Background for the instructions
A code of conduct has been developed in cooperation between higher education institutions and research institutes for the processing of personal data in connection with research. The office of the Data Protection Ombudsman may also publish more detailed instructions. These HAMK instructions will be updated as additional information is obtained. These instructions also work in connection with theses.
Material management plan
The material management plan is closely related to the processing of personal data in connection with research. Practices of HAMK’s material management plans, https://www.hamk.fi/tutkimus/aineistonhallinta/.
Personal Data Processing Agreements (DPA)
If the controller uses, for instance, subcontractors or partners to process personal data, the necessary agreements must be concluded. A more detailed description is available at https://blog.hamk.fi/ohjeet/personal-data-processing-agreements-dpa/.
An impact assessment may also be required in research activities. Whenever personal data is processed in the study, it should be assessed according to the instructions at https://blog.hamk.fi/ohjeet/data-protection-impact-assessment/ whether there is a need for an impact assessment.
Controller in connection with research
According to the General Data Protection Regulation, the controller is the party actually defining ‘the purposes and means of processing personal data’. Typically, the processing of personal data is determined by the researcher (cf. Section 9, ‘ Freedom of teaching and research’, of the Universities of Applied Sciences Act, in Finnish). The researcher is therefore the controller if he/she has determined how personal data is processed in the study. It is possible that in some situations, the controller is HAMK Ltd or HAMI Ltd. It is about who defines the purposes and means of processing of personal data. More extensive cooperation patterns may also involve joint control of registers.
The controller for the processing of personal data in a thesis is typically the student.
Researcher or student as a controller
If the controller is a researcher or the author of the thesis, this means, among other things, the following:
- The controller shall be responsible for the processing of personal data.
- When providing information on the processing of personal data (data protection notice), the researcher or student shall be indicated as the controller.
- Determining the data protection officer is the responsibility of the data controller.
- The data protection officer shall be appointed if the core tasks of the controller consist of processing operations which require extensive regular and systematic monitoring of data subjects, or the core tasks of the controller consist of extensive processing of specific categories of personal data or information related to criminal convictions or infringements.
- For instance, if a study is concerned with a large amount of health-related information, the need for the data protection officer should be assessed.
Legal basis for material containing personal data
The study primarily uses ‘public interest’ as the basis for processing (Section 4 of the Finnish Data Protection Act in Finnish). However, in such cases, the processing of personal data should be proportionate to the objective of public interest pursued by it.
Other grounds for processing may also be used:
- Implementation of an agreement
- Legal obligations of the controller
- Vital benefits of the data subject or another person (typically not suitable for research)
- Processing is necessary to achieve the legitimate interests of the controller or a third party (not applicable to a task carried out by the authorities)
- If the processing is based on consent, preparations should be made when planning the study so that the data subjects can withdraw their consent.
It should be noted separately that even if the participation in the study is voluntary, the processing of personal data may still be based on ’public interest’.
Derogation from the data subject’s rights in research
The data subject’s rights are derogated from at HAMK only in justified, exceptional cases. According to Section 31 of the Data Protection Act, the data subject’s right of access the data, the right to correct data, the right to restrict processing and the right of objection may be waived where appropriate, provided that
Processing is based on the appropriate study protocol
There is a person or group responsible for the study; and
Personal data is used and disclosed only for historical or scientific research or for other compatible purposes, and in other respects, such action is taken that data on a particular person is not be disclosed to third parties.
Where the study processes specific personal data (Article 9 of GDPR) or personal data related to criminal convictions or infringements (Article 10), in addition to compliance with sections 1–3 above, a data protection impact assessment (under Article 35) shall be completed, and it shall be submitted to the Data Protection Ombudsman’s office before the launch of the processing of personal data. The Data Protection Ombudsman’s instructions for this are available in Finnish at: https://tietosuoja.fi/rekisteroidyn-oikeuksista-poikkeaminen.
The need for deviations must be assessed based on a case-by-case consideration. In other words, the implementation of the list in the previous section does not justify a derogation. A derogation from the data subject’s rights is only possible to the extent that:
- Such rights are likely to prevent or greatly hamper the achievement of these specific purposes, and
- Such derogations are necessary to fulfil these purposes.
It should be noted that according to Article 17 of the General Data Protection Regulation, the data subject is not entitled to delete data in the research if it is likely to prevent the processing concerned or render it very difficult.
Informing the data subject
Instructions for informing the data subject are available at https://blog.hamk.fi/ohjeet/data-protection-informing-the-data-subject/.
Other principles related to the processing of personal data
- Personal data relevant from the perspective of research is collected
- Whenever possible, research material is processed as anonymised or pseudonymised data. However, pseudonymised material remains personal data. Additional information on this is available for instance at https://www.fsd.uta.fi/aineistonhallinta/en/anonymisation-and-identifiers.html. In international research project,s it is particularly important to anonymise the material if the material is processed outside the EU / EEA.