Turku University Library

Research Data

What is personal and sensitive data?

Personal data encompasses all data from which a person can be identified either directly or indirectly.

Direct identifiers are considered to be

  • person's full name
  • social security number
  • email address containing the personal name
  • biometric identifiers.

Indirect identifiers are e.g.

  • gender
  • age
  • education
  • professional status
  • nationality
  • location data
  • system log data
  • marital status
  • place of residence.

Information is sensitive if it contains categories of personal data specified in data protection legislation concerning

  • racial or ethnic origin
  • political opinions
  • religion or philosophical beliefs
  • trade union membership
  • data concerning health
  • data concerning sexual life or orientation
  • genetic or biometric data for identifying a natural person.

Other information may also be sensitive by nature.

For more information on personal and sensitive data, see Data management guidelines (Finnish Social Science Data Archive)

 

For guidance on using social media data, see "Use and archiving of social media data" by the Finnish Social Science Data Archive and "Do you use social media data in your research?" by Marko Ahteensuu.

University of Turku guidance on handling personal and sensitive data

Guidance on handling personal and sensitive data

If the research material contains personal data or the data is collected from identifiable persons, the data protection legislation and the guidelines of the Finnish national data protection authority, the Data Protection Ombudsman, on the protection of personal data in scientific research must be observed.

Personal data is all data related to an identified or identifiable individual. Interview material almost always contains personal data. For example, any answers to interview questions that can be linked to a person (occupation, religion, illness, ethnicity), or answers that a third party can connect to a person, are personal data. However, if your research data does not contain personal data, you can ignore the data protection regulations.

Anonymised data no longer contains information that can be linked to a person and is not subject to data protection regulations. However, gathering and processing the data before it has been anonymised does involve personal data. Simply deleting the names and identification data of the participants from the data does not mean the material is anonymised. Please see the link above for more information.

Does the data processed in the research project contain personal data?

NO personal data included → No extra steps needed

YES personal data are included → See steps below

Plan the processing of personal data throughout the research and data retention and document it in the data management plan.

  • Make sure you are adhering to the data-protection principles of the GDPR in your research.
  • Minimising personal data = only collect personal data that is necessary and proportionate to your research, and limit identifiability in the different phases of research through pseudonymisation and by erasing/removing unnecessary personal data.
  • Purpose limitation = data can be used for a specific, explicit and legitimate purpose → a specific research project is its own purpose.
  • Retention period for storing data = retention period must be specified. 
  • Transparency = inform the participants of the collection and processing of their personal data effectively in person with a data protection notice i.e. a privacy notice. 
  • Pay attention to accountability = document the implementation of the principles and procedures → the data controller must be able to demonstrate they are following data protection regulations.
     

Processing of personal data in practice:

  1. Draft a data protection notice, i.e. a privacy notice (template), that will be given to each research participant before data gathering.
  2. Find out who is going to act as a controller, i.e. who determines the purposes and methods of use of personal data. 
    => If the project is a collaboration between different organisations, will the data be transferred between the organisations? If it will, define the roles and responsibilities for processing personal data in scientific research. → Are several parties acting as joint controllers or is there going to be a controller–processor relationship? Depending on the situation you will need a joint controller agreement or an agreement on processing personal data. → Contact legal@utu.fi for more information.
  3. Choose the appropriate processing basis based on the GDPR (can be scientific research aiming to pursue public interest; or freely given, specific, informed and unambiguous consent).
  4. Will the research data containing personal data be transferred to a third party outside the controller’s authority, such as a third party service provider? → Draw up a contract on the processing of the personal data. Primarily use the university’s template titled “Data Protection Appendix” available on the intranet.
  5. Will the personal data be transferred to third countries outside the EU/EEA Member States? Find out in advance which transfer mechanism is suitable based on the GDPR and what additional safeguards are needed.
  6. Can the research facilitate the research subjects’ data protection rights? If not, justify any restrictions of rights and take the necessary measures.
    => When processing and storing data, pay attention to the integrity and confidentiality requirements of the information and consider how the research subject’s potential requests could be fulfilled in practice. 
  7. Do an initial risk assessment, based on which you can decide if a more thorough Data Protection Impact Assessment (DPIA) is needed. Consult the university’s Data Protection Officer via dpo@utu.fi if necessary.
  8. If the University of Turku is the controller of the data, register the basic information of your research in the Research Data Inventory. This will fulfil Article 30 of the GDPR and create a record of processing activities, which the controller is required to maintain.

NOTE: If you are planning on using the data in further research, you have to mention it in the data protection notice at the level that is known at that point. Before the start of the next research project that uses the same data, a new data protection notice has to be issued. If the processing basis is consent, a new consent based on the GDPR is required for further use of the data in the new research project.

In addition to data protection, take into account the ethical principles in research that the university is committed to:

  • Ask the research subjects for consent to participate, i.e. informed consent, which is not the same as the basis for processing personal data within the meaning of the GDPR.
  • Find out if you will need an ethical review for your research design.
  • Pick a secure place to store your data and also make sure that the transfer and sharing of the data is secure. 
  • Create a Data Management Plan (DMP) for your research data.

 

Does the research data contain special categories of personal data?

Does the study reveal any so-called special categories of personal data? This type of data reveals a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data for identifying a person, data about health, and sexual orientation or activity.

NO special categories of personal data included → No extra steps needed.

YES special categories of personal data are included → You will need a separate processing basis for this type of data. The data must be protected with particular care and with appropriate additional protective measures. A data protection impact assessment may also be required as a safeguard measure for processing the data. If any deviations are made to the data protection rights of the research subjects, an impact assessment must be sent to the Office of the Data Protection Ombudsman. Also, remember to write the processing basis in the data protection notice.

Informing research participants about the processing of their personal data is a crucial part of the transparency principle laid down in the General Data Protection Regulation of the European Union (GDPR). Based on the provided information, the participants must understand how their personal data are being collected, used, stored, disseminated or otherwise made available, or otherwise processed. 

The Finnish Social Science Data Archive has created a guide on informing research participants.

More information on asking for consent from the participants and e.g. models for the consent form are available on the University’s Legal Affairs unit’s intranet pages. More information on the permissions and guidance in clinical research is available on the website of the Turku Clinical Research Centre.