Ä¢¹½Ö±²¥

The definition of personal data is broad. Personal data is all the information and characteristics related to a living, natural person, with which the person can be identified either directly or indirectly by combining information collected in the study with information about the person available elsewhere.

Examples of personal data:

• age
• educational background
• industry, job or profession
• neighborhood
• sufficiently recognizable picture
• voice of speech
• claims and opinions characteristic of a person
• e-mail address
• IP address
• ethnic background or nationality (special personal information)
• health information (special personal information)
• revenue
• exercise habits
• fingerprint
• walking style
• a physical characteristic characteristic of a person
• information about the subject's immediate family or other persons related to the subject.

Please note that pseudonymous information is also personal information.

Direct identifiers include, for example, sound, image, fingerprint, brain image, signature and personal identification number.

Indirect identifiers are variables and information which, as such, do not refer to a single person in the material, but which, when combined with each other or with information available about the person elsewhere, probably lead to the person

An example of indirect identifiability: the person lives in the Tampere region, his gender is female, male or other, he works as an experienced activist in certain organizations, and he works as a senior official in a certain field.

Special categories of personal data are the data that discloses the person's 

• race or ethnic origin
• political opinions
• religious conviction
• philosophical beliefs
• trade union membership
• health information
• sexual orientation or behaviour
• genetic and biometric data, when the purpose is to identify a person using them. 

There is also personal information to be kept confidential: 

• criminal sanction information
• bank account information.

The data can be sensitive and confidential for other reasons as well. For example, it may include trade secrets information about endangered species intelligence information.

Check the potential high classification level of the information you are about to collect in (in Intranet Uno, requires login with JYU credentials). 

The first priority is to identify the controller of the personal data. The controller determines the methods and means of processing and, if the university is the controller, the university's policies on processing are binding. In principle, in the case of research carried out on the staff of a university, the university is the controller; in other cases, the researcher is the controller. However, this will be assessed on a case-by-case basis and the JYU Data Protection Officer should be contacted.

Plan the processing and life cycle of the personal data you collect and use well in advance of your contact with the subjects - in other words, before you start collecting data.

In terms of processing, it is important to plan what personal data will be collected, how its use will be minimised, how its use and storage will be secured, and how the data may be transferred. The systems in which personal data are processed and stored must meet the conditions set out in the University's data protection and security policy:

• Basic non-sensitive personal data may be processed and stored on Nextcloud, the University's disk systems (S: and U: drives, and the JYU Microsoft services. 
• Special categories of personal data and other secret data may only be processed and stored on Researchvideo and CollabRoom or on Nextcloud, the University's Microsoft systems and the University's S:- and U: network drives. For detailed instructions, please refer to. Successful minimisation of the processing of personal data (including pseudonymisation and anonymisation) can facilitate compliance. 

If data are transferred from one organisation to another, this must be planned carefully and the subjects must be informed. Similarly, if there is an intention to use the data to research purposes in other studies (meaning that the purpose is other than the original one), this should be anticipated in the information provided to the study subjects. In these cases, it is also often necessary to agree on the transfer, processing or possible joint controllership of personal data.

As a general rule, personal data should only be handled and retained for needed and justified duration. The lifecycle must be justified by the research plan. However, the GDPR does provide provisions to make even personal data available in a FAIR way. This route is archival. It is important to note that retention of e.g., 5 years after the end of the study by the research team or the researcher is not archiving, but continuing storage. Archiving is a legal term and is discussed elsewhere in these guidelines. 

When planning the study, the end point of the processing of personal data should be planned. The end point can be either 

• complete anonymisation and the destruction of the personal information (i.e. deletion of the identification data from the files,
• disposal of the data to a dedicated data archive in pseudonymous or directly identifiable form or
• destruction of the whole data files (if not deemed suitable for archiving). 

In principle, personal data may only be processed for the original purpose of processing. This means that the data may not be kept in an identifiable form for longer than is necessary for the possible verification of the results of the original research use, nor may it be used for further research. However, with successful anticipation, planning and information on further use, this situation can be changed and a wider research use in a FAIR way can be made possible!

Further use is made possible by properly informing the subjects. Before this can be done, it is necessary to identify the various factors that make further use possible. The most obvious is the removal of personal data from the data, i.e. anonymisation, followed by the possible opening of the data in an appropriate archive. If it is not possible to anonymise the data, it is possible to archive it in identifiable form, provided that a suitable archive is found and the subjects are properly informed. Examples of such archives are, for example, the Archive of the Finnish Literary Society and the Finnish Language Bank. The Ä¢¹½Ö±²¥ is developing its own archive of research data, which could also receive data containing personal data in the future.

To ensure that suitable parts of the data can be used for new purposes after the research, the researcher must anticipate the possibility of further use when drafting the wording of the information. In the case of personal data and potentially sensitive data, it is often difficult to know years in advance which parts of the data are suitable for further use, e.g. as archived data, which parts can be anonymised and which parts should be disposed of when they are no longer needed for the original purpose of the research. The information and data protection notice and the data management plan can, where appropriate, be drafted in such a way that the wording of the data privacy notice allows for different options. Drafting the informing is a constant search for the borderline between sufficient information content and too much explicit, narrowing information.

Example: If the privacy notice describes that the data will be archived in the Finnish Social Science Data Archive, it is not possible for the researcher to offer the data to another data repository if necessary. by announcing the archiving of the data to the effect, "the data will be offered for archival in an appropriate FAIR compliant data repository", the researcher keeps the options open. 

Make sure that the information documents you provide to your subjects (study information, data privacy notice and consent form) and the data management plan are written side by side, so that their descriptions of the processing and life cycle of the parts of the data that contain personal data are consistent with each other.

As the study may be alive, the information documents may need to be updated - provided that the subjects are still available.

Links to the data management design, the researcher's data protection guidelines and the model templates for the information documents can be found in the highlights at the bottom of the page.

For detailed advice for implementing these steps, visit the 'Data privacy instructions for researchers' site linked to the bottom of this page. 

1. It all starts with planning. What personal information do you need to conduct your research? Is your study a one-time or follow-up study? When you provide a privacy statement required by the GDPR, you must be able to specify a clear life cycle for the processing of personal information, including the beginning and the end. Principle of minimisation and limitation of the retention of personal data. Minimisation means that only the amount of personal data necessary for the purpose defined in the study plan should be collected and that identifiers that become redundant should be removed as soon as possible. According to the principle of limitation, it is good to try to define a temporal end point for the storage of personal data. Note that the text of the privacy statement will legally bind you in the future.

2. Anonymisation, archiving, follow-up studies, reuse. The middle and end of the life cycle of personally identifiable information must be planned well in advance so that you can realistically describe it in the research notification and the privacy notice that you provide to your subjects.

• At what point do you plan to pseudonymise the data collection and processing, and how do you ensure the security of the code key? Is anonymisation a viable option for you? Before collecting the information, familiarize yourself with . Only make a decision to anonymise when you are absolutely sure you will be able to do it.
  
   
• If you do not anonymise the data to open them anonymously for re-use after the research, justify in the privacy notice the reason for retention of the identifiable data after the study, such as verification of the research results. If it is not possible for you to set an exact end date for the retention of personal data, record in the information you provide to the subjects that the retention of data for the purposes of the original study will be evaluated, for example, every year or two.
  
   
• Archiving of identifiable data is possible under certain conditions. For example, the Finnish data archive for language data, . . There are ready-made clauses in the template for the university's privacy statement for the different options.

3. Select the appropriate legal basis for the processing of personal data. The primary recommended basis is scientific research in the public interest. Public interest e.g. facilitates the possible future reuse of the data. Consent is recommended only in cases where public interest is not applicable for one reason or another. If you collect special categories of personal data and use consent as a legal basis, the consent must be explicit. See more information on the choice of legal basis. Record the selected criterion in the privacy notice.

4. Determine who will act as the controller or your personal data registry. If you are carrying out research on an externally funded project or working for a university, the university acts as the controller. Often, the university and the researchers both act as controllers. In consortium projects, there is usually joint controllership between the partner organisations. Record the controller in the privacy notice and in your DMP.

5. Prior to the start of the study, clearly inform your subjects how and by whom their personal data will be processed and managed during the study. Check that the informed consent that you gather from your study participants is in line with your planned data protection measures. This way, you ensure that your study follows the best practice in both research ethics and data privacy jurisdiction. JYU's Privacy Policy advises you on how to process personal information securely and lawfully at different stages of the investigation. If your research setting is of such a nature (e.g. extensive register data with incomplete contact information) that personal information is not possible, please consult the university's guidelines.

6. Always conduct at least a concise, free-form risk assessment for your research that contains personal information. For more information, see the data protection guidelines linked below. If the risk is estimated high, the study is made subject to the the Data Protection Impact Assessment (DPIA) in accordance with the EU's general data protection regulation.

A particularly high risk is considered

• a large number of persons whose data are processed
• a large amount of information about a person
• sensitive information
• information on vulnerable study subjects (e.g. children)
• use of data for automated decision making
• systematic monitoring.

7. When collecting personal data directly from your subjects, also ask them for consent to participate in the study. Consent to participate in the investigation is sought when the legal basis for the processing of personal data is public interest. Informed consent is a fundamental principle of research ethics, and deviating from it always requires an impact assessment.

8. When collecting personal information, strive to minimise the identifiable information, that is, avoid collecting personal information that is not necessary for your research question. Take care of the data security of the storage devices during the field study. Transfer the data to the University Nextcloud, JYU Microsoft environment such as OneDrive, the S: drive project folder, or your personal U: drive folder as soon as possible after saving.

9. When processing personal information, take care of the security of your procedures. Ensure that access to personally identifiable information is restricted to the persons or entities described in the DMP and the privacy notice. Document how you implement the security measures you have promised to subjects and how you control access to identifying information. Remember that personal data may only be processed in the manner and for the purpose for which the data subject was informed in the privacy notice before the start of the investigation. If the need to deviate from the one specified in the data privacy notice arises during the processing of the data, inform the subjects immediately and update the data privacy notice and other necessary documents.

10. At the end of the study, take care of the identifiable parts of the data according to the information you provided to the subjects. What parts of the data do you destroy? What will you possibly anonymise? What do you store post-project in identifiable form, e.g., pseudonymised, for verification of results or any follow-up that may be included in your original study? What are you archiving, where, and with what usage restrictions?

Make sure that the processing of personal data is described in a consistent manner in your data management plan and in the research notification and privacy notice you provide to subjects.