You will very likely process personal data if you collect information from or about people. Personal data means "any information relating to an identified or identifiable natural person". In other words, personal data is much more than a person's name or personal identity code, i.e. a direct identifier. For example, hair colour, job title, car registration number, or location information are indirect identifiers and can reveal the identity of the research participant. Data related to people is very rarely completely anonymous.
EU’s General Data Protection Regulation includes the following as special categories of personal data:
The collection and processing of special categories of personal data is possible for scientific and historical research purposes or statistical purposes (Article 9, EU General Data Protection Regulation). This sensitive data needs to be guarded with particular care, as the context in which it is handled can pose significant risks to fundamental rights and freedoms. Data management must minimise the risks associated with the disclosure of sensitive data throughout the lifecycle of the data.
When processing personal data, you must comply with data protection legislation, i.e. the EU General Data Protection Regulation (GDPR) and national data protection legislation. Familiarise yourself with Tampere University's Data protection path of research, which contains the key issues concerning the processing of personal data in research. The data protection path also contains templates for key documents (e.g. privacy notice, information sheet, and data protection impact assessment).
Plan carefully how you will process personal data throughout the life cycle of the research data, from collection to archiving or disposal. The processing of research data includes, for example, collecting, saving, organising, structuring, editing, analysing, handing over, removing, and deleting research data.
You must comply with data protection principles when processing research data. These principles are summarised in the table below.
The principle | Is implemented in practice, for example: |
---|---|
Legality, fairness, and transparency | The research project must be explained to the research participants in a clear and understandable manner, and the processing of the data must not be unpredictable for the research participants. Inform clearly and keep your promises. |
Purpose limitation | As a rule, the legal basis under data protection legislation for research is "public interest: scientific research". Clearly specify the particular and exact purpose for which you are collecting personal data, and also clearly tell the research participants what kind of research you are conducting. |
Data minimisation | Only collect the information you need for your research. No "just in case" data. |
Accuracy | Inaccurate and incorrect personal data must be corrected or deleted. |
Limitation of storage | Store data in an identifiable form only for as long as it is necessary for your research. For example, it may be possible to delete the contact information of research participants or audio files of interviews even before the end of the research project. |
Integrity and confidentiality | Take security into account when processing personal data, i.e. ensure that the data is not lost or destroyed and that there is no unauthorised access to the data. Therefore, carefully plan, for example, the collection of data, storage solutions, possible transfers, and deletion of the data. |
Informing research participants is both an ethical and legal obligation. Research participants have the right to receive information on how their personal data is being processed during the research.
Personal data is processed in many ways at different stages of the research, and each stage involves unique risks. Risks include, for example, the leakage of personal data to outsiders, and social harm or potential identity theft caused by a data breach. The risks related to the processing of personal data must be assessed from the perspective of the research participant. Risks are assessed in two stages:
You can reduce risks by minimising the amount of personal data collected, the number of people processing it, and the time it is stored, and by considering technical information security solutions, for example, in the collection, storage, and deletion of data. Familiarise yourself with the sections Data collection and acquisition and Data processing, analysis, and storage in this guide. The anonymisation and pseudonymisation of the data also protect the research participant from having their identity revealed. Complete anonymity is rarely possible, so don't promise it to the research participant!
As a researcher, you are accountable for how you have processed research data that contains personal data. Document processing activities carefully. Update and store data protection documents that are made for different parties and purposes:
Ethical review is not about granting a research permit; rather, the ethics committee issues a statement on the ethical aspects and ethical acceptability of the research. The researcher ultimately assumes responsibility for their research, and the ethical statement is not an exemption from liability.
Ethical review is applied for when the research design requires it:
A doctoral researcher and a student must request a statement together with their supervisor. As a rule, no ethical statement is issued for master's theses and bachelor's theses.
To request an ethical statement, you will need the following documents: 1) a cover letter, 2) a research plan, 3) assessment of the ethical nature of the research by the person responsible for the research, 4) a risk assessment, 5) an impact assessment, 6) an information sheet and a privacy notice, 7) a consent form, 8) other material given to research participants, 9) a data management plan.
Research Data Services gives comments on data management plans, risk assessment, and privacy notice: researchdata@tuni.fi
Checklist for writing a request for a statement:
Ethics committees in our area:
Tampere University has a Data Access Committee, DAC (intra). DAC’s task is to evaluate the transfer of research data for reuse, based on the requests for an opinion submitted to it. Requests can come from within or outside the university.
The requests to be processed by DAC must concern research data containing personal data, where Tampere University is the data controller or joint data controller. The planned reuse can be commercial activity or non-commercial activity that deviates from the original use of the data. A reason for contacting DAC can also be, e.g., contractual or legislative changes related to the use of the data.
DAC issues an opinion on the reuse of the research data in question. It takes into account in its opinion the legislation related to the data, regulatory provisions, and university guidelines. It also takes into account the copyrights and ownership rights related to the research data being evaluated and clarifies the position of the researcher or research group who collected the data on reuse. DAC cannot give a favorable opinion on the reuse of the data if the party owning the rights to the data does not give permission for the transfer of the data.
Send a reuse request as a message to the contact email address dac@tuni.fi.