Research Data Management: Legal aspects of data


All research data involve questions of rights as well as legal and ethical issues. Show that you are aware of the relevant legislation related to your data processing.

In your DMP, the focus should be on the ethical aspects of the data management whereas the ethical issues related to your research methods are covered in the research plan.

Tips for best practices
  • Describe how you will ensure privacy protection and data anonymisation or pseudonymisation.
  • Data should be collected for specified, explicit and legitimate purposes.
  • Don't collect any personal data if it is not necessary for your research.
  • The period for which the personal data are stored is limited to a strict minimum.
  • Specify the party serving as the controller.
  • The University is designated as the data controller of a research project, if the University defines the purpose and means of processing. This is the case in research projects that are approved by the University and conducted with core funding granted to the University by the Finnish Government or with external funding provided by an external party.
  • Unless otherwise agreed upon, students shall assume the responsibilities of data controllers when they collect personal data for research purposes (including practical assignments and theses). This means that students are responsible for fulfilling the obligations imposed on data controllers under data protection legislation.
  • A privacy notice helps you plan how you will process personal information during the research process.
  • Justify why you have the right to collect, handle, and preserve data that involves ethical issues, for example, that you have passed an ethical review.
  • Identify the legal basis for processing personal information (it is usually the public interest or the exercise of public authority.)
  • Identify and describe situations when collected personal data are sensitive as well as the legal basis for processing sensitive personal data. If sensitive personal data are processed in the research, the processing must be based on Article 9 of the General Data Protection Regulation (GDPR). Consent from the data subject and scientific purpose of the research are emphasised as a lawful basis when processing sensitive personal data as part of research.
  • Pseudonymised data is still personal data, and hence, it must be processed in accordance with GDPR and other data protection legislation.
  • Read more about the Data Protection Policy at Tampere University

Sensitive data

Collecting and processing special categories of personal data (or “sensitive data”) is possible for scientific or historical research purposes or statistical purposes (article 9, EU’s General Data Protection Regulation). Special categories of personal data include:

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • sexual orientation
  • information about a person’s health
  • criminal convictions and offenses
  • genetic or biometric data processed for uniquely identifying a person.

When sensitive data belonging to special categories are collected, consent must be explicit. Sensitive data also require specific protection because there is a significant risk to the fundamental rights of the individual. In data management, actions intended to minimise the risks of revealing sensitive information must be taken during the entire data lifecycle.


Data service

Research Data Services assist the staff and students of the Tampere higher education community in matters related to research data management. What we do:

  • We organise research data management and data protection trainings covering topics such as describing your data, data protection, data storage services and sharing your data. Content of trainings and workshops can be tailored to meet your needs. More detailed information on trainings will be updated to our website. Don't hesitate to contact us!
  • We provide you with this Data management guide and other instructions and resources for the planning, organising, storing and sharing of research data.
  • We comment on data management plans

Please email and let’s solve your problem together!

Intellectual Property Rights

Agreements on the IPR rights and rights of use of the data should be made before you start collecting or producing the data. By doing so, you prevent possible conflicts at later stages and make sure that your data will be accessible and reusable.

Check the short video about Intellectual property rights and data by Maria Rehbinder from Aalto University.

Data that is factual has no copyright protection and it is not possible to copyright facts. In many cases, the data in a data management system as well as the metadata describing that data is factual, and hence not protected by copyright. However, a project might, for example, use copyrighted photographs.

A database can also have legal protection (sui generis database right, for example). Deciding what data needs to be included in the database, how to organise the data, and how to relate different data elements are all creative decisions that may receive protection. So, intellectual property rights can govern the use of databases but also some data content.

Data can also be protected by trade secrets legislation (in Finnish)

Tips for best practices
  • Familiarise yourself with institutional policies. Tampere higher education community's Open Science and Research policy states that research data produced within Tampere higher education community is primarily owned by Tampere University or Tampere University of Applied Sciences. The researcher always has the first right to the data. When the data form a work as stipulated in Section 1 of the Copyright Act, the copyright belongs to the producer of the data.
  • Researcher's Practical Guide to Intellectual Property 2017 by Aalto University
  • Copyright (Finnish Social Science Data Archive)
  • Check the Intellectual property policy of Tampere Universities (chapter 4 and 5). “…The source of funding is the key to determining IP ownership.” 
    • “Tampere Universities have an interest in IP arising from contract research as this type of IP involves restrictions and third-party rights.”
    • “Employees own IP that they generate while undertaking open research and may offer this type of IP to Tampere Universities.”
  • Rights to research data may be created in three ways
    1. by legislation (e.g., copyright)
    2. by commitments (e.g., funder requirements)
    3. by agreements (e.g., research consortia, contract research, co-operation with companies).
  • Innovation services can help you with questions related to the utilization of research results and know-how and to IP protection. Please contact
  • If you receive personal or sensitive personal data from a third party, e.g., a health care register, you or the University may still be the controller for that data even if you or the University does not own the data. In these cases, the research contract you make with the data owner sets the conditions for how you can use and share the data.

Risk assessment

GDPR requires that the risks related to the processing of personal data be assessed before any such processing. Familiarise yourself with the data protection and risk management guidelines of Tampere higher education community and consider the following:

  • Which freedoms and rights of the data subject can be compromised by the processing?
  • What kind of damage can the planned processing of personal data cause to the data subject?
  • What kind of damage can the inappropriate disclosure, destruction or corruption of the data cause to the data subject?
  • What kind of risks must your data be protected against?
  • What measures are used to manage identified risks?
  • What is an accepted level for the probability and impact of residual risks?

After completing the assessment, verify with the Data Protection Officer of the University whether your data requires an impact assessment in accordance with the GDPR. Data Protection Officer can be reached at

Please also find out whether the funder of your research, owner of the data or any other external party has any claims concerning the data.