1. When collecting and analysing personal data for his/her thesis, the student is considered to be the data controller. Since a thesis is made under supervision, it is the supervisor’s task to make the student aware of the obligations connected with this role. See Handling personal data in research.
2. The lawful purpose for processing personal data in a thesis is normally public tasks (scientific research). Therefore, the BSc, MSc and eMBA students usually do not need to ask for informed consent, but must be made aware that the research participants/informants/respondents/subjects must always be informed about the nature of the data collection and processing.
3. All Hanken students need to fill in the Record of data processing activities for students. When filling in the form, the student will get instructions regarding:
4. The supervisor should pay extra attention if a student plans to handle direct identifiers, data obtained in trust and confidence or sensitive data in his/her thesis project.
5. There are six types of studies which require a request for an ethical review by Hanken’s Research Ethics Committee. Read more in Ethical Review. The supervisor and the student should fill in the request form together and be aware that the processing on the request will take at least two/three weeks.
6. When the student fills in the Record of data processing activities for students, both the student and supervisor will get a summary email. The supervisor should pay attention to the choices the student has made and act as follows:
7. The summary email is also to be used as a proof of data protection actions on which the AoL-grading of the thesis is based.
8. For course assignments where students collect and handle data with no direct identifiers (e.g. name, address, email address, username, photo), public roles in legal entities, publicly available data, contact information stored separately, or data erased within six months after the course: