Research Data Management

(1) Before data collection (during research planning phase)

1. Plan what data you need

If your research involves personal data processing, consider already at the earliest research planning stage how you design your study so that your data can be the least identifiable while still accomplishing your research goals, and ensure that, by default, personal data will be processed with the highest privacy protection. 

Understand the objectives of your study and define the clear, specified need for collecting personal data. Collect only the minimum amount of personal data necessary and proportionate to the accomplishment of your research tasks. Personal data shall not be collected just in case that they might be useful in the future.

Conduct a data minimisation review for the whole process of data management, including defining the types and amount of personal data collected, the extent to which they may be accessed, further processed and shared, the purposes for which they are used, and the period during which they are kept. You shall minimise the processing as far as possible. 

2. Evaluate risks to data subjects  

2.1 Request an ethical review statement when needed

All research shall comply with relevant Ethical principles and guidelines and follow any applicable ethical review practices. Conduct an ethical self-assessment and identify and address ethics issues in your research proposal.

• Check the six study types described in Ethical review to see if you need to request an ethical review statement by Hanken’s Research Ethics Committee. If your study is one of the six types, fill in the e-form Request for an ethical review for an empirical study and submit it to Hanken’s Research Ethics Committee.
• When you submit your ethical review request, you always need to provide these attachments: a privacy notice and a consent form. Depending on your research, you may also need additional attachments, such as a Data management plan (DMP) where you indicate the date of your ethical review request, and/or a Data protection impact assessment (DPIA).
• In case a BSc/MSc/EMBA student's study is one of the six types, the supervisor shall request an ethical review statement and fill in the request e-form together with the student.

Contact Hanken’s Research Integrity Advisor (anu.helkkula@hanken.fi) for advice.

More information: To identify ethics and data protection issues in your research project, you can read Ethics and data protection (by the EC for scientific community, especially for funding applicants) and try its Ethics and Data Protection Decision Tree.

2.2 Carry out a Data protection impact assessment (DPIA) when needed 

If a planned personal data processing is likely to result in a high risk to the rights and freedoms of the data subjects, a Data protection impact assessment (DPIA) shall be conducted prior to the processing. This may occur when the following data will be processed:

• data processed on a large scale, for example, large amounts of personal data or data from more than 500 data subjects. 
• personal data of children under the age of 15 or of other vulnerable data subjects such as employees, mentally ill persons, asylum seekers, the elderly, and patients. 
• sensitive personal data or data of a highly personal nature such as special categories of personal data, electronic communications whose confidentiality should be protected, location data whose collection questions the freedom of movement, financial data that might be used for payment fraud, personal documents, emails, diaries, notes from e-readers equipped with note-taking features, and very personal information contained in life-logging applications.
• a systematic and extensive analysis of personal data in the context of automated processing, including profiling, where this has a significant effect on the data subject.
• systematic monitoring: processing used to observe, monitor or control data subjects, including data collected through networks or a systematic monitoring of a publicly accessible area. In these circumstances data subjects may not be aware of who is collecting their data and how the data will be used. It may also be impossible for individuals to avoid being subject to such processing in a public or publicly accessible space.
• matching or combining datasets, for example, originating from two or more data processing operations performed for different purposes and/or by different data controllers in a way that would exceed the reasonable expectations of the data subject.
• innovative use or applying new technological or organisational solutions, like combining use of finger print and face recognition for improved physical access control.
• if special categories of personal data are to be processed AND there will be a derogation from the rights of the data subjects to access, rectify, restrict, and object. Note that in this situation, the DPIA shall be submitted to the office of the Data Protection Ombudsman before the processing is started, according to Section 31 of the Finnish Data Protection Act (1050/2018).
• The supervisory authority in each member state shall establish and publish a supplementary guidance and list of processing operations for which a DPIA is required. In the EU Member State DPIA Whitelists, Blacklists and Guidance compiled by the International Association of Privacy Professionals (IAPP), you can find the blacklist from the Finnish supervisory authority: 
  • List compiled by the Office of the Data Protection Ombudsman of processing operations which require data protection impact assessment (DPIA).

More information, see the nine criteria in the Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 (the PDF file by the European Data Protection Board, pp.9-11). The Guidelines (pp.11-14) also present a longer list of scenarios in which a DPIA may or may not be necessary.

A processing meeting one or two of the criteria may require a DPIA to be carried out. A DPIA helps you identify and minimise the data protection risks of a project. The contents of a DPIA shall contain at least:

• a systematic description of the envisaged processing, including its nature, scope, context, purposes, and lawful ground,
• an assessment of the necessity and proportionality of the processing in relation to the purposes, 
• identifying and assessing the risks that the processing may pose to the data subjects, and
• defining adequate safeguard measures to prevent or mitigate these risks.

Depending on the nature and scope of your processing, you can conduct a full or light version of a DPIA. Use Hanken's DPIA template (for studies and research) to conduct a full version of DPIA, or answer directly to the four minimum required aspects for a DPIA.  

Contact dataethics@hanken.fi to conduct a DPIA.

(2) Data collection and analysis (during active research phase)

3. Ask for consent and provide privacy notice 

When collecting personal data, what researchers need to do to comply with good data management practices, data protection regulations, and research integrity includes:

• (1) Obtain informed consent from the research participants, which is required by research ethics, for example, The ethical principles of research with human participants and ethical review in the human sciences in Finland. Finnish National Board on Research Integrity TENK guidelines 2019 (PDF). The guidelines state that "[i]nformed consent to participate in research is a central ethical principle in research with human participants" (p. 9).

Note that this consent (to participate in the research, required by ethical standards) is different from consent (to personal data processing, as a legal basis under the GDPR). The difference is acknowledged by TENK’s guidelines (p. 9). For research work conducted by researchers including PhD researchers, the legal basis for processing personal data is usually scientific research carried out in the public interest.

• Researchers use Hanken's Informed Consent template (in English, in Finnish or in Swedish) to obtain informed consent. Choose the language that your research participant prefers.

• (2) Provide privacy notice to research participants about the processing of their personal data to fulfil the information provision obligation required by the GDPR.

  • Researchers fill in and submit the e-form The Research's Privacy Notice (in English, in Finnish or in Swedish) and provide the privacy notice to the research participants.

• After submitting the e-form, click "Save the completed form as a file." Edit the downloaded RTF file, so it can be suitable for your research participants.
• After being submitted, this privacy notice e-form also functions as the Record of processing activities which fulfils the record-keeping accountability under the GDPR. 

When collecting personal data, what BSc/MSc/eMBA students need to do includes:

• (1) Obtain the respondents' consent to the processing of their personal data as the legal basis for personal data processing. For studies and thesis-writing by BSc/MSc/eMBA students, consent is usually used as the legal basis, unless the student is a member of a research project where one or more researchers (at the PhD level or above) are involved. 
  • Students use Hanken's Consent to the processing of personal data template (in English, in Finnish or in Swedish) to obtain consent. Choose the language that your respondents prefer. 

• (2) Fill in and submit the e-form The Study's Privacy Notice (in English, in Finnish or in Swedish) and provide the privacy notice to the respondents about the processing of their personal data to fulfil the information provision obligation under the GDPR.
  • After submitting the e-form, click "Save the completed form as a file." Edit the downloaded RTF file, so it can be suitable for your respondents.
  • After being submitted, this privacy notice e-form also functions as the Record of processing activities which fulfils the record-keeping accountability under the GDPR. 

Special categories of personal data (sensitive personal data) are subject to specific processing conditions. Students and researchers need to rely on at least one of the ten exceptions or derogations to the prohibition in order to collect and process special categories of personal data:

• Researchers usually use the derogation (j) – processing of special categories of personal data is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. 

• Students usually use the derogation (a) – the data subject has given explicit consent to the processing of special categories of personal data to process special categories of personal data. This means that consent should not only be freely given, specific, informed and unambiguous, but also be explicit with a clear affirmative act by the data subject.

A Data protection impact assessment (DPIA) may be needed when students and researchers process special categories of personal data, data of a highly personal nature, and other specially protected personal data. See the instructions under "2.2 Carry out a data protection impact assessment (DPIA) when needed" and contact dataethics@hanken.fi. 

4. Ensure secure data storage, backup, and transfers

For secure storage and backup of active research data during usage, students and researchers use: 

• data storage services provided by Hanken including the researcher's own account on Hanken network like H:\, Microsoft Office365 applications (e.g., Onedrive for Business), Webropol or SPSS. 
  • If you collect personal data from online questionnaires or surveys, use the GDPR-compliant tools and platforms such as Webropol. Webropol's user instruction is available on the page of Hanken's IT services.  
  • You can use Hanken’s video platform Panopto to transcribe research data, for both audio and video files. See Transcribing qualitative data.

• data storage services provided by CSC include IDA which is also for data archival. IDA is one of the Fairdata services offered by the Finnish Ministry of Education and Culture and produced by CSC.

• In addition to Hanken's and CSC's data storage systems, you can also use:
  • your own password-protected personal computer and hardware (e.g., internal/external hard drives), 
  • password-protected joint-use computers in a room located physically at Hanken with restricted access, and
  • memory sticks or external hard drives, but make sure that they are stored securely, for example, in locked closets/lockers, and that you erase the personal data stored on the memory sticks and USB disks immediately after use. You can encrypt the data on memory sticks and external hard drives by using, for example, zip applications or Office365.

Do NOT use, even on your own computer, such data storage that is connected to or backed up on Internet clouds (e.g., iCloud, Google Docs, DropBox), but only use local hard drives and data folders that are not backed up in Internet services/clouds.

Unless you have entered into a Data processing agreement (DPA) with another system/service provider who acts as a data processor, you shall NOT use other systems and internet clouds, for example, iCloud, Dropbox, Google Docs, publicly available OneDrive (for consumers) and other survey platforms than Webropol. A Data processing agreement (DPA) shall be signed between the data controller and data processor. Hanken’s DPA templates are available here (Data Processing Agreement template or Data Processing Appendix template (as part of an Agreement)).

For personal data transfers outside Hanken:

• Use OneDrive storage space in your Hanken-provided account for sharing files and collaborating with others. Use the “Specific people”-option to ensure data access control. 

• If you save and store your data in IDA by CSC, use the safe data transfer and sharing measures offered by IDA. See 1.8 I want to share my research data, what should I do? in FAQ of the Fairdata services by CSC. 

• You can use physical memory sticks or external hard drives, in cases where you or the other party do not have access to Hanken's data sharing systems. Make sure that data are stored securely, and that you erase the personal data stored on your memory sticks and on your USB disks immediately after the transfer. You can encrypt the data on memory sticks and external hard drives.

• Note that you should NOT send or share data by an ordinary, non-secured email, or use systems that are not provided by Hanken or CSC, e.g., DropBox, Google Docs, and publicly available OneDrive (for consumers), for data transfers.

• If you have a third party outside Hanken as the data processor who provides, for example, translation/interpretation, transliteration/transcription or raw data analysis services, you need to sign a Data processing agreement (DPA) with the data processor. Hanken’s DPA templates are available here (Data Processing Agreement template or Data Processing Appendix template (as part of an Agreement)).

• If you transfer personal data outside of the EU/EEA, contact dataethics@hanken.fi for advice. See Transfers of personal data out of the European Economic Area by the Office of the Data Protection Ombudsman. 

If you work with sensitive personal data, use CSC's Sensitive Data Services for Research including Sensitive Data Connect (SD Connect, for sensitive data storage and sharing) and Sensitive Data Desktop (SD Desktop) which are designed to support secure sensitive data management through web-user interfaces accessible from the user's own computer.

Protect the data with strict access control and encryption if you work with sensitive personal data or confidential data such as trade secrets, politically sensitive information, information concerning national security, and data obtained in trust and confidence:

• Be sure that your storage solutions are safe enough for the data.
• Do NOT use cloud storage due to its insufficient data protection.
• Do NOT use external hard drives as the main storing option.
• Protect the data with encryption. If needed, particularly mobile devices, portable and external storage devices should be encrypted for use, e.g., by using Cryptomator.
• Data with direct identifiers, contact information, sensitive personal data, and confidential data should NOT be sent between research team members by email – not even Hanken’s email system.

You can ask for advice from Hanken’s Information security officer (datasakerhetschef@hanken.fi) to ensure that your storage and transfer solutions meet data protection requirements.

5. Inform data subjects of changes and update documentation

If there are changes in personal data processing, for example, if there are new, compatible processing purposes other than the initial purpose, if there are new recipients of the personal data (e.g., new research partners or translation or transcription service providers), or if there is an addition of new data variables to the categories of personal data compiled into the dataset, the privacy notice and other documentation shall be updated and the research participants be informed of the changes prior to the new processing. 

6. Anonymize/pseudonymize data prior to publishing and archiving

It is stated by the Office of the Data Protection Ombudsman on Minimisation of personal data in scientific research that "[a]nonymisation and pseudonymisation should be performed as soon as possible, for instance right after the data have been aggregated."

Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to the individual involved without the use of additional information. Pseudonymisation can be done by removing or replacing identifiers with pseudonyms, aliases or codes. The additional information on the original values and techniques used to create the pseudonyms or codes shall be kept organisationally and technically separately from the pseudonymised data to ensure that the personal data are not attributed to an identified or identifiable natural person. (GDPR, Art. 4 (5))

The data remain pseudonymous and personal as long as the additional identifying information exist. That is, pseudonymised data can be attributed to a natural person by the use of the additional information and are still personal data. 

Pseudonymised data become anonymised when the separately kept identifying information used to create the pseudonyms or codes (e.g., decryption keys, codes, applications or techniques used to pseudonymise the data) has been irreversibly destroyed and cannot be linked to the pseudonymised data.

Anonymisation thus refers to the processing of personal data in a manner that the individual concerned cannot be re-identified. Anonymised data are no longer considered to constitute personal data and are not subject to the data protection regulations.

Completely anonymous data do not exist, but by using various techniques and tools and following well-executed procedures, you can achieve a result where individual persons cannot be identified with reasonable efforts based on your data, e.g., by combining different indirect identifiers in your data, or by combining your data with the information from other external sources.

The table by the FSD provides good tips for recognising direct, indirect, and strong indirect identifiers and how to anonymise research data by removing, changing or categorising these different identifiers. 

In categorising background information, utilise existing social classifications such as those Classifications by Statistics Finland.

(3) After active research phase

7. Data erasure and (meta)data publishing

Personal data that are no longer needed for the original purpose should be disposed as soon as possible unless there are special reasons or legislation that require archiving. If it is not possible to determine the exact data retention period, specify the criteria used to determine that period to your research participants. 

Deleting files using operating system tools, or even reformatting a hard drive, will not irretrievably destroy the data. Save your files to OneDrive and use the deletion feature. Remember to empty the trash as well. Data in Webropol will be erased by the IT services shortly after a student's user ID is inactivated. You can ask for help and support from Hanken’s Information security officer (datasakerhetschef@hanken.fi) for secure data disposal measures.

More information, see:

• Data disposal by FSD.
• Five steps to decide what data to keep by the Digital Curation Centre (DCC).

Anonymised data are published and archived in a data repository for shared reuse whenever possible. According to Data Protection Act (1050/2018, Section 4 (4) and GDPR (point (e) of Art. 6 (1), if archiving research material containing personal data is necessary and proportionate to the aim of public interest pursued and to the rights of the data subject, it is lawful. Restricted access can be used as a measure to archive pseudonymised data which are still personal data. The research participants need to be informed of your open data plans in the privacy notice. 

If the open accessibility of a dataset is not possible for justified reasons, the metadata of the dataset can be published openly available. It is strongly recommended to use Fairdata Qvain metadata tool to describe and publish your (meta)data. See Data publishing and pre­ser­va­tion.

Some basic data protection concepts:

Data processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Data controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means (i.e., why and how) of the processing of personal data. The controller is primarily responsible for compliance with data protection laws throughout the data life cycle. The controller can allocate responsibilities according to the actual roles of the parties.

• For personal data processing in research work by researchers including PhD researchers, data controllership shall be determined case by case, and the role of data controller or joint controller can be defined in the following cases:
  • If the researcher conducting the research is employed by Hanken, namely, if the research is conducted under an employment relationship with Hanken and as part of the employee’s work duties, Hanken is the data controller. 
  • If the research is not conducted under an employment contract with Hanken or not as part of a Hanken’s research project with supplementary funding, the researcher is the data controller. 
  • If the research is commissioned by a company or organization, the company or organization generally acts as the data controller.
  • When two or more controllers (e.g. Hanken, Aalto University, University of Helsinki) jointly determine the purposes and means of processing, they shall be joint controllers. 
• For personal data processing in studies and thesis-writing by BSc/MSc/eMBA students, data controllership shall also be determined case by case:
  • If a student collects and processes personal data independently for her/his studies and there is no employment relationship between Hanken and the student, the student assumes the role of data controller.
  • If a student’s studies are conducted under an employment contract with Hanken or as part of a Hanken’s research project, Hanken is the data controller.
  • If the study is commissioned by a company or organization, the company or organization generally acts as the data controller.
  • There are also cases where joint controllership needs to be defined for the personal data processed for a student's study or thesis-writing.

Data processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. A Data processor does not determine the purposes and means (i.e., why and how) of the processing of personal data. If your research project has a third party outside Hanken as a data processor who provides, for example, IT solutions for data collection or storage, translation/interpretation, transliteration/transcription or raw data analysis services, you need to sign a Data processing agreement (DPA) with the data processor. Hanken’s DPA templates are available here (Data Processing Agreement template and Data Processing Appendix template (as part of an Agreement)). 

More information, see:

• A Preliminary opinion on data protection and scientific research by the European Data Protection Supervisor (EDPS). The opinion considers that personal data protection is wholly compatible with responsible research. Data protection regulations are intended to serve as a safety framework for individuals whose data are needed to support science and research. 
• Scientific research and data protection by the Office of the Data Protection Ombudsman (tietosuoja.fi), which contains guidelines on personal data protection in scientific research. These guidelines provide guidance on defining the purpose for processing of personal data, choosing the legal basis, and implementing the rights of the data subject. They also include information on data controllers' and processors' obligations to demonstrate compliance with data protection legislation, responsibilities when transferring data outside the EU or EEA, and to employ appropriate ways to destroy, anonymize or archive research data.
• Additional instructions for planning the management of sensitive and confidential data 2019 (based on the DMP template of the Academy of Finland) by Tuuli project.
• How to handle personal data in research? by Aalto University.
• Privacy policy: Instructions for researchers by Jyväskylä University.
• Data protection in research by Tampere Universities.