Do you process personal data in your assignments or thesis?
Personal data means all information relating to a natural person that makes it possible to directly or indirectly identify the person. Direct identifiers include a person’s name, personal identity code, photo, video footage, voice recording, email address containing the person’s name, and handwritten signature. A person may be indirectly identifiable if a sufficient number of indirect identifiers is known to allow the person to be identified without unreasonable effort. For example, if a person’s job title and employer or position (such as the chair of a specific city government) is known, identifying the person may be fairly straightforward.
The processing of personal data is governed by data protection legislation (EU General Data Protection Regulation [EU GDPR 2016/679], Finnish Data Protection Act [1050/2018] and special legislation). Personal data processing means all activities performed on personal data, including viewing, collection, recording, organisation, storage, alteration, pseudonymisation, anonymisation, erasure or destruction.
Students may occasionally process personal data in connection with their thesis or in various study assignments.
As a rule, the author of a thesis collects and processes personal data if the thesis concerns living persons. The EU GDPR does not apply to deceased persons. Despite this, it should be kept in mind that a deceased person’s personal data may contain references to living descendants who may be identified even if they are not the subject of the thesis. Data protection legislation does not apply to pre-anonymised research data from sources such as the Finnish Social Science Data Archive. Data protection legislation also applies to published personal data, such as those collected from online sources.
Students can collect personal data in a number of ways, including
- survey forms (such as Webropol)
- by collecting personal data from online sources (social media, websites of businesses and public figures, etc.)
An interviewee’s voice recording, photo or video are personal data. Even in an anonymous survey, personal data are processed if the information that is collected can be used to identify a respondent directly or indirectly. Even collecting background variables may be enough to identify a person (such as age, sex, place of residence, job title, employer). Identifiability does not mean that a large group of people can identify a person; the person is identifiable even if only by close friends and family or the researcher.
The processing of personal data in various study assignment (not the thesis) can be considered as purely personal processing (so-called household activities), the EU GDPR does not apply to the assignment. Even in this case, personal data should be processed appropriately (see Edinburgh Univerity: If your research is strictly for domestic purposes related to your own personal academic use whilst studying at the University, then your research may be exempt from the Data Protection Laws. However, you should still work as if the legislation applies as it also aligns with ethical best practice). In contrast, the processing of personal data collected for a thesis cannot be considered as personal or household activities.
What do I need to take into consideration before processing personal data?
Before you begin processing personal data:
- Describe in as much detail as possible (in the research plan, for example) what personal data you plan to process, how and for what purposes.
- Describe in your research plan (or other comparable written document) how you plan to process and store personal data needed for your thesis/research. Keep in mind that you may not collect any redundant/unnecessary data (data minimisation). Also keep in mind that you may process the data only for its stated purpose (purpose limitation).
- Identify who is the controller of personal data. The controller is the party that determines the purpose and means of the processing of personal data In general in theses and scientific studies, the purposes and means of processing personal data are determined in the research plan (research questions = purposes of processing personal data, research methods =means of processing personal data). If you are the sole author of the study and use a research plan that you yourself have written, you are the controller. If the student and another party (such as another student or the University or hospital) together determine the purposes and means of processing personal data, they are considered joint controllers. In this case, the data must be stored according to the University’s data protection policies (in other words, you may not store the data on your personal computer). If the student writes a thesis as part of a research project using the project’s research data and questions and the thesis is included in the research project’s publications, the controller is usually the party that is otherwise the controller of the research project’s data. In individual, commissioned studies (typically for a private-sector organisation or business), the client may determine the purposes and means of processing personal data and act as the controller. In this case, the student must follow the client’s instructions on data protection.
When determining who is the controller of personal data collected for a thesis, discuss the following questions with your supervisor: who decides (source for the questions: memo by THL Data Protection Officer Jarkko Reittu on the controller of personal data, 8 May 2020):
- whether or not personal data are processed (begins the processing and benefits from it)
- why the personal data are processed (purpose of processing)
- what personal data are processed
- how long the personal data are processed/stored/archived
- who has access to the personal data and where are they transferred
- how the personal data are processed (means of processing)
- Write a privacy notice in which you answer the questions above. A privacy notice should be written even if you do not collect direct personal identifiers and the risk of identifying a person indirectly is very low. Store the privacy notice in case you need to demonstrate your compliance with data protection legislation. If you want, you can include it in your thesis as an appendix (if you are the controller, remove your contact information from the published privacy notice and leave only your name).
- Write an announcement for your research subjects about your study. Think about how you should handle communication with research subjects.
- If you collect personal data from official sources, for example, you may need a permission to conduct the study. Include the privacy notice with the request for a permission.
- Make sure that you do not need to transfer the data to third parties or to third countries outside the EU or EEA. Transferring personal data to third countries is prohibited unless the safeguards defined in the EU GDPR are taken. If you use free cloud services on your mobile device or computer, for example, the data may be transferred outside the EU/EEA.
- If your thesis makes extensive use of so-called sensitive personal data (such as health data, racial origin, religious beliefs or political opinions, trade union membership or sexual orientation), you may also need to perform a data protection impact assessment in which you evaluate the risk posed by the processing to the research subjects. You can find out whether an impact assessment is necessary by first performing an advance assessment of data protection.
- The supervisor and student together decide on the need for an advance assessment of research ethics. The general rule at the University of Eastern Finland is that student theses are not reviewed by UEF’s Committee on Research Ethics. The topic of the thesis should be chosen so as to not require an advance assessment of research ethics.
Purpose of processing personal data, legal basis for processing and requesting consent
The purpose of processing personal data and the legal basis are not one and the same. The purpose of processing means that personal data are collected only for a specific purpose (such as managing an employment or client relationship, maintaining membership records, planning and monitoring treatment of a patient, writing a student thesis, undertaking scientific or historical research, compiling statistics, archiving in the public interest). The purpose of processing must be determined separately for each scientific study or student thesis because each research plan defines a specific set of research questions (= purpose of processing personal data) and research methods (= means of processing personal data)
There must be always be a legal basis for processing personal data that is established before processing begins. The legal basis cannot be changed once the processing has been associated with a specific legal basis. The legal basis governs what rights research subjects have relative to the controller. In scientific research, the legal basis for processing is usually public interest (processing is necessary for a task carried out in the public interest, more specifically for scientific research purposes).
The legal basis must be defined in the privacy notice and communicated to research subjects. If the research plan for the thesis (Bachelor’s thesis) does not meet the scientific criteria of the field of study, the legal basis for processing cannot be scientific research in the public interest. In such cases, the legal basis must be the research subject’s consent, for example.
All research subjects from whom personal data are collected directly must be asked to consent to participate in the study (so-called informed consent for research, not the same as consent to personal data processing). Informed consent can be obtained from participants in writing, verbally before an interview or in a separate field in the survey form after the research subject has received a separate notice describing the research.
- Example: In Webropol surveys, the author of the thesis can include a separate introductory paragraph [=notice to the research subject] that provides general information about the study and a detailed description of how personal data are processed (information to be disclosed to the data subject under the EU GDPR). Alternatively, the information can be behind a link or in a separate document, provided that it can be read before giving consent and is separate from the consent request. The information can also be given separately before responding to the survey when recruiting research subjects by email, for example. The survey must include a consent request checkbox that the research subject can accept before accessing the survey. Be sure to delete any data you have collected from Webropol after completing the study at the latest.
- You can also ask for consent verbally at the start of an interview, provided that the research subject has received information about the study and personal data processing in writing or verbally before you ask for consent.
- Consent can also be requested in writing. However, keep in mind that in this case, the written consent form includes the research subject’s signature, which is a direct identifier and forms a part of a data file of personal data.
- If you use consent as the legal basis for processing personal data, remember to also ask research subjects for their consent to personal data processing (for the purpose you have described).
Templates prepared by UEF that you will need:
- Privacy notice
- Informing research subjects
- Consent to participation in a study
- Consent to personal data processing and participation in a study
- Advance assessment of data protection
- Data protection impact assessment
Store the documents for at least the period of time that you store your research data.
Ensure adequate data protection
In order to protect the privacy of research subjects, you should pseudonymise (remove all direct identifiers and store then separate) or anonymise (delete all personal data in a way that ensures that it is impossible to revert to identifiable data) the data you use in your thesis. You must store the data in a secure location on a platform provided by the University or your personal computer and make sure that the data are sufficiently protected.
A personal data breach or data security anomaly means that personal data are lost or disclosed to outsiders. If you suspect a personal data breach, report it to firstname.lastname@example.org or email@example.com immediately for further instructions. Situations in which a device used to store data is lost or stolen (such as a phone or computer) are also considered data breaches.
Keep in mind that you may not discuss confidential information shared by research subjects with outsiders. Under the non-disclosure obligation, you may not show or disclose documents to outsiders (confidentiality of documents), disclose contents of confidential documents or unrecorded information which, were it recorded in a document, would be confidential (obligation of confidentiality), or use confidential information for the benefit or detriment of yourself or another (prohibition of use). If necessary, you can go over your research data with your thesis supervisor as they are not an outsider to your thesis and you have named them in the privacy notice. However, note that if you are the controller, you may not usually disclose the data to the University for some other purpose (other than scientific research).
What happens to personal data after the thesis is finished?
After your research has ended, any research data that contains personal data must usually be destroyed in a secure manner that ensures that the data are not disclosed to outsiders. Do not throw out written materials in a public recycling bin! The University has locked trash bins for secure recycling of written documents. Files saved on network drives and Webropol must be deleted and any other data destroyed in a secure manner. It is especially important that the lifecycle of data is managed appropriately. Personal data processing has a beginning and an end. In some case after a study has ended, research data can be stored in the Finnish Social Science Data Archive or Language Bank of Finland, for example.
Privacy protection (in Heimo requires login) and Information security (in Heimo, requires login)
Guidelines of the Finnish Advisory Board on Research Integrity (TENK)
Guidelines by the Office of the Data Protection Ombudsman for scientific research
For guidance and advice, contact the University of Eastern Finland Data Protection Officer: firstname.lastname@example.org, tel. +358 50 576 0282.