
Project guide for researchers: Take note of data protection and data security

Data protection and data security

Data protection means protecting the privacy and trust of an individual (data subject) and preventing unauthorised processing of their personal data. The processing of personal data must always happen for a specified purpose and on a lawful basis. The Uniarts Helsinki data protection policy describes the main principles, obligations and procedures that the university adheres to in the processing of personal data. All researchers must take legislation related to personal data processing into consideration in their research.

Taking care of data security means taking care of the availability, confidentiality and integrity of data. Data security can be seen as comprising the practical procedures that are used to guarantee the security of data.

Data security must be taken care of during all stages of data processing, both when it comes to handling equipment as well as choosing and using devices, systems, methods and services. Researchers must pay special attention to the secure processing of research material.

Classified and confidential materials as well as materials containing personal data may only be stored in a Uniarts Helsinki network folder. Researchers have access to a personal home folder and, on request, to shared network folders that can be used to share files between team members. Home folders are personal and can only be accessed with a Uniarts ID or on a university computer. Network folders can only be accessed through the Uniarts Helsinki network or a Uniarts VPN connection. Note that these tools may only be used to share the data with people who are entitled to access it, and with nobody else.

Processing personal data - responsibilities of researcher and project leader

Examples of data processing include the collection, recording, organisation, storage, adaptation or alteration, retrieval or transfer of personal data, as well as other measures concerning personal data.

Individuals who process personal data as a part of a research project must comply with the codes of conduct in research data protection that the university has committed to following. University researchers must follow responsible conduct of research practices in processing personal data so that the ethics and quality of the research and the integrity of the scientific community are protected, as indicated in the European Code of Conduct for Research Integrity.

When drawing up research and data management plans, the requirements for processing personal data and compliance with the European GDPR must be taken into account.

All researchers must plan the processing of personal data in advance, covering its entire life cycle. The project’s risks must be assessed, and appropriate technical and organisational measures for protecting personal data must be taken based on the assessment. The processing of personal data must be limited to the minimum amount required for reaching the academic goals of the project. In addition, the data must be pseudonymised or anonymised.

The principal investigator is responsible for the project complying with data protection legislation and data protection policy. They must also make sure that researchers who are to process personal data receive proper orientation into data processing practices before proceeding. The principal investigator specifies the employees’ respective responsibilities and obligations in processing personal data based on data protection policy.

Privacy notice and controllers

The processing of personal data in each research project is detailed in the project’s privacy notice, which provides a more detailed account of the specific issues concerning the scientific research in question. The privacy notice describes, for example, the purpose for processing personal data and the rights of the research subjects. It also names the project’s person-in-charge or the group responsible for the research. Research subjects must be given sufficient information on the contents of the research project. The privacy notice must also take into account the way the research is communicated during and after the project.

The researcher compiles the privacy notice in the data protection statement form offered by Uniarts Helsinki for research purposes. If necessary, the legal services provide support in compiling the privacy notice.

The data controller is the researcher/student if the research is not carried out in a service or employment relationship with the university, or if the employment relationship with Uniarts Helsinki does not last for the entire duration of the research project. The university acts as the controller in research projects where the purpose and methods of processing personal data are defined by the university. This is the case with research projects that are approved by the university and whose funding is directed to the university. The university and the researcher may also act as joint controllers, as is the case when the researcher defines the purpose of processing personal data.

Minimisation

The necessity of personal data for scientific research must be assessed at the earliest possible stage. Efforts must be made to minimise the processing of personal data. Both the amount and nature of the personal data to be processed in the research need to be considered. The personal data must be adequate, relevant and necessary for the purpose of the processing.

Research should be carried out without using personal data whenever possible.

Minimisation also entails that personal data that is not necessary for the purpose is destroyed. For example, personal identity codes, name details, addresses and other unnecessary identifiers are destroyed as soon as they are no longer necessary for carrying out the research. Minimisation is a protective measure that aims at reducing the risks related to the processing of research data containing identifiers.

Pseudonymisation

Pseudonymous data is data that cannot be used for identifying a person without additional, separate information.

Pseudonymisation refers to the removal or replacement of identifiers with pseudonyms or codes, which are kept separately and protected by organisational measures (protection of the physical environment for the use of the data and restricted and monitored access control) as well as technical measures (secure data storage solutions).

Data is not pseudonymous if a specific data subject is identifiable from the data alone, without additional information (if, for example, indirect identifiers or accounts of rare occurrences enable identification).

Pseudonymous data becomes anonymous when separately kept identifying information (decryption key, personal data and information on the techniques used to pseudonymise the data) is destroyed. If you cannot dispose of the separately kept personal data, you can make pseudonymous data anonymous by destroying the decryption key and information on the pseudonymisation processes, and by re-arranging the data, for example, according to new, randomised case IDs. The data is anonymous if it cannot be linked to the original personal data with reasonable effort.

Pseudonymous data is also considered personal data. This includes data from longitudinal studies where participants have a case ID instead of a personal identification number, but the research group holds a key that can be used to connect the coded data to the research participants.

Anonymisation

Anonymisation refers to the various techniques and tools used to achieve anonymity. Anonymous data is data where an individual data unit (person) cannot be re-identified with reasonable effort based on the data provided or by combining the data with additional data points. Data is anonymous if characteristic attributes (e.g. combinations of certain indirect identifiers) pertain to more than one person and a data subject cannot be identified with reasonable effort. New data on the same research subjects cannot be added to an anonymous dataset, and for the data to count as anonymous, anonymisation must be irreversible.

Completely anonymous data does not exist, but with well-executed procedures one can achieve a result where individual persons cannot be identified with reasonable effort. Anonymisation is one way of making the data available for sharing and reuse.
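The pseudonymisation and anonymisation steps described above, as an added illustration that is not part of the original guide: direct identifiers are swapped for random codes kept in a separate key, the key is later destroyed and the rows re-issued with new randomised case IDs, and a final check applies the guide's criterion that every combination of indirect identifiers must pertain to more than one person. The records, field names and function names are constructed for this example.

```python
import secrets
import random
from collections import Counter

# Constructed sample records (fictional people), not data from the guide.
RAW_RECORDS = [
    {"name": "Anna Example", "email": "anna@example.org", "age": 34, "postcode": "00100", "score": 7},
    {"name": "Bo Sample", "email": "bo@example.org", "age": 34, "postcode": "00100", "score": 5},
    {"name": "Cy Placeholder", "email": "cy@example.org", "age": 52, "postcode": "00200", "score": 9},
    {"name": "Di Fictional", "email": "di@example.org", "age": 52, "postcode": "00200", "score": 4},
]
DIRECT_IDENTIFIERS = ("name", "email")    # sufficient on their own to identify a person
QUASI_IDENTIFIERS = ("age", "postcode")   # identifying only in combination with other data

def pseudonymise(records):
    """Replace direct identifiers with a random code; return (pseudonymous rows, key).
    The key must be stored separately from the rows, under access control."""
    key = {}   # code -> the direct identifiers it stands for
    rows = []
    for rec in records:
        code = secrets.token_hex(8)
        key[code] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
        rows.append({"case_id": code, **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
    return rows, key

def anonymise(pseudonymous_rows, key):
    """Destroy the key and re-arrange the rows under new randomised case IDs,
    so neither the code nor the row order links back to the original data."""
    key.clear()                                  # the separately kept identifying information is gone
    rows = [dict(r) for r in pseudonymous_rows]  # work on a copy
    random.shuffle(rows)                         # break the original row order
    for new_id, r in enumerate(rows, start=1):
        r["case_id"] = new_id                    # fresh IDs unrelated to the pseudonym codes
    return rows

def min_group_size(rows):
    """Smallest number of rows sharing one combination of quasi-identifiers (0 for no rows)."""
    groups = Counter(tuple(r[q] for q in QUASI_IDENTIFIERS) for r in rows)
    return min(groups.values(), default=0)

def is_anonymous_enough(rows):
    """Guide's criterion: each combination of indirect identifiers pertains to more than one person."""
    return min_group_size(rows) > 1
```

A group size of 1 means one row is unique in its combination of age and postcode, which is exactly the "rare occurrence" case the guide warns makes data identifiable without any key.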

Processing research data containing identifiers

Identifiable data may be used for scientific research when the use is appropriate, planned and justified, and when there is a legal basis for processing the data.

The processing of research data containing identifiers must be planned thoroughly and executed carefully. From the point of view of research participants, processing personal data constitutes the risk of confidential information relating to them being revealed to outsiders, such as people close to them, employers or authorities. The protection of data subjects’ privacy may not be jeopardised by the careless storage of data or unprotected electronic data transfers, for example.

You can apply various protective measures, including data minimisation, pseudonymisation and anonymisation, when processing personal data. If necessary, the data can be further protected by administrative and technical data security solutions.

Identifiable data

Direct identifiers
Direct identifiers are data that is sufficient on its own to identify a person. Information that is sufficient on its own to identify an individual includes a person’s full name, personal identity code, email address containing the personal name, and biometric identifiers (fingerprints, facial image, voice patterns, iris scan, hand geometry or manual signature).

Strong indirect identifiers
Strong indirect identifiers refer to information that may be used to identify an individual fairly easily. These include a postal address, phone number, vehicle registration number, bibliographic citation of a publication by the individual, email address not in the form of the person’s name, web address to a web page containing personal data, unusual job title, very rare disease, or position held by only one person at a time (e.g. chairperson in an organisation). A rare event can also reveal the identity of an individual. According to the Finnish Social Science Data Archive, strong indirect identifiers also include the types of codes that can be used to unequivocally identify an individual from among a group of individuals. These include, for instance, a student ID number, insurance or bank account number, a computer’s IP address or similar identifiers.

Indirect identifiers
Indirect identifiers (or quasi-identifiers) are information that on its own is not enough to identify someone but, when linked with other available information, could be used to deduce the identity of a person. Indirect identifiers include, for instance, age, gender, education, occupational status, primary activity/labour status, socio-economic status, household composition, income, marital status, language, nationality, ethnic background, place of work or study and regional variables (such as post code, neighbourhood, municipality, and major region). Dates (such as dates of birth, dates of death or dates of newsworthy events) may also be indirect identifiers in research data when combined with other information.

Personal data and special categories

Personal data means any information relating to an identifiable natural person. Personal data include, for example, a person’s name, address, geographic data, IP address, other online identifiers, photograph, dietary data, health data, or any other information that, alone or combined with other information, reveals something about a specific person.

Personal data may refer to an individual’s private or family life, health, physical characteristics, professional activities, and social behaviour. Research data may also contain identifiers relating to research subjects’ family and friends or other third parties, and this data, too, constitutes personal data.

Special caution must be exercised when the research involves processing of special categories of personal data, i.e. data that reveals the person’s race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning health, sexual orientation or activity and genetic and biometric data for identifying the person. Processing of special categories of personal data requires impact assessment. Ethical review is also recommended.

Contact

Data protection
privacy@uniarts.fi
Minna Eskola

Legal Services
Titti Luukkainen

Research Services
researchservices@uniarts.fi


EU’s General Data Protection Regulation (GDPR)

The EU General Data Protection Regulation (GDPR) governs data protection in all EU countries.

Personal data must always be processed in compliance with the data protection principles specified in data protection legislation. The data-protection principles state that personal data must be

  • processed lawfully, fairly and in a transparent manner in relation to the data subject
  • processed confidentially and securely
  • collected and processed for a specific and lawful purpose
  • collected only to the amount necessary with regard to the purpose of the processing
  • updated when required ‒ inaccurate personal data must be erased or rectified without delay
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

Data protection tools for researchers

  • Plan your research project so that it involves as little processing of personal data as possible.
  • Analyse which personal data (in amount and nature) are necessary for your research. Minimise the amount of personal data being processed.
  • Make a risk assessment and plan appropriate protection procedures for the entire life cycle of the data processing.
  • Keep procedural guidelines at hand for situations such as data protection breaches.
  • Recognise the basis for processing.
  • Recognise the data subject’s rights related to the basis for processing and make sure they are fulfilled.
  • Document your data protection procedures to demonstrate your compliance with data protection regulations (accountability).
  • Recognise your role and responsibilities! As the controller, you are responsible for the lawfulness of the processing of personal data throughout its life cycle.
  • Build trust and ensure good conditions for future research by following data protection regulations and promoting transparency and openness.
  • Data protection tools are an essential part of every researcher’s tool kit. Increase your skill set and stay up to date.