1. When collecting and analysing personal data for his/her thesis, the student is considered to be the data controller. Since a thesis is made under supervision, it is the supervisor’s task to make the student aware of the obligations connected with this role. See more About data protection.
2. The lawful purpose for processing personal data in a thesis is normally public tasks (scientific research). Therefore, the BSc, MSc and eMBA students usually do not need to ask for informed consent, but must be made aware that the research participants/informants/respondents/subjects must always be informed about the nature of the data collection and processing.
3. All Hanken students need to fill in the Record of data processing activities for students. When filling in the form, the student will get instructions regarding:
- Occasions when he/she must fill in the longer Record of data processing activities for researchers (template_for_record_of_data_processing_activities_ka.xlsx) instead. If so, the student will also be asked to contact his/her supervisor, who in that case should help the student with the longer form.
- How to inform the research participants/informants/respondents/subjects about the nature of the data collection and processing.
- How to store the data safely, since IT-systems provided by Hanken (e.g. OneDrive for Business, Office 365, Webropol, SPSS) should be used. If a student plans to store the data somewhere else, he/she is asked to submit the data protection agreement of the storage provider after the matter has been discussed with the supervisor or with Hanken’s Data Protection Officer.
- Erasing the data. A student does not need to store the data for longer than six or twelve months after the thesis is submitted. Data in Webropol will be erased by the Computer Centre shortly after the students user-id is inactivated due to examination.
4. The supervisor should pay extra attention if a student plans to handle direct identifiers, data obtained in trust and confidence or sensitive data in his/her thesis project.
- When it comes to direct identifiers, the student must know that these identifiers should not be stored in the same file as other empirical data at any point. If it for some reasons must be processed together with the analysed data, the student must fill in the Record of Data Processing Activities for Researchers and the supervisor must help them with that.
- Data obtained in trust and confidence and sensitive data, must always be described using the Record of Data Processing Activities for Researchers, and the supervisor must help them with that.
5. There are six types of studies which require a request for an ethical review by Hanken’s Research Ethics Committee. Read more in Ethical Review. The supervisor and the student should fill in the request form together and be aware that the processing on the request will take at least two/three weeks.
6. When the student fills in the Record of data processing activities for students, both the student and supervisor will get a summary email. The supervisor should pay attention to the choices the student has made and act as follows:
- If the student has chosen direct identifiers, data obtained in trust and confidence, and sensitive data, this needs to be discussed with him/her, based on the point number 4 above in this list.
- If the student has answered No to the question about informing the research participants/informants/respondents/subjects, this needs to be discussed with him/her.
- If the student answers No to the question about only using storage systems provided by Hanken, this needs to be discussed with him/her, based on the point number 3 above in this list.
7. The summary email is also to be used as a proof of data protection actions on which the AoL-grading of the thesis is based.
8. For course assignments where students collect and handle data with no direct identifiers (e.g. name, address, email address, username, photo), public roles in legal entities, publicly available data, contact information stored separately, or data erased within six months after the course:
- The assignment/course teacher/instructor fills in and submits one e-form for all the assignments of all the students or student groups.
- The teacher/instructor should inform the students of this e-form, guide them not to gather or store any direct identifier information (at all, or in the same file as the research data), provide them with a note which they can use to inform respondents about data processing, and instruct them to erase the data within 6 months after the course.
- The note can be, for example: Please note that this study does not collect or store any direct identifier information about you (e.g. name, address, email address, username, photo), or any other piece of information/data that would allow identifying you. Your identity will not be visible in the study analysis, results, or report in any way, either. The entire dataset will be erased no later than 6 months after the course is completed.
- In case that any direct identifier information is gathered by students and stored in the same file as the rest of the research data, each student/student group should fill in a form on their own.