Research Data Management: Data collection

When you collect your data from your research participants, informing research participants about the processing of their personal data is a crucial part of the transparency principle laid down in the General Data Protection Regulation of the European Union (GDPR). In other words, research participants should obtain the information from you about how their personal data are being collected, used, stored, disseminated, or otherwise processed.

If you collect personal data, justify why you have the right to collect, handle, and preserve personal data:

• If data processing takes place in the EU (Finland), the GDPR applies and information on data processing should be provided.
• A basic principle regarding the collection and storage of personal data is the need for personal data in a study (scientific research). In other words, consent is not needed if general interest/scientific research is invoked as the basis for data processing.
• According to the main principle in the Personal Data Act (523/1999), personal data can be processed with the consent of the subject.
  • Researchers and doctoral students can modify the consent message template to inform your research participants when collecting personal data.
  • BSc/MSc/eMBA students can use the different notes in the Record of data processing activities for students e-form and let the research participants know that "The research involves processing and storing of personal data, but it will be conducted according to the privacy policy of Hanken (https://www.hanken.fi/privacy)."
• You do not need the consent of a person that you do not directly quote. But in your written paper, credit both the original and the secondary sources. This means you need to cite both the original and secondary sources in in-text citation within the paper, and cite only the secondary source in your reference list at the end of the paper.
• If the research participants have questions or requests regarding the handling of the personal data, the student/researcher (name, email address) should primarily be contacted. In case of complaints, the research participants can contact the Data Protection Officer of Hanken (dpo@hanken.fi).

Basically, there are two situations with different must-dos when collecting personal data:

• If the personal data are collected from research participants (for example, when the participant is interviewed, fills out a questionnaire, or is observed by audio/video recording in a performance or social interaction carried out by the participant), you need to provide your research participants the information about the processing of their personal data at the time when you are collecting/obtaining the data. You may provide the information, for instance, at the beginning of the interview or questionnaire.
• If the personal data are received from a source other than the research participant (for example, from other data controllers, publicly available sources, or other data subjects, or combing register data with your research data), research participants should be informed about the processing of their personal data within a reasonable period of time, however, no later than one month counting from the point when the personal data are collected/received by you.

See Hanken's security instructions for recording interviews with mobile phones and dictaphones and interviews' content in teleconferences on the right.

Remember to indicate in the informed consent message:

• how the contact information was obtained,
• how the collected data is stored and archived,
• the reasons for letting or not letting the research participants see, correct, or erase their own data.

You can still have a separate file about the research participants’ contact information (e.g., email addresses), but that file must be separate from the actual research dataset.

More information about what you need to provide research participants about the processing of their personal data, see Content of the information by the Finnish Social Science Data Archive (FSD).     

Note that in special situations, for example, if you collect data from children under 15 years old or other populations belonging to vulnerable groups, or your data collection exposes participants to certain kinds of sensitivities or risks, you need to request an ethical review from Hanken's Research Ethics Committee. See Ethical review about the six types of studies that request an ethical review. Contact Hanken’s Data Protection Officer dpo@hanken.fi for detailed advice.

More information, see Informing Research Participants about the Processing of Their Personal Data by the Finnish Social Science Data Archive (FSD).     

Recorded interviews are usually materials associated with the base information security level (restricted).

Exceptions consist of:

• Interviews whose content concerns a person's sensitive personal data as defined in GDPR, which means that the interviews are then classified as being on the increased information security level (confidential). Sensitive personal data is by definition data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.
• Interviews that deal with trade secrets are also classified as being on the increased information security level (confidential).
• Cases where the interviewee has required a particularly high level of confidentiality.

For more information on information security levels, see the PDF file (Instructions for handling and storing data and documents on different information security levels) on the page of Information Management at Hanken.

The following rules apply when recording interviews:

- Recording with mobile phones

• Recording with a mobile phone is allowed provided that the phone is in personal use and protected with a PIN, password, or biometric login.
• Files on the base information security level are transferred via Hanken's OneDrive to the personal computer, or other appropriate storage medium.
• Files on the increased information security level are transferred to your own computer via a USB cable.

- Recording with dictaphones

• Dictaphones usually lack security features such as PINs or passwords. A dictaphone containing interviews' content must therefore be handled with care so that it does not fall into the wrong hands. The materials should be transferred to another storage medium, e.g., OneDrive or your own computer's disc as soon as possible after the interview. The files should then be removed from the recorder.

- Recording of teleconferences

• Interviews on the base information security level can be recorded through a teleconference in Microsoft Teams. The conference must be arranged through a Hanken user account. The recorded files are created directly in the cloud service and can then be transferred to other suitable storage media.

For surveys, you can also use respondents from participants pools/panels (e.g., Amazon MTurk, Prolific Academic). If doing so, all the same principles for data processing and protection apply as for other sources of respondents. Especially, remember to inform the respondents (on the cover letter or first page of the survey) about the purpose of data gathering and processing, about whether any direct identifier information is stored (at all, in separate file, or in the same file as the research data), and how and when all the data will be erased. Note that if the actual survey instrument that you use is not Hanken-provided Webropol (but e.g., Qualtrics), you have to check with dpo@hanken.fi that there is a Data Processing Agreement in place with the provider of the survey instrument.