 The EU General Data Protection Regulation and the Data Protection Act require certain requirements to be taken into account when personal data is processed in RDI activities. In addition, RDI activities must continue to take into account any sector-specific requirements, such as legislation on medical research and research ethics principles and guidelines.
The framework for the guidelines is based on the list of Data Protection tools for researchers, compiled by Raisa Leivonen, Senior Inspector at the Office of the Data Protection Ombudsman.
Personal data refers to all information that can be used to identify a person either directly or indirectly by combining individual pieces of information with other information that enables identification. Personal data includes, for example, name, address, email address, phone number, IP address, and photograph.
Personal data may only be collected and processed in accordance with the conditions specified in the General Data Protection Regulation, solely for specific, explicit, and legitimate purposes, and may not be processed subsequently for purposes incompatible with those specified.
However, scientific research purposes (including RDI activities) are not considered incompatible with the original purposes.
According to the General Data Protection Regulation, personal data must be adequate, relevant, and limited to what is necessary for the purposes of processing. The processing of personal data includes all actions that are directed at personal data. Personal data may be stored in a form that allows the data subject to be identified only for as long as is necessary for the purposes of the processing.
In practice, it is advisable to collect only personal data that is relevant to RDI activities (data minimization). Therefore, always consider in advance whether personal data is necessary or whether it can be omitted altogether.
Often, the names or contact details of research subjects are no longer needed during the analysis phase, and it is advisable to delete them as soon as the research allows. Individual research subjects can also be distinguished from each other by using identifiers, such as a series of numbers (pseudonymization). Note, however, that contact details may still be needed at a later stage in follow-up studies.
If you collect personal data, it will automatically form a personal data register, for which you must prepare a privacy policy/notice. In this case, you must also plan in advance how personal data will be collected, stored, processed, potentially disclosed, deleted, and destroyed, and describe this in the privacy policy. A pre-filled template for Centria's privacy policy/notice can be found in M-Files at Centria_Privacy Policy_Template.docx, ID13941.
The risks associated with the processing of personal data must always be assessed before processing begins. Risk analysis is used to identify, at the planning stage, the measures that need to be taken to manage risks and ensure the proper processing of personal data. In practice, access to personal data must always be restricted to those persons who need it to carry out the research.
The risk assessment under the GDPR must be carried out from the perspective of the data subject, i.e., the controller must assess
More detailed instructions on making a risk assessment can be found on the website of the Office of the Data Protection Ombudsman.
The purpose of an impact assessment is to help identify, assess, and manage the risks involved in processing personal data. An impact assessment must be carried out if the processing is likely to result in a high risk to the rights and freedoms of the data subject. An impact assessment must be carried out in particular when
More detailed and practical examples of situations in which an impact assessment must be carried out in accordance with the General Data Protection Regulation can be found on the website of the Office of the Data Protection Ombudsman.
It is important to plan in advance how to prevent and minimize damage caused by possible personal data breaches. In the General Data Protection Regulation, a personal data breach refers to an accidental or unlawful act that results in the destruction, loss or alteration of personal data, or in its unauthorized disclosure to, or access by, a party that does not have the right to process it. Please note that this can happen, for example, if a USB stick is lost or a computer is stolen.
Every Centria employee is obliged to immediately report any data security breaches or deviations that compromise data protection to the data protection officer (tietosuojavastaava@centria.fi).
The processing of personal data always requires a legal basis, which must be determined before processing begins. The grounds for processing personal data are set out in Article 6 of the General Data Protection Regulation. This article contains six different grounds on which personal data may be processed. In general, the legal basis for processing personal data in the RDI activities of universities of applied sciences is either the unambiguous written/verbal consent of the research subject or a scientific or historical research purpose in the public interest.
Further information on the bases for processing can be found on the website of the Office of the Data Protection Ombudsman.
If the research setting does not require consent from the research subjects for reasons outside the scope of the General Data Protection Regulation (e.g., research ethics statements), it is easiest to use scientific or historical research purposes in the public interest as the basis for processing instead of the consent of the research subjects (Article 6(1)(e) of the GDPR). However, this basis for processing cannot be used in commercial research.
See also: Research permit, informing research subjects, and consent
The data subject has the right to obtain information about the collection and processing of their personal data, and therefore the research subject must be provided with the necessary information about how their personal data is processed. More detailed instructions on the rights of data subjects can be found on the website of the Office of the Data Protection Ombudsman.
Data subjects must be informed, among other things, of the purposes for which the data is processed, the processing times, the disclosure of data, and the rights of data subjects.
A pre-filled template for Centria's privacy policy/notice can be found in M-Files under the name "Centria_tietosuojaseloste_malli" ID13941.
Further information on the accountability obligation (the controller's duty to be able to demonstrate compliance) can be found on the website of the Office of the Data Protection Ombudsman.
Always follow Centria's instructions. The data processing guidelines will help you choose the appropriate method for processing and storing data in each situation. The guidelines can be found in Centraali.
Remember to follow Centria's guidelines! Centria's data protection guidelines for RDI activities can be found at Centraali.
Update your knowledge and follow the website of the Data Protection Ombudsman and Centria's data protection guidelines. Please also familiarize yourself with Centria's "Personnel Data Security Guide 2018," which can be found in Centraali. Please note that all Centria personnel must complete online data protection training, instructions for which can also be found in Centraali in the "Data Security Training Instructions".