This guide helps thesis writers to take data protection legislation into account. If you collect personal data, carefully plan the data collection with your supervisor. Also, consider whether you really need personal data or if a well-designed anonymous survey would suffice. Especially in bachelor's level work, the appropriateness of collecting personal data should be carefully evaluated. Additional details for each section of the guide can be found on this page after the guide. You will receive more specific instructions from your supervisor.
When collecting personal data, you must go through the following five steps:
1. Need for a research permit
Determine from the organization or community that is the subject of your thesis whether a research permit is required. Generally, a research permit is necessary if the thesis involves the organization’s or community’s staff, students, or other activities.
See Research permits below.
2. Are you processing personal data?
Personal data refers to information that allows an individual to be identified either directly or indirectly.
A person can be directly identified, for example, by their name, social security number, or some characteristic unique to them. Indirect identification occurs by combining one piece of information with another that enables identification. For instance, a postal code, profession, and income might be sufficient to identify a person in a certain area. Similarly, in a specific group (e.g., a student group), simply asking for gender may make identification possible.
Processing personal data is justified only when it is necessary for the thesis and there is a legal basis for processing it. Always minimize the personal data collected. Do not collect information unnecessarily or "just in case."
If your survey records the respondent's name or group identifier, gender, and age, the person can be identified afterward, meaning you are processing personal data. Personal data collection can be done through questionnaires, interviews, observations, or by collecting data from online services, etc. Even in an anonymous survey, personal data is being processed if the collected data allows the respondent to be identified directly or indirectly.
You can avoid collecting personal data in surveys by:
See Personal data, possible personal data file below.
3. If you are processing personal data, you need consent and a privacy notice
Processing personal data requires a legal basis for processing according to data protection legislation. In the context of a thesis, this means obtaining the consent of those participating in the survey/interview/etc.
When giving consent, participants must be informed about how their data will be processed, what it will be used for, and how the data will be stored and destroyed.
The thesis writer must be able to demonstrate that consent has been given. Consent should be collected in written or electronic form, in such a way that the participant takes an active action, for example by checking a box on a form or signing it.
Participants must be informed about the processing of their personal data. This is done through a privacy notice, which is attached to the consent form (either on paper or as part of an online survey).
The General Data Protection Regulation (GDPR) requires that withdrawing consent be as easy for the participant as giving it. Withdrawal can be done, for example, by email.
See Informed consent below.
4. Data controller and privacy notice
If your thesis is independently conducted, you act as the data controller for the personal data you collect. You must plan in advance how personal data will be collected, stored, processed, possibly disclosed, deleted, and destroyed, and these steps must be described in a privacy notice. It is advisable to create a privacy notice even if you are not collecting direct personal identifiers and the risk of identifying a person through indirect identifiers is very low.
Use a template to create a privacy notice for your thesis. The privacy notice is for your own use, and it can serve as proof that you have complied with data protection laws if needed. Attach the privacy notice to the online survey or to the consent form for participating in the study.
See The role of a controller and privacy statement below.
5. Data collection, storage, and destruction
As the author of the thesis, you are responsible for determining how the data is stored, retained, and destroyed, and you must act carefully to protect the data.
The best practice is to store personal data on a secure network drive. Using an external hard drive or USB stick is not recommended. Additionally, the use of external cloud services outside the organization is not allowed, as you cannot be certain where the data is stored or how it is used.
See Processing and storage of personal data below.
Research permits
If your research is concerned with the personnel of an organisation, or some community, find out whether a research permit is required. You should apply for a research permit when you wish to approach the personnel or students of an organisation, etc. You apply for the research permit from the organisation in question and it is a good idea to find out in advance what the permit process involves in that particular organisation. Applying for a research permit occurs during the planning stage of a study and must be taken into consideration in the schedule. You typically apply for a research permit when you wish to receive from an organisation
When requesting information from an organisation, it should be noted that the disclosure of information may result in costs.
You often apply for a research permit using the organisation’s template which asks you to provide detailed information about the study. Requests for research permits concerning Centria are sent to kirjaamo@centria.fi. The Centria research permit template is available at https://net.centria.fi/en/rdi/research-permit/
Personal data, possible personal data file
Personal data includes all data related to an identified or identifiable person.
Any data that enable the identification of a person either directly or indirectly are considered personal data. Indirect identification refers to identification achieved by combining pieces of information. For example, if the organisation is small or a person’s role in the organisation is precise (e.g. CEO), merely having information about the person’s role singles out the person. A computer's IP address, which may be collected through a form, may also enable identification. Information directly linked to a person includes the name, personal identity code or some other factor characteristic of the person and other similar data. For more information, see: https://tietosuoja.fi/en/what-is-personal-data
In a thesis, personal data may only be processed when it is necessary for the implementation of the thesis and the grounds for the processing of personal data are met. When collecting personal data, remember to respect the principle of data minimisation (https://tietosuoja.fi/en/minimisation-of-data).
A personal data file is formed whenever you use questionnaires or conduct an interview. A personal data file may be formed if you collect data from different sources, such as social media, or from the online services provided by companies. An anonymous survey may also reveal a person if respondents enter information on the form that enables identifying them.
Informed consent
Participation in a study (a situation involving interaction between the participant and the researcher) always requires informed ethical consent from the research subject. Informed consent to participate in a study is a key ethical principle of human research. See the Finnish National Board on Research Integrity’s guidelines on the ethical principles of research with human participants (https://tenk.fi/sites/default/files/2021-01/Ethical_review_in_human_sciences_2020.pdf).
A situation involving interaction between the participant and the researcher includes interviews, surveys, observations, etc. In order to give consent, research subjects must receive sufficient information about the study and their rights as research subjects. The researcher must provide at least the following information:
Research subjects shall always have the following rights and these must be indicated in connection with giving consent:
Information on the study must be provided in a language that the research subject understands in written or electronic form whenever possible (see the research announcement template).
Consent to participation may be given in writing or electronically (see consent form template). Thesis work must include documentation of how research participants have been informed of the study and how they have been asked for their consent to participate in the study.
Please note that the consent to participate in a study is not the same as the consent to the processing of personal data. When processing personal data, researchers must request separate consent from the subjects for the use of personal data concerning them.
The role of a controller and privacy statement
If you complete the thesis alone, in a pair or as a group, without an organisation or research group, you will personally serve as the controller. This requires you to take measures related to controlling the data file, such as planning the collection, ensuring safe storage, and processing and possible transfer, erasure and destruction of the personal data. The aforementioned matters must be described in the privacy statement. It is a good idea to prepare a privacy statement even if the data you collect does not include direct personal identifiers and the risk of identifying a person with indirect identifiers is very low.
You can find the template for the privacy statement both among the forms in chapter 1 and at the bottom of this page.
Processing and storage of personal data
The processing and storage of personal data must always comply with the data protection principles laid down in data protection legislation (https://tietosuoja.fi/en/what-is-personal-data).
According to the principles relating to the processing of personal data, personal data must be
Personal data may only be stored for as long as necessary for the purposes of processing. When personal data are no longer needed, they must be anonymised or deleted (https://tietosuoja.fi/en/storage-limitation). It is a good idea to inform research participants of the deadline by which their data will be destroyed.
As the controller, you must ensure that the data are stored securely and that no third parties can access the data. This applies both to the data you process and to any backups. It is best to store personal data on a secure network drive. Using an external hard drive or USB stick is not recommended. The use of your organisation’s external cloud services is also not permitted because you cannot be sure where the data will be stored or how it will be used.
Any personal data and consent forms contained in the data set must be destroyed securely after the thesis has been evaluated.