp.11-14) also present a longer list of scenarios in which a DPIA may or may not be necessary. The nine criteria include:
  • Criterion 3: Systematic monitoring – processing used to observe, monitor or control data subjects, including data collected through networks or a systematic monitoring of a publicly accessible area. In these circumstances data subjects may not be aware of who is collecting their data and how the data will be used. It may also be impossible for individuals to avoid being subject to such processing in a public or publicly accessible space.
  • Criterion 6: Matching or combining datasets, for example, originating from two or more data processing operations performed for different purposes and/or by different data controllers in a way that would exceed the reasonable expectations of the data subject.
  • Criterion 8: Innovative use or applying new technological or organisational solutions, like combining use of finger print and face recognition for improved physical access control.

• (3) The supervisory authority in each member state shall establish and publish a supplementary guidance and list of processing operations for which a DPIA is required (GDPR, Art. 35 (4)). In the EU Member State DPIA Whitelists, Blacklists and Guidance compiled by the International Association of Privacy Professionals (IAPP), you can find the blacklist from the Finnish supervisory authority: 
  • List compiled by the Office of the Data Protection Ombudsman of processing operations which require data protection impact assessment (DPIA).

• (4) Section 31 of the Finnish Data Protection Act (1050/2018) requires that, for scientific and historical research purposes and statistical purposes, a DPIA shall be carried out if special categories of personal data are to be processed AND there will be a derogation from the rights of the data subjects to access, rectify, restrict, and object (under the GDPR, Art. 15, 16, 18, and 21). Note that in this situation, the DPIA shall be submitted to the office of the Data Protection Ombudsman before the processing is started.

A processing meeting one or two of the criteria may require a DPIA to be carried out. A DPIA is a process to help you identify and minimise the data protection risks of a project. The GDPR (Art. 35 (7): (a)-(d)) requires that the contents of a DPIA shall contain at least:

• a systematic description of the envisaged processing, including its nature, scope, context, purposes, and lawful ground,
• an assessment of the necessity and proportionality of the processing in relation to the purposes, 
• identifying and assessing the risks that the processing may pose to the data subjects, and
• defining adequate safeguard measures to prevent or mitigate these risks.

That is, in the DPIA, you identify the need for a DPIA, describe the nature of the data and data processing including data collection, analysis, storage and disposal, specify what and how much data will be collected and processed, what types of processing might involve what risks, the sources of risks and potential impact on the data subjects, and define additional safeguard measures to reduce or eliminate the risks.

Depending on the nature and scope of your processing, you can conduct a full or light version of a DPIA. Use Hanken's DPIA template (for studies and research) to conduct a full version of DPIA, or answer directly to the four minimum required aspects for a DPIA.  

Students and researchers shall consult Hanken's Data protection officer (DPO, dpo@hanken.fi) to conduct a DPIA. The DPO shall also monitor its performance (GDPR, Art. 35 and 39).

If your processing meets one or more of the criteria, but you consider the planned processing is not “likely to result in a high risk,” you shall justify and document the reasons for not carrying out a DPIA, and include the views of Hanken’s DPO (dpo@hanken.fi) (Article 29 Data Protection Working Party, 2016/679, p. 12).

(2) Data collection and analysis (during active research phase)

4. Specify the legal basis for processing personal data and provide data subjects with sufficient, mandated information

Personal data shall be processed lawfully with at least one of the six lawful grounds defined by the GDPR (Art. 6): consent, contract, legal obligation, protection of vital interests, public interest or official authority, and legitimate interests. You need to rely on at least one legal basis to justify why you have the right to collect, store, and handle personal data.

For research work conducted by researchers including PhD students, the legal basis is usually scientific research carried out in the public interest (GDPR (point (e) of Art. 6 (1) and Finnish Data Protection Act (1050/2018, Chapter 2, Section 4, point (3)).

When collecting personal data, what researchers need to do to comply with good data management practices, data protection regulations, and research integrity includes:

• (1) Obtain informed consent from the research participants, which is required by research ethics, for example, The ethical principles of research with human participants and ethical review in the human sciences in Finland. Finnish National Board on Research Integrity TENK guidelines 2019 (PDF). For non-medical research involving human participants, researchers shall follow these guidelines by TENK, which state that "[i]nformed consent to participate in research is a central ethical principle in research with human participants" (p. 9).

Note that this consent (to participate in the research, required by ethical standards) is different from consent (to personal data processing, as a legal basis under the GDPR). The difference is acknowledged by TENK’s guidelines (p. 9).

• Researchers use Hanken's Informed Consent template (in English, in Finnish, in Swedish) to obtain informed consent. Choose the language that your research participant prefers.

If you do not ask for informed consent from the research participants, or if your study is one of the other five types described in Ethical review, you need to request for an ethical review statement by Hanken’s Research Ethics Committee. 

There are rare cases wherein you may not have to ask for informed consent, for example, observation studies in public places and field experiments in which the experimental setup may substantially suffer from letting the participants know about the research in advance. Furthermore, if you only use secondary register data which is anonymised or aggregated (e.g., company-level data), you do not need to inform the research participants ("Secondary register data" means that the original data about persons have been gathered by someone else or some other party/organisation than you. For example, in your study you are analysing a company's anonymised customer database or some survey data that a governmental agency has originally gathered).

• (2) Provide all the mandated information in a privacy notice to research participants about the processing of their personal data. Transparency is an overarching principle and a fundamental requirement under the GDPR. Personal data should be processed in a fair and transparent way. Regardless of the legal basis for processing personal data, data subjects should obtain sufficient information from you about why and how their personal data are being collected, used, stored, disseminated, or otherwise processed. The GDPR (Art. 12-14) stipulates long lists of information that shall be provided to the data subjects, including the purposes and legal basis for processing, identity and contact details of the data controller and DPO, recipients of personal data, international data transfers, data retention and deletion plans, and data subjects’ rights. Furthermore, the principle of transparency requires, in particular, the information provided to the data subjects be easily accessible and easy to understand (GDPR, Recital 39). 

  • Researchers fill in and submit the e-form The Research's Privacy Notice (in English, in Finnish, in Swedish) and provide the privacy notice to the research participants to fulfil the transparency requirement and information provision obligation.

• After submitting the e-form, click "Save the completed form as a file." Edit the downloaded RTF file, so it can be suitable for your research participants.

• After being submitted, this privacy notice e-form also functions as the Record of processing activities which fulfils the record-keeping accountability (GDPR, Recital 82 and Art. 30). The transparency requirement also means that personal data processing activities shall be transparent to the supervisory authorities/Data protection authorities (DPAs). To demonstrate compliance with the GDPR, data controllers and processors maintain records of processing activities and make the records, on request, available to the supervisory authorities. Hanken's DPO checks the contents of the privacy notices/Records, contacts the researchers when needed, and compiles the records on file.

Basically, there are two situations with different timings for providing the required information, depending on whether the data are collected from the research participant or from some other sources:

• (1) If the personal data are collected from research participants (for example, when the participant is interviewed, fills out a questionnaire, or is observed by audio/video recording in a performance or social interaction carried out by the participant), you need to provide your research participants with the information about the processing of their personal data before or at the time when you are collecting/obtaining the data. You may provide the information, for instance, at the beginning of the interview or questionnaire. (GDPR, Art.13)

Both the informed consent form and privacy notice shall be provided to the research participants before you collect their personal data. Afterwards, the privacy notice shall be held available, for example, on the research project’s website and/or Hanken’s webpage, and be provided upon request to all the data subjects, Data protection authorities (DPAs), and research funders. Keep both the informed consent and privacy notice on file.

• (2) If personal data are received from a source other than the research participants (for example, from other data controllers, publicly available sources or other data subjects, or combing register data with your own research data), research participants should be informed of the processing of their personal data within a reasonable period after you have obtained the personal data, but at the latest within one month (GDPR, Art.14).

This often applies when you collect secondary data from online forums/social media. You need to ensure that data processing is fair to all the data subjects involved, that their fundamental rights are respected in compliance with ethical and privacy principles, and that relevant terms and conditions of the platform are observed. When applicable, the privacy notice ought to be given to the data subjects who are involved in the collection and processing of the data from the online forums/social media and you need to obtain consent from them.

If the provision of such information proves impossible or would involve a disproportionate effort, or seriously impair the achievement of the objectives of your processing, you can make your privacy notice publicly available, for example, on your research project’s website and/or Hanken’s webpage to make the privacy information publicly available (GDPR, Art. 14 (5)(b)). For example, Findata requires that data applicants post privacy notices online, either on the home organizations’ pages or the research projects’ pages, before granting access right to the secondary datasets from, e.g., Statistics Finland.

When it is difficult to provide all the required information at one time, you can adopt layered fair processing notices, providing and bringing first the most important information (e.g., the purposes of the processing and the identify of the data controller) in the first short layer to the data subjects’ attention, together with a click-through link to your privacy notice with more detailed information.

More information, see:

• The right to obtain information on the processing of personal data by the Office of the Data Protection Ombudsman. 
• Informing research participants about the processing of their personal data by the Finnish Social Science Data Archive (FSD).  

 

For studies and thesis-writing by BSc/MSc/eMBA students, consent is usually used as the legal basis unless the student is a member of a research project where one or more researchers (at the PhD level or above) are involved (GDPR, point (a) of Art. 6 (1)). When consent is used as a legal basis for processing personal data, the consent needs to meet the requirements of the GDPR. Consent to the processing of personal data should be a “freely given, specific, informed and unambiguous indication of the data subject’s wishes,” and “be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language” (GDPR, Art. 4 and 7). Data subjects have the right to withdraw their consent at any time. See Consent of the data subject by the Office of the Data Protection Ombudsman.

When collecting personal data, what students need to do to comply with data protection laws includes:

• (1) Obtain the respondents' consent to the processing of their personal data as the legal basis for personal data processing.
  • Students use Hanken's Consent to the processing of personal data template (in English, in Finnish, in Swedish) to obtain consent. Choose the language that your respondents prefer. Keep the consent on file, as you may be obligated to demonstrate that it was obtained.

• (2) Fill in and submit the e-form The Study's Privacy Notice (in English, in Finnish, in Swedish) and provide all the mandated information in the privacy notice to the respondents about the processing of their personal data to fulfil the transparency requirement and information provision obligation under the GDPR (Art. 12-14).
  • After submitting the e-form, click "Save the completed form as a file." Edit the downloaded RTF file, so it can be suitable for your respondents.
  • After being submitted, this privacy notice e-form also functions as the Record of processing activities which fulfils the record-keeping accountability under the GDPR (Art. 30). Hanken's DPO checks the contents of the privacy notices/Records, contacts the students when needed, and compiles the records on file.

 

Processing of special categories of personal data (sensitive personal data) shall be prohibited. Students and researchers needs to rely on at least one of the ten exceptions or derogations to the prohibition in order to collect and process special categories of personal data, data of a highly personal nature, and other specially protected personal data. These exceptions or derogations are specified in the GDPR (Art. 9) and supplemented in the Data Protection Act (1050/2018, Sections 6, 7 and 29).

• Researchers usually use the derogation (j) – processing of special categories of personal data is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. 

• Students usually use the derogation (a) – the data subject has given explicit consent to the processing of special categories of personal data to process special categories of personal data. This means that consent should not only be freely given, specific, informed and unambiguous, but also be explicit with a clear affirmative act by the data subject.

A personal identity code may be processed: (1) based on consent, (2) if so provided by law, (3) to perform a statutory duty, (4) to implement the rights and duties of the data subject or the controller, or (5) for scientific or historical research purposes or statistical purposes (Data Protection Act (1050/2018, Chapter 5, Section 29).

A Data protection impact assessment (DPIA) may be needed when students and researchers process special categories of personal data or data of a highly personal nature. See the instructions under "3.2 Carry out a data protection impact assessment (DPIA) when needed" and contact dpo@hanken.fi. 

5. Ensure secure data storage, backup, and transfers

What is important in your data collection and data analysis stages is that your research data are stored and backed up in a location that cannot be accessed by anyone who is not authorised, and that data transfers outside Hanken and the EU/EEA are only carried out in full compliance with relevant regulations.

See the PDF file “Instructions for handling and storing data and documents on different information security levels” on the page of Information Management at Hanken and learn what different storage solutions are allowed and suitable for different documents and data on different data security levels. 

For secure storage and backup of active research data during usage, students and researchers use:

• data storage services provided and maintained by Hanken, including the researcher's own account on the Hanken network like H:\, Microsoft Office365 applications (e.g., Onedrive for Business), Webropol or SPSS. If you do not have a plan for data archival after the research project, this solution is suitable. OR 

• data storage services provided by CSC such as IDA which is also for data archival. IDA is a Fairdata service for both data storage and data archival. The Fairdata services are offered by the Finnish Ministry of Education and Culture and produced by CSC – IT Centre for Science.

Established and well-known infrastructures are mostly a more secure alternative for storing research data than, for example, the hard disc on the researcher’s personal computer, both in terms of data security and from a confidentiality perspective. 

In addition to Hanken's and CSC's data storage systems, you can use your own password-protected personal computer and hardware (e.g., internal/external hard drives) and password-protected joint-use computers in a room located physically at Hanken with restricted access, to store and process data during research:

• However, do NOT use, even on your own computer, such data storage that is connected to or backed up on Internet clouds (e.g., iCloud, Google Docs, DropBox), but only use local hard drives and data folders that are not backed up in Internet services/clouds.
• Ensure that the data on your personal computer are properly protected by keeping the computer updated with security patches and ensuring secure configurations.
• When using memory sticks or external hard drives, make sure that they are stored securely, for example, in locked closets/lockers, and that you erase the personal data stored on your memory sticks and USB disks immediately after use. You can also encrypt the data on memory sticks and external hard drives by using, for example, zip applications or Office365.

Unless you have entered into a Data processing agreement (DPA) with another system/service provider who acts as a data processor, you shall NOT use other systems and internet clouds, for example, iCloud, Dropbox, Google Docs, publicly available OneDrive (for consumers) and other survey platforms than Webropol. A Data processing agreement (DPA) shall be signed between the data controller and data processor. Hanken’s DPA templates are available here (Data Processing Agreement template and Data Processing Appendix template (as part of an Agreement)).

If you collect personal data from online questionnaires or surveys, use the GDPR-compliant tools and platforms such as Webropol. Webropol's user instruction is available on the page of Hanken's IT services. If the information you plan to collect contains sensitive personal data or confidential data, it may be better that you do not collect it online. 

If you collect interview data by recording the interview with mobile phone or dictaphones or recording teleconferences, see Security instructions for handling recorded interviews.

You can use Hanken’s video platform Panopto to transcribe research data, for both audio and video files. Please note that you are responsible for not sharing the personal data contained in Panopto with anyone else. See Transcribing qualitative data.

 

If you transfer personal data outside Hanken:

• Use OneDrive storage space in your Hanken-provided account for sharing files and collaborating with others. Use the “Specific people”-option to ensure data access control. See Instructions on sharing files and collaborating with others at Hanken to ensure data security.

• If you save and store your data in IDA by CSC, use the safe data transfer and sharing measures offered by IDA. See 1.8 I want to share my research data, what should I do? in FAQ of the Fairdata services by CSC. 

• You can use physical memory sticks or external hard drives, in cases where you or the other party do not have access to Hanken's data sharing systems (e.g., OneDrive for Business). Make sure that data are stored securely, and that you erase the personal data stored on your memory sticks and on your USB disks immediately after the transfer. You can encrypt the data on memory sticks and external hard drives.

• Note that you should NOT send or share data by an ordinary, non-secured email, or use systems that are not provided by Hanken or CSC (e.g., DropBox, Google Docs, and publicly available OneDrive (for consumers) for data transfers.

• If you have a third party outside Hanken as the data processor who provides, for example, translation/interpretation, transliteration/transcription or raw data analysis services, you need to sign a Data processing agreement (DPA) with the data processor. Hanken’s DPA templates are available here (Data Processing Agreement template and Data Processing Appendix template (as part of an Agreement)).

• Transfers of personal data to third countries or in international organisations: For data transferred outside the EU/EEA, follow the European Commission's Rules on international data transfers (GDPR, Chapter V, Art. 44-50):

  • If the target country is on the list of the Commission's Adequacy decision, personal data can be transferred without any further safeguard being necessary. 
  • If the target country is not on the Adequacy list and personal data cannot be transferred to the third country on the basis of the Adequacy decision, you need to determine whether the transfer can be lawful under appropriate safeguards with one of the adopted mechanisms such as standard contractual clauses, binding corporate rules, certification mechanism, and codes of conduct.
  • There are also limited Derogations for specific situations (GDPR, Art. 49). For example, as part of the scientific publishing process, it can be exceptional yet necessary to transfer personal data outside the EU/EAA to the publishers or peer reviewers to verify the research results (GDPR, Art. 49 (1)(d)).

If personal data are transferred to non-EU/EEA countries, specify the countries' names in your privacy notice and the appropriate safeguards you plan to take to ensure that the level of data protection in compliance with the GDPR is not undermined. Contact dpo@hanken.fi for advice, for example, conducting a Transfer impact assessment (TIA).

If no personal data are transferred from and to non-EU/EEA countries, specify in the privacy notice that data transferred between project partners outside the EU/EEA will only be restricted to anonymized data, the transfer will be made via a secure channel, and processing and transfers of personal data will only reside inside the EU/EEA and be limited to the research.

More information, see Transfers of personal data out of the European Economic Area by the Office of the Data Protection Ombudsman. 

 

Special categories of personal data (sensitive personal data) are classified as being on the increased information security level (See the PDF file “Instructions for handling and storing data and documents on different information security levels” in Information Management at Hanken). 

If you work with sensitive personal data, use CSC's Sensitive Data Services for Research including Sensitive Data Connect (SD Connect, for sensitive data storage and sharing) and Sensitive Data Desktop (SD Desktop) which are designed to support secure sensitive data management through web-user interfaces accessible from the user's own computer.

Protect the data with strict access control and encryption if you work with sensitive personal data or confidential data such as trade secrets, politically sensitive information, information concerning national security, and data obtained in trust and confidence:

• Be sure that your storage solutions are safe enough for the data.
• Do NOT use cloud storage due to its insufficient data protection.
• Do NOT use external hard drives as the main storing option.
• Protect the data with encryption. If needed, particularly mobile devices, portable and external storage devices should be encrypted for use, e.g., by using Cryptomaror.
• Data with direct identifiers, contact information, sensitive personal data, and confidential data should NOT be sent between research team members by email – not even Hanken’s email system.

 

You can ask for advice from Hanken’s Information security officer (datasakerhetschef@hanken.fi) and Data protection officer (DPO, dpo@hanken.fi) to ensure that your storage and transfer solutions meet data protection requirements.

6. Inform data subjects of changes and update privacy notice and documentation

If there are changes in personal data processing, for example, if there are new, compatible processing purposes other than the initial purpose, if there are new recipients of the personal data (e.g., new research partners or translation or transcription service providers), or if there is an addition of new data variables to the categories of personal data compiled into the dataset, the privacy notice and other documentation shall be updated and the research participants be informed of the changes prior to the new processing. 

If informing each research participant of the changes proves to be impossible or would require a disproportionate effort, you can update your privacy notice on your research project’s website and/or Hanken’s webpage to make the information about the changes publicly available.

7. Anonymize data prior to publishing and archiving

It is stated by the Office of the Data Protection Ombudsman on Minimisation of personal data in scientific research that "[a]nonymisation and pseudonymisation should be performed as soon as possible, for instance right after the data have been aggregated."

Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to the individual involved without the use of additional information. Such additional information shall be kept separately from the pseudonymised data and be subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. (GDPR, Art. 4 (5))

Pseudonymisation can be done by removing or replacing identifiers with pseudonyms, aliases or codes. The data remain pseudonymous and personal as long as the additional identifying information exist. 

Anonymisation refers to the processing of personal data in a manner that the individual concerned cannot be re-identified. Completely anonymous data do not exist, but by using various techniques and tools and following well-executed procedures, you can achieve a result where individual persons cannot be identified with reasonable efforts based on your data, e.g., by combining different indirect identifiers in your data, or by combining your data with the information from other external sources.

Make an anonymisation plan which describes the anonymisation measures and evaluates the disclosure risk of data subjects’ personal data. The anonymisation plan also works as documentation on how the data have been processed. You can use the Anonymisation plan template in Anonymisation and Personal Data by the Finnish Social Science Data Archive (FSD) to write an anonymisation plan.

It is recommended to avoid using open-ended questions to collect background information such as education or occupation. Instead, use a structured form to prevent interviewees from giving free-form responses that often contain identifiers. In categorising background information, utilise existing social classifications such as those Classifications by Statistics Finland.

Usually the first anonymisation measure is to remove direct and strong indirect identifiers from your data. Use pseudonyms, aliases or codes so the data subjects are not identifiable without the use of separately stored additional information. Information on the original values and techniques used to create the pseudonyms or codes should be kept organisationally and technically separate from the pseudonymised data.

Pseudonymised data can be attributed to a natural person by the use of the additional information and are still personal data. Pseudonymised data become anonymised when the separately kept identifying information used to create the pseudonyms or codes (e.g., decryption keys, codes, applications or techniques used to pseudonymise the data) has been irreversibly destroyed and cannot be linked to the pseudonymised data.

Anonymised data are no longer considered to constitute personal data and are not subject to the data protection regulations.

The table by the FSD provides good tips for recognising direct, indirect, and strong indirect identifiers and how to anonymise research data by removing, changing or categorising these different identifiers.

As publicly available information is constantly increasing, it is important to regularly assess whether a once anonymised dataset continues to be anonymous and conduct residual risk assessments.

For special categories of personal data involving pseudonymisation or anonymisation, it may be necessary to conduct a Data protection impact assessment (DPIA) in order to ensure an appropriate level of data protection and minimise the risks to the data subjects’ rights. See 3.2 Carry out a Data protection impact assessment (DPIA) when needed and contact dpo@hanken.fi.

(3) After active research phase

8. Data erasure and (meta)data publishing

Personal data that are no longer needed for the original purpose should be disposed as soon as possible unless there are special reasons or legislation that require archiving. For example, direct identifiers such as names, email addresses, and personal identity codes should be removed immediately after they are no longer necessary to carry out the research. Storage limitation reduces the risks related to personal data processing. If it is not possible to determine the exact data retention period, specify the criteria used to determine that period to your research participants. 

Make sure that personal data, dispensable data files, temporary files created when programs are used, and all their backups be deleted within due time when they are no longer needed, and that the deleted data cannot be recovered.

Deleting files using operating system tools, or even reformatting a hard drive, will not irretrievably destroy the data. It is important to permanently destroy any data that includes personal, sensitive or confidential data after data storage is no longer necessary. Save your files to OneDrive and use the deletion feature. Remember to empty the trash as well. Data in Webropol will be erased by the Computer Centre shortly after a student's user ID is inactivated. You can ask for help and support from Hanken’s Information security officer (datasakerhetschef@hanken.fi) and DPO (dpo@hanken.fi) for secure data disposal measures.

More information, see:

• Data disposal by FSD.
• Five steps to decide what data to keep by the Digital Curation Centre (DCC).

 

Anonymised data are published and archived in a data repository for shared reuse whenever possible. According to Data Protection Act (1050/2018, Section 4 (4) and GDPR (point (e) of Art. 6 (1), if processing research material containing personal data and processing personal data included in their metadata for archiving purposes is necessary and proportionate to the aim of public interest pursued and to the rights of the data subject, it is lawful. Pseudonymised data are still personal data. Restricted access can be used as a measure to archive pseudonymised data. The research participants need to be informed of your open data plans in the privacy notice. See "Anonymize data prior to publishing and archiving." 

If the open accessibility of a dataset is not possible for justified reasons, the metadata of the dataset can be published openly available. It is strongly recommended to use Fairdata Qvain metadata tool to describe and publish your (meta)data. See Data publishing and pre­ser­va­tion.

Remember to register your datasets in Hanken's research database - Haris and add the persistent identifiers (PIDs, e.g., DOI and URN) for your (meta)data. Se Register datasets.

Some basic data protection concepts:

Personal data means any information relating to an identified or identifiable natural person (data subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Direct identifiers are information that is sufficient on its own to identify a natural person. Examples are a person’s full name, personal identity code, email address containing the personal name, and biometric identifiers (e.g., fingerprint, facial image, voice pattern or manual signature).

Indirect identifiers are information that on its own is not enough to identify someone, but can be used to deduce the identity of a person when linked with other available information. Examples are a person's age, gender, educational background, economic activity, occupational status, socio-economic status, household composition, income, marital status, mother tongue, nationality, ethnic background, place of work or study, and postal code.

Some types of information are identified as strong indirect identifiers which can be used to identify an individual fairly easily, such as a postal address, phone number, vehicle registration number, bibliographic citation of a publication by the individual, email address not in the form of the personal name, web address to a web page containing personal data, very rare disease, unusual job title, position held by only one person at a time (e.g., chairperson in an organisation), a student ID number, insurance or bank account number, and IP address of a computer. 

The following personal data are defined as special categories of personal data (sensitive personal data) by the GDPR (Art. 9): personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation. Personal data relating to criminal convictions and offences or related security measures are also, by their nature, particularly sensitive and merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms of the data subjects (GDPR, Art. 10).

More information about what constitutes personal data, see:

• "What kind of information constitutes identifiable data?" in Anonymisation and Personal Data by the Finnish Social Science Data Archive (FSD).
•  What is personal data? by the Office of the Data Protection Ombudsman.

Data processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Data controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means (i.e., why and how) of the processing of personal data. The controller is primarily responsible for compliance with data protection laws throughout the data life cycle. The controller can allocate responsibilities according to the actual roles of the parties.

• For personal data processing in research work by researchers including PhD students, data controllership shall be determined case by case, and the role of data controller or joint controller can be defined in the following cases:
  • If the researcher conducting the research is employed by Hanken, namely, if the research is conducted under an employment relationship with Hanken and as part of the employee’s work duties, Hanken is the data controller. 
  • If the research is not conducted under an employment contract with Hanken or not as part of a Hanken’s research project with supplementary funding, the researcher is the data controller. 
  • If the research is commissioned by a company or organization, the company or organization generally acts as the data controller.
  • When two or more controllers (e.g. Hanken, Aalto University, University of Helsinki) jointly determine the purposes and means of processing, they shall be joint controllers. 
• For personal data processing in studies and thesis-writing by BSc/MSc/eMBA students, data controllership shall also be determined case by case:
  • If a student collects and processes personal data independently for her/his studies and there is no employment relationship between Hanken and the student, the student assumes the role of data controller.
  • If a student’s studies are conducted under an employment contract with Hanken or as part of a Hanken’s research project, Hanken is the data controller.
  • If the study is commissioned by a company or organization, the company or organization generally acts as the data controller.
  • There are also cases where joint controllership needs to be defined for the personal data processed for a student's study or thesis-writing.

Data processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. A Data processor does not determine the purposes and means (i.e., why and how) of the processing of personal data. If your research project has a third party outside Hanken as a data processor who provides, for example, IT solutions for data collection or storage, translation/interpretation, transliteration/transcription or raw data analysis services, you need to sign a Data processing agreement (DPA) with the data processor. Hanken’s DPA templates are available here (Data Processing Agreement template and Data Processing Appendix template (as part of an Agreement)). 

 

More information, see:

• A Preliminary opinion on data protection and scientific research by the European Data Protection Supervisor (EDPS). The opinion considers that personal data protection is wholly compatible with responsible research. Data protection regulations are intended to serve as a safety framework for individuals whose data are needed to support science and research. 
• Scientific research and data protection by the Office of the Data Protection Ombudsman (tietosuoja.fi), which contains guidelines on personal data protection in scientific research. These guidelines provide guidance on defining the purpose for processing of personal data, choosing the legal basis, and implementing the rights of the data subject. They also include information on data controllers' and processors' obligations to demonstrate compliance with data protection legislation, responsibilities when transferring data outside the EU or EEA, and to employ appropriate ways to destroy, anonymize or archive research data.
• Additional instructions for planning the management of sensitive and confidential data 2019 (based on the DMP template of the Academy of Finland) by Tuuli project.
• How to handle personal data in research? by Aalto University.
• Privacy policy: Instructions for researchers by Jyväskylä University.
• Data protection in research by Tampere Universities.