Do you process personal data in your coursework or thesis?
If you collect information about people, for example through a survey, an interview or observation, you are likely processing personal data. In that case, you must comply with data protection legislation.
These guidelines will help you identify when and how data protection applies to your studies and guide you towards the correct procedures.
What is personal data?
Personal data means any information that can be used to identify a natural person directly or indirectly.
Examples of direct identifiers include:
- name and personal identity code
- photograph, video or audio recording
- an email address containing the person’s name
Indirect identifiers may include, for example, a job title, workplace or position when combined with other information. A person may become identifiable even if no single piece of information alone would reveal their identity.
Please note: It is sufficient for identifiability that the person’s close circle or the researcher can identify them — not everyone needs to be able to do so.
When does data protection apply to you?
Thesis
If you collect information about living people for your thesis, you must comply with data protection legislation. This also applies to:
- data collected online (e.g. from social media or public websites)
- anonymous surveys where respondents may be identifiable based on background variables (e.g. age, gender, place of residence and occupation combined). Note: If you anonymise the data yourself, i.e. remove personal data from the material, this also constitutes processing of personal data.
- interviews where audio or video is recorded
Data protection regulations do not apply to:
- deceased persons (but note that information about a deceased person may reveal the identity of a living person)
- data that has already been anonymised (e.g. datasets from the Finnish Social Science Data Archive)
Coursework assignments
When processing personal data as part of coursework assignments, the activity can often be considered personal use, in which case the data protection guidelines do not strictly apply. Nevertheless, you should follow good practices — handle data carefully and responsibly as if the legislation were in effect.
How to collect personal data
You can collect personal data, for example, by:
- using a survey tool (e.g. Webropol)
- conducting interviews
- making observations
- gathering data from online services (social media, public websites)
What should you do before collecting personal data?
Go through the following steps before you begin collecting or processing personal data:
Purpose of processing, legal basis and consent
The purpose of processing and the legal basis are two different things
- Purpose of processing = what personal data is used for (e.g. completing a thesis, a specific research question)
- Legal basis = the legal ground that permits the processing
Each thesis constitutes its own separate purpose of use. The legal basis must be determined before processing begins and cannot be changed afterwards.
In scientific research, the legal basis is usually scientific research in the public interest (processing is necessary for the purposes of scientific research). If your thesis does not meet the criteria for scientific research in your field (e.g. a Bachelor’s thesis), use the consent of the research participant as the legal basis. If you use existing data in your Bachelor’s thesis and are unable to obtain consent, the only available legal basis is the legitimate interest of the data controller, which requires a so-called balancing test. When choosing a topic for your Bachelor’s thesis, it is advisable to choose topics where you can obtain consent from participants, or topics that do not involve personal data at all.
Record the legal basis in your privacy notice and also inform research participants of it.
Consent to participate in research
You always need consent to participate in research (ethical participation consent) from everyone from whom you collect data directly. Consent can be requested:
- in writing — note that a signature is a direct identifier and creates a separate personal data register
- verbally at the beginning of an interview
- as a tick box on a survey form
Important: Always provide research participants with an information sheet about the research before requesting consent. The information sheet must be available to read separately from the consent form.
Practical example for Webropol surveys:
- Add an introductory paragraph at the beginning of the survey explaining the research and the processing of personal data (or include a link or attachment to the information sheet).
- Add a consent tick box that the participant must mark before responding to the survey.
- Remember to delete the collected data from Webropol once the survey has closed and the responses have been transferred to another application for analysis.
When you use consent as the legal basis for processing personal data, also request separate consent for the processing of personal data for the purpose you have described.
Ensure data security
Protect your data
- Pseudonymise your data: remove direct identifiers and store them separately from the rest of the data.
- Anonymise your data if possible: remove all personal data so that identification is no longer possible.
- Save your data in a secure location — either on platforms provided by the university or on your own computer, ensuring adequate protection.
Do not share confidential information
You have a duty of confidentiality: you must not show, disclose or reveal participants’ data to outside parties. You must also not use the data for your own benefit or to the benefit or detriment of others.
You may go through the data with your supervisor, as they are not an outside party in relation to your thesis — name them in your privacy notice. If you are the data controller, it is generally not possible to hand over the data to the university for purposes other than scientific research.
Report data security incidents immediately
If personal data is lost, becomes accessible to unauthorised parties, or if your storage device (phone, computer) is lost or stolen, this constitutes a data security incident. Report it immediately to:
What should you do with personal data when your thesis is complete?
Once your research has concluded and there has been a reasonable period for appeals regarding the results (for Master’s theses, generally around 1 year), dispose of any material containing personal data securely:
- Do not put paper materials in open recycling bins — use the university’s locked data security disposal bins.
- Delete files stored on network drives or in Webropol.
- Dispose of all other material securely.
In some cases, data can be archived after the research has concluded, for example in the Finnish Social Science Data Archive or the Language Bank of Finland.
Remember: The processing of personal data always has a beginning and an end. Take responsibility for the entire lifecycle of the data.
Templates and forms
UEF provides ready-made templates that you will need for your thesis:
- Privacy notice
- Information sheet for research participants
- Consent to participate in research
- Consent to the processing of personal data and participation in research
- Preliminary data protection assessment
- Data protection impact assessment
You can find the templates on UEF Intra (login required). Keep the documents for at least as long as you retain your research data.
Further information and support
- Data protection on UEF Intra (login required)
- Information security on intra (login required)
- Guidelines of the Finnish National Board on Research Integrity (TENK)
- Guidance on scientific research from the Office of the Data Protection Ombudsman
Need advice? Contact the UEF Data Protection Officer:
- Email: [email protected]
- Phone: +358 50 576 0282