Turku University Library

Research Data Management (the lifecycle of research data)

Data protection

In research, data protection refers to the careful and planned handling of the research participants’ personal data. Unnecessary collection of personal data should be avoided. The information has to be protected so that outsiders cannot access it. Request more information on the University’s data protection from dpo@utu.fi.

Funding applications often require the Data Security description of the University of Turku.

All research data that contains personal data must be included in the Research data inventory (UTU intranet).

Handling personal and sensitive data

If the research data includes personal and/or sensitive information, the restrictions regarding such data must be taken into account. 

Personal data encompasses all data from which a living person can be identified either directly or indirectly. Direct identifiers are considered to be

  • person's full name
  • social security number
  • email address containing the personal name
  • biometric identifiers (e.g. the interviewee's voice).

Indirect identifiers are e.g.:

  • gender
  • age
  • education
  • professional status
  • nationality
  • location data
  • system log data
  • marital status
  • place of residence.

Information is sensitive if it contains categories of personal data specified in data protection legislation concerning

  • ethnic origin
  • political opinions
  • religion or philosophical beliefs or trade union membership
  • genetic information
  • genetic or biometric data for identifying a natural person
  • data concerning health
  • data concerning sexual life or orientation.

Other information may also be sensitive by nature.

Instructions for handling personal and sensitive data

Instructions from the University of Turku:

Additional instructions for planning the management of confidential and personal data (written by the Instructions for planning the management of sensitive and confidential data working group)

Open data and personal information:

  • Only anonymized data can be published in accordance with the principles of open science.
  • If data cannot be anonymized, the open data policy can be implemented, for example, by detailing the research material, data sources, and methods or codes used in the analysis in the published article, so that replication of the research can be attempted as closely as possible if necessary.

Information on the use of social media data can be found in Marko Ahteensuu's article Do you use social media data in your research? and in the guidelines Use and archiving of social media data from the Finnish Social Science Data Archive.

Guidance on handling personal and sensitive data

If the research material contains personal data or the data is collected from identifiable persons, the data protection legislation and the guidelines of the Finnish national data protection authority, the Data Protection Ombudsman, on the protection of personal data in scientific research must be observed.

Personal data is all data related to an identified or identifiable individual. Interview material usually contains personal data. For example, any answers to interview questions that can be linked to a person (occupation, religion, illness, ethnicity), or answers that a third party can connect to a person, are personal data. However, if your research data does not contain personal data, you can ignore the data protection regulations.

Anonymised data no longer contains information that can be linked to a person and is not subject to data protection regulations, but the gathering and processing of data before the data has been anonymised does contain personal data. Simply deleting the names and identification data of the participants from the data does not mean the material is anonymised. In anonymization, the linking of the material to the persons must be permanently and irrevocably severed. Please see the link above for more information.

Does the data processed in the research project contain personal data?

NO personal data included → No extra steps needed

YES personal data are included → See steps below

Plan the processing of personal data throughout the research and data retention and document it in the data management plan.

See the university's intranet for further instructions: What is personal data (requires a utu ID) and How to fill data privacy notice (requires a utu ID).

  • Make sure you are adhering to the data-protection principles of the GDPR in your research.
  • Minimising personal data = only collect personal data that’s necessary and proportionate to your research, limit recognition in different phases of research with pseudonymisation and erasing/removing unnecessary personal data. 
  • Purpose limitation = data can be used for a specific, explicit and legitimate purpose → a specific research project is its own purpose.
  • Retention period for storing data = retention period must be specified. 
  • Transparency = inform the participants of the collection and processing of their personal data effectively in person with a data protection notice i.e. a privacy notice. 
  • Pay attention to accountability = document the implementation of the principles and procedures → the data controller must be able to demonstrate they are following data protection regulations.
     

Processing of personal data in practice:

  1. Draft a data protection notice, i.e. a privacy notice (template), that will be given to each research participant before data gathering. See the university's intranet for further instructions: What is personal data (requires a utu ID) and How to fill data privacy notice (requires a utu ID).
  2. Find out who is going to act as a controller, i.e. who determines the purposes and methods of use of personal data. 
    => If the project is a collaboration between different organisations, will the data be transferred between the organisations? If it will, define the roles and responsibilities for processing personal data in scientific research. → Are several parties acting as joint controllers or is there going to be a controller–processor relationship? Depending on the situation you will need a joint controller agreement or an agreement on processing personal data. → Contact legal@utu.fi for more information.
  3. Choose the appropriate processing basis based on the GDPR (can be scientific research aiming to pursue public interest; or freely given, specific, informed and unambiguous consent).
  4. Will the research data containing personal data be transferred to a third party outside the controller’s authority, such as a third party service provider? → Draw up a contract on the processing of the personal data. Primarily use the university’s template titled “Data Protection Appendix” available on the intranet.
  5. Will the personal data be transferred to third countries outside the EU/EEA Member States? Find out in advance which transfer mechanism is suitable based on the GDPR and what additional safeguards are needed. If the standard contract terms of the EU Commission are used as a transfer mechanism, ask for these at legal@utu.fi.
  6. Can the research facilitate the research subjects’ data protection rights? If not, justify any restrictions of rights and take the necessary measures.
    => When processing and storing data, pay attention to the integrity and confidentiality requirements of the information and consider how the research subject’s potential requests could be fulfilled in practice. 
  7. Do an initial risk assessment, based on which you can decide if a more thorough Data Protection Impact Assessment (DPIA) is needed. Consult the university’s Data Protection Officer via dpo@utu.fi if necessary.
  8. If the University of Turku is the controller of the data, register the basic information of your research into the Research Data Inventory. This will fulfil article 30 of the GDPR and create a record of processing activities, which the controller is required to maintain. 

NOTE: If you are planning on using the data containing personal data in further research, you have to mention it in the data protection notice at the level that is known at that point. Before the start of the next research project that uses the same data, a new data protection notice has to be issued. If the processing basis is consent, a new consent based on the GDPR is required for further use of the data in the new research project.

If the anonymized material is to be shared in an open repository, it is advised to tell the subjects about this in a privacy statement or research release. Despite anonymization, other principles such as research ethics (UTU intranet, utu ID needed) apply.

In addition to data protection, take into account the ethical principles in research that the university is committed to:

  • Ask the research subjects for consent to participate, i.e. informed consent, which is not the same as the basis for processing personal data within the meaning of the GDPR.
  • Find out if you will need an ethical review for your research design.
  • Pick a secure place to store your data and also make sure that the transfer and sharing of the data is secure. 
  • Create a Data Management Plan (DMP) for your research data.

 

Does the research data contain special categories of personal data?

Does the study reveal any so-called special categories of personal data? This type of data will reveal the person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data for identifying a person, data about health, and sexual orientation or activity.

NO special categories of personal data included → No extra steps needed.

YES special categories of personal data are included → You will need a separate processing basis for this type of data. The data must be protected with particular care and with appropriate additional protective measures. A data protection impact assessment may also be required as a safeguard measure for processing the data. If any deviations are made to the data protection rights of the research subjects, an impact assessment must be sent to the Office of the Data Protection Ombudsman. Also, remember to write the processing basis in the data protection notice.

Informing research subjects and obtaining their consent

Informing research subjects is a crucial part of the research data lifecycle. Thorough information and adequate consents form the foundation for ethical and lawful research as well as long-term research projects. Proper information dissemination is significant not only for the subjects and the research team but also for the supporting organization, the scientific community, the organization archiving the data, and future users of the data. For more information, see the Data Management Guidelines (by the Finnish Social Science Data Archive).

More information on asking for consent from the participants and e.g. models for the consent form are available on the University’s Legal Affairs unit’s intranet pages. The Finnish Social Science Data Archive has created a guide about informing research participants. More information on the permissions and guidance in clinical research is available on the website of the Turku Clinical Research Centre.