Personal data

tekijä: Tiia Marjaana Puputti Viimeisin muutos tiistai 29. kesäkuuta 2021, 15.31

Questions in the data management plan:

1. What kind of personal data does your research material include? How do you protect the research participants? How do you inform the research participants about the processing of personal data?

2. Do your research data involve other ethical issues?

Are you doing research on human participants? Do your data include personal details? If your answer is yes, you must comply with the EU General Data Protection Regulation (GDPR) and Finland’s national Data Protection Act. Note that ‘processing’ here refers to all activities related to personal data, including their storing. 

According to the current interpretation, the author of a thesis is the ‘controller’ in the research, that is, responsible for processing personal data. In a research project where you work on your thesis as a member of the research team, the controller is often the University of Jyväskylä or some other research organisation. 

Recognise personal data  

The definition of ‘personal data’ is broad. Personal data include, for example:  

  • age 
  • educational background 
  • residential area 
  • photo 
  • voice 
  • fingerprints 
  • ethnic background or nationality  
  • marital status 
  • rare disease 
  • characteristic physical trait 
  • statements and opinions typical of a specific individual 
  • information on the participant’s circle of acquaintances or other parties 

Personal data include all the personal details that could reveal the research participant’s identity. The identification could be possible based on your research data or by combining your data with, for example, information on the internet.  Personal data are classified as direct identifiers, strong indirect identifiers, and indirect identifiers.  Direct identifiers such as names are clearly personal data. However, other kinds of details, traits, factors, activities and behaviours related to specific people can also be personal data. Read more about personal data and anonymisation.

The guidelines for processing personal data do not apply to deceased or fictional individuals.

When is a person identifiable?  

For example, if you mention an interviewee’s hometown and profession, the interviewee may be identified if the locality is small or the profession is uncommon.  

For instance, presidents would be too easily identifiable based on their profession. 

Do your data include special personal data?  

Special personal data include the following: 

  • ethnic origin  
  • political opinions  
  • religious or philosophical conviction  
  • labour union membership  
  • health-related information  
  • sexual orientation or behaviour  
  • genetic or biometric data to uniquely identify a person 

If your data include special personal data, it is particularly important to process them responsibly.  Take the following protective measures:  

  • Minimise data: data processing must be in due proportion to the objective of your research.  
  • Pseudonymisation is required always when possible for the research design.  More about this later!
  • Documentation of the processing of personal data: write down what you do, where the data are stored, and what you have agreed with the research participants. 

If this seems difficult, remember that privacy protection is not meant to prevent you from doing research. Its purpose is to protect the research participants. You as the thesis author are in charge of processing data responsibly.