Skip to Main Content

Researcher's guide to responsible and open science

Processing personal data

You are highly likely going to process personal data if you collect information from or about people. Personal data means "any information relating to an identified or identifiable natural person". In other words, personal data is much more than a person's name or personal identity code, i.e. direct identifier. For example, hair colour, job title, car registration number, or location information are indirect identifiers and can reveal the identity of the research participant. Data related to people is very rarely completely anonymous.

EU’s General Data Protection Regulation includes the following as special categories of personal data:

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • health information
  • information about sexual behaviour and orientation
  • processing of genetic and biometric data for the purpose of uniquely identifying a person

The collection and processing of special categories of personal data is possible for scientific and historical research purposes or statistical purposes (Article 9, EU General Data Protection Regulation). This sensitive data needs to be guarded with particular care, as the context in which it is handled can pose significant risks to fundamental rights and freedoms. Data management must minimise the risks associated with the disclosure of sensitive data throughout the lifecycle of the data.

When processing personal data, you must comply with data protection legislation, i.e. the EU General Data Protection Regulation (GDPR) and national data protection legislation. Familiarise yourself with the Tampere University's Data protection path of research, which contains the key issues concerning the processing of personal data in research. The data protection path also contains templates for key documents (e.g. privacy notice, information sheet, and data protection impact assessment).

Plan carefully how you will process personal data throughout the life cycle of the research data, from collection to archiving or disposal. The processing of research data includes for example collecting, saving, organising, structuring, editing, analysing, handing over, removing, and deleting research data.

You must comply with data protection principles when processing research data. These principles are summarised in the table below.

The principle Is implemented in practice, for example:
Legality, fairness, and transparency

The research project must be explained to the research participants in a clear and understandable manner, and the processing of the data must not be unpredictable for the research participants. Inform clearly and keep your promises.

Purpose limitation As a rule, the legal basis under data protection legislation for research is "public interest: scientific research". Clearly specify the particular and exact purpose for which you are collecting personal data, and also clearly tell the research participants what kind of research you are conducting.
Data minimisation Only collect the information you need for your research. No "just in case" data.
Accuracy Inaccurate and incorrect personal data must be corrected or deleted.
Limitation of storage Store data in an identifiable form only for as long as it is necessary for your research. For example, it may be possible to delete the contact information of research participants or audio files of interviews even before the end of the research project.
Integrity and confidentiality Take security into account when processing personal data, i.e. ensure that the data is not lost or destroyed and that there is no unauthorised access to the data. Therefore, plan carefully for example the collection of data, storage solutions, possible transfers, and deletion of the data.

Informing research participants is both an ethical and legal obligation. Research participants have the right to receive information on how their personal data is being processed during the research.

  • Content of the information: e.g. the purpose of the research, the data controller and data processors of the personal data, the legal basis for processing, the transfer of personal data, the sharing and opening of data, and the rights of the research subjects. See templates for the information sheet and the privacy notice.
  • Methods of informing: written, oral, e-mail – the methods may vary depending on the situation and the research subjects.
  • Information documents: information sheet, privacy notice, informed consent for research (remember to also request consent for the archiving/reuse of the data).
  • The chapter Informing Research Participants about the Processing of Their Personal Data in FSD's Data Management Guidelines provides practical instructions on how to carry out research participant informing.

Personal data is processed in many ways at different stages of the research, and each stage involves unique risks. A risk is for example the leakage of personal data to outsiders, and social harm or potential identity theft caused by a data breach. The risks related to the processing of personal data must be assessed from the perspective of the research participant. Risks are assessed in two stages:

  1. Preassessment: use a checklist to evaluate whether data processing situations require an impact assessment.
  2. Impact assessment: describes the risks involved in data processing and their prevention in concrete terms.

You can reduce risks by minimising the amount of personal data collected, the number of people processing it, and the time it is stored, and by considering technical information security solutions for example in the collection, storage, and deletion of data. Familiarise yourself with the sections Data collection and acquisition and Data processing, analysis, and storage in this guide. The anonymisation and pseudonymisation of the data also protects the research participant from having their identity revealed. Complete anonymity is rarely possible, so don't promise it to the research participant!

As a researcher, you are accountable for how you have processed research data that contains personal data. Document processing activities carefully. Update and store data protection documents that are made for different parties and purposes:

  • support for the researcher's work: research plan, data management plan, risk assessment, data protection impact assessment (DPIA).
  • Informing the research participant: information sheet, privacy notice, informed consent for research.
  • matters to be agreed with collaborating partners: agreement on joint controllership, data processing agreement (DPA), non-disclosure agreement, agreement on the transfer of personal data outside the EU/EEA (TIA = transfer impact assessment)

Ethical review

Ethical review is not about granting a research permit, but the ethics committee issues a statement on the ethical aspects and ethical acceptability of the research. The researcher ultimately assumes responsibility for their research, and the ethical statement is not an exemption from liability.

Ethical review is applied for when the research design requires it:

  • The research involves intervening in the physical integrity of research participants.
  • The research deviates from the principle of informed consent
  • The research focuses on minors under the age of 15 without separate consent from a parent or carer or without informing a parent or carer in a way that would enable them to prevent the child’s participation in the research
  • Research that exposes participants to exceptionally strong stimuli
  • Research that involves a risk of causing mental harm that exceeds the limits of normal daily life to the research participants (trauma, depression, insomnia)
  • Research where conducting the research could involve a threat to the safety of participants or researchers or their family members or others close to them (e.g. studies concerning domestic violence)

A doctoral researcher and a student must request a statement together with their supervisor. As a rule, no ethical statement is issued for master's theses and bachelor's theses.

To request an ethical statement, you will need the following documents: 1) a cover letter, 2) a research plan, 3) assessment of the ethical nature of the research by the person responsible for the research, 4) a risk assessment, 5) an impact assessment, 6) an information sheet and a privacy notice, 7) a consent form, 8) other material given to research participants, 9) a data management plan.

Research Data Services gives comments on data management plans, risk assessment, and privacy notice:

Checklist for writing a request for a statement:

  1. Take the time to write a request for a statement. If you submit a request for comments to the Research Data Services, be prepared that the comments may take from a few days to a week.
  2. Make sure that all required documents are included in the request for a statement.
  3. Explain clearly why you are requesting a statement in the cover letter.
  4. Ensure that things are presented consistently across different documents.
  5. Describe your task/processes in concrete and detailed terms.
  6. Use the words anonymous and pseudonymous with caution.
  7. Avoid thesis topics that would require a statement from an ethics committee. .

Ethics committees in our area:

Dat access committee DAC

Tampere University has a Data Access Committee, DAC (intra). DAC’s task is to evaluate the transfer of research data for reuse based on the requests of opinion made to it. Requests can come from within or outside the university.

The requests to be processed by DAC must concern research data containing personal data, where Tampere University is the data controller or joint data controller. The planned reuse can be commercial activity or non-commercial activity that deviates from the original use of the data. Reason for contacting DAC can also be, e.g., contractual or legislative changes related to the use of the data. 

DAC issues an opinion on the reuse of the research data in question. It takes into account in its opinion the legislation related to the data, regulatory provisions, and university guidelines. It also takes into account the copyrights and ownership rights related to the research data being evaluated and clarifies the position of the researcher or research group who collected the data on reuse. DAC cannot give a favorable opinion on the reuse of the data if the party owning the rights to the data does not give permission for the transfer of the data.

Send a reuse request as a message to the contact email address


P. 0294 520 900

Kirjaston kotisivut | Library homepage

Palaute | Feedback