In research, data protection refers to the careful and planned handling of the research participants’ personal data. Unnecessary collection of personal data should be avoided. The information has to be protected so that outsiders cannot access it. Request more information on the University’s data protection from tietosuoja@utu.fi.
More information:
If the research material contains personal data or the data is collected from identifiable persons, the data protection legislation and the guidelines of the Finnish national data protection authority, the Data Protection Ombudsman, on the protection of personal data in scientific research must be observed.
Personal data is all data related to an identified or identifiable individual. Interview material usually always contains personal data. These are, for example, any answers to interview questions that can be linked to a person (occupation, religion, illness, ethnicity) or answers that a third party can connect to a person are all personal data. However, if your research data does not contain personal data, you can ignore the data protection regulations.
Anonymised data no longer contains information that can be linked to a person and is not subject to data protection regulations, but the gathering and processing of data before the data has been anonymised does contain personal data. Simply deleting the names and identification data of the participants from the data does not mean the material is anonymised. Please see the link above for more information.
NO personal data included → No extra steps needed
YES personal data are included → See steps below
Plan the processing of personal data throughout the research and data retention and document it in the data management plan.
NOTE: If you are planning on using the data in further research, you have to mention it in the data protection notice at the level that is known at that point. Before the start of the next research project that uses the same data, a new data protection notice has to be issued. If the processing basis is consent, a new consent based on the GDPR is required for further use of the data in the new research project.
In addition to data protection, take into account the ethical principles in research that the university is committed to:
Does the study reveal any so-called special categories of personal data? This type of data will reveal the person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data for identifying a person, data about health, and sexual orientation or activity.
NO special categories of personal data included → No extra steps needed.
YES special categories of personal data are included → You will need a separate processing basis for this type of data. The data must be protected with particular care and with appropriate additional protective measures. A data protection impact assessment may also be required as a safeguard measure for processing the data. If any deviations are made to the data protection rights of the research subjects, an impact assessment must be sent to the Office of the Data Protection Ombudsman. Also, remember to write the processing basis in the data protection notice.
Informing research participants about the processing of their personal data is a crucial part of the transparency principle laid down in the General Data Protection Regulation of the European Union (GDPR). Based on the provided information, the participants must understand how their personal data are being collected, used, stored, disseminated or otherwise made available, or otherwise processed.
Finnish social science archive has created a guide about informing research participants
More information on asking for consent from the participants and e.g. models for the consent form are available on the University’s Legal Affairs unit’s intranet pages. More information on the permissions and guidance in clinical research is available on the website of the Turku Clinical Research Centre.