Ä¢¹½Ö±²¥

A student may collect personal data using a variety of means, such as

• a questionnaire (Webropol, REDCap)
• through interviews
• by means of observations
• from internet/social media

Please note that audio recordings, photographs and videos of interviews are also considered personal data. Personal data is being collected during a survey if the respondents can be identified based on the collected data, directly or indirectly. The collection of background variables only may also lead to a person being identified (e.g. nickname, age, gender or domicile). Identifiability does not require that a person will be recognised by everyone or a large group of people; it suffices if only persons close to the person can identify them.

Go through with your (thesis) supervisor your research plan, what kind of personal data you collect, and how you inform your subjects.

Processing of special categories personal data

As a rule, the processing of personal data belonging to special categories is prohibited. For you to be able to process special category data you will need explicit consent or your thesis needs to be scientific research. 

Consent is one possible legal basis for processing personal data/special category data.

Requirements for consent

For consent to be valid, it must be a

• informed,
• freely given, and
• unambiguous indication of the data subject's wishes ( for example, ticking a box on a website is a sufficiently unambiguous and clear expression of wishes or signing a document)
• specific (when processing special category data)
• you will need to inform the data subject how they can withdraw consent at any time (if a person withdraws consent their personal data needs to be deleted)

Special categories personal data are

• racial or ethnic origin
• political opinions
• religion or philosophical beliefs
• trade union membership
• data concerning health (concept"health" needs to be interpeted proadly)
• sexual orientation or activity and
• genetic and biometric data for identifying the person.

Processing such data can create significant risks to the fundamental rights and freedoms of the individual.

What should you take into account before starting the processing of personal data

Before starting, you must:

1. Determine as accurately as possible (in the research plan, for example) which personal data you will process, where and how.
2. Describe the processing and retention of personal data required for the study as part of your research plan (or other similar written document).

• Don’t forget the minimisation principle (do not collect any extra/unnecessary personal data)
• Don’t forget the link to intended use (the data must only be used for the described specific purpose)

3. Assess and identify the data controller. The data controller determines the goals and means of personal data processing.

• Theses, the university does not exercise decision-making power in relation to a thesis independently done by a student(s). Student is the data controller.  
• If you prepare your thesis as part of a research project, the party responsible for the research register and data is usually also the data controller. In the case of a single research assignment (typically from an organisation/business), the client may determine the goals and means of personal data processing, in which case it may be the data controller. In such a case, you must follow the client’s data protection and information security instructions.

You should consider the following factors when determining the role of data controller:

• Who decides why the data is being processed (the purpose of the thesis) and what is the expected outcome?
• Who determines the means that will be used (i.e. how personal data is to be processed)?
• Which working methods will be used to achieve the research goals?
• Who will determine the means of processing personal data to be used (e.g. the researcher’s laptop computer, home computer, workplace computer) and the means of ensuring information security?
• Who will decide which data will be processed and who will have access to the data?
• Who will decide for how long the data will be processed?
• What does the situation look like from the perspective of the research subjects (how will the division of responsibilities be presented to the research subjects?

Source of the list of questions: General Data Protection Regulation and Tieteellinen tutkimus – mikä muuttuu? Senior inspector from data ombudsman's office, Tietosuoja tutkijan arjessa seminar 16 May 2018.

4. Prepare a research notification, and a privacy notice and use a suitable consent form for the research subjects. In some cases that involve register data (such as data from the Social Insurance Institution), a research permit may be necessary. You should prepare a research notification and a privacy notice even if you will not collect any of the research subjects’ direct identification data (such as name, social security code, email).

5. Make sure there are no data transfers outside the EU/EEA area. The right to such transfers is restricted. If you are using cloud storage on your own computer, for example, data may be transferred outside the EU/EEA, which is not allowed without using the protection laid down in legislation.

6. Assess, together with the supervisor, the need to prepare a preliminary ethical assessment.

7. If you have data privacy questions contact data protection office together with your supervisor by email tietosuoja(at)jyu.fi.

There must always be a legal basis for the processing of personal data. In scientific research, the legal ground for processing is usually always the public interest. 

If the research plan for the thesis does not meet the scientific criteria for the field of research, the legal ground for processing cannot be public interest but must be based, for example, on the consent of the subject or on a legitimate interest. Discuss with your supervisor whether your work is scientific research. If you use legitimate interest as a ground for processing, you should

Consent to participate in the research is always required from anyone from whom data is collected (this is different from the legal ground for processing). 

The forms (notification, privacy notice, consent) should be kept securely for at least the duration of the processing of personal data.
 

Information or data security is an essential part of data protection. If you have any questions about the secure processing of personal data, you can contact the University's Information Security Manager  and his team. You can send the questions via HelpJYU portal.

If any personal data goes missing or ends up in the wrong hands, the incident is called personal data breach. If you suspect such a personal data breach, report it to receive help.

Information security

You may also need to report a data breach to the Data Protection Ombudsman or the research participant. Further information

Lost or stolen storage media (such as a phone or computer) is also usually a data breach.

Also note that you must not discuss any confidential personal data obtained from a research subject with any third parties. The confidentiality obligation includes a prohibition on showing or handing over documents to third parties (document secrecy), a prohibition on disclosing the contents of a confidential document or any unsaved information that would be confidential had it been included in the document (professional secrecy) and a prohibition on using the confidential information for your own benefit or the benefit/detriment of another party (prohibition of use). If necessary, you can discuss the data with your thesis mentor, however, because the mentor is not an third party in terms of your thesis and you have included their name in the data protection notice. Please note, however, that if you named yourself as the data controller, handing over the data to the university for any other purpose requires that, at a minimum, you inform the research subjects of the new intended use, or you may have to request consent again.

When your thesis is published in the university's publication archive, you must ensure that you do not by mistake publish personal data, i.e. data from which the data subject can be directly or indirectly identified.

When the research is complete, the research data containing personal data must, as a general rule, be disposed of in a secure manner which ensures that the data will not end up in the hands of third parties. Any hard copies must not be recycled! The university has locked, secure containers for confidential documents in which you can place your hard copies (in the registry office, for example). Files saved on a network drive or in Webropol must be deleted and other data must be destroyed in a secure manner. This part of the personal data lifecycle is of utmost importance. The processing of personal data has a beginning and an end. Sometimes the data can be saved after the research period in an anonymised format in, for example, the Finnish Social Science Data Archive or the Language Bank of Finland.