Personal data encompasses all data from which a person can be identified either directly or indirectly.
Direct identifiers are considered to be
Indirect identifiers are e.g.
Information is sensitive if it contains categories of personal data specified in data protection legislation concerning
Other information may also be sensitive by nature.
For more information on personal and sensitive data, see Data management guidelines (Finnish Social Science Data Archive)
About using social media data, see Use and archiving of social media data by Finnish Social Science Data Archive and Do you use social media data in your research? by Marko Ahteensuu
If the research material contains personal data or the data is collected from identifiable persons, the data protection legislation and the guidelines of the Finnish national data protection authority, the Data Protection Ombudsman, on the protection of personal data in scientific research must be observed.
Personal data is all data related to an identified or identifiable individual. Interview material usually always contains personal data. These are, for example, any answers to interview questions that can be linked to a person (occupation, religion, illness, ethnicity) or answers that a third party can connect to a person are all personal data. However, if your research data does not contain personal data, you can ignore the data protection regulations.
Anonymised data no longer contains information that can be linked to a person and is not subject to data protection regulations, but the gathering and processing of data before the data has been anonymised does contain personal data. Simply deleting the names and identification data of the participants from the data does not mean the material is anonymised. Please see the link above for more information.
NO personal data included → No extra steps needed
YES personal data are included → See steps below
Plan the processing of personal data throughout the research and data retention and document it in the data management plan.
NOTE: If you are planning on using the data in further research, you have to mention it in the data protection notice at the level that is known at that point. Before the start of the next research project that uses the same data, a new data protection notice has to be issued. If the processing basis is consent, a new consent based on the GDPR is required for further use of the data in the new research project.
In addition to data protection, take into account the ethical principles in research that the university is committed to:
Does the study reveal any so-called special categories of personal data? This type of data will reveal the person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data for identifying a person, data about health, and sexual orientation or activity.
NO special categories of personal data included → No extra steps needed.
YES special categories of personal data are included → You will need a separate processing basis for this type of data. The data must be protected with particular care and with appropriate additional protective measures. A data protection impact assessment may also be required as a safeguard measure for processing the data. If any deviations are made to the data protection rights of the research subjects, an impact assessment must be sent to the Office of the Data Protection Ombudsman. Also, remember to write the processing basis in the data protection notice.
Informing research participants about the processing of their personal data is a crucial part of the transparency principle laid down in the General Data Protection Regulation of the European Union (GDPR). Based on the provided information, the participants must understand how their personal data are being collected, used, stored, disseminated or otherwise made available, or otherwise processed.
Finnish social science archive has created a guide about informing research participants
More information on asking for consent from the participants and e.g. models for the consent form are available on the University’s Legal Affairs unit’s intranet pages. More information on the permissions and guidance in clinical research is available on the website of the Turku Clinical Research Centre.