Research & Art

Research ethics review - FAQ's

Basics and practicalities about research ethics process - frequently asked questions

Basics and practicalities about research ethics process

1. Why do I need an ethical review for my research?

The point of ethical review is to help you to understand the ethical issues related to your study and make sure they are adequately taken into account.That is, ethicalreview is not something that must be "passed", but rather a process that helps you to make sure your research project is ethically sound.

2. How do I know if I need an ethics review?

You can access additional information about when the review is needed through the following link:

You      can      access      a       self-assessment      guide         through                             the          following link:

3. Can I fail the ethics review?

Not really, if the ethical review has a negative outcome the ethics committee will give you feedback and help you to make the necessary changes.

4. I am doing open interviews/ethnographic researchand, thus, don't have a pre- defined set of questions that I will ask every research participant. What are the implications for the ethics review process?

You do not need a pre-defined set of questions. The ethical review process does not ask for final interview guide but you need to provide draft of the themes and  describe the topic of your study, who the participants of your study are, which personal data you collect from them, how you store this data, when you eras the data, the risks you may expose the participants if they participate in your study, etc. You can update the request in cases there are changes to your plans. (see question 6)

5. I am not an employee at Aalto (e.g. a doctoral researcher with a visitor contract) and therefore cannot access the request form for ethical review online - what should I do?

Please send an email to the Aalto University Research Ethics Committee secretary and discuss your role. In most cases the e-form can separately be opened for Aalto University doctoral students. However, you need to have your supervisor involved; do not submit your request if your supervisor has not read and approved it beforehand. You can request a word format of the request form from the secretary and   type your answers to a Word document. In case, your position in Aalto does not allow opening up the e-form, you can agree to have someone else in Aalto transfer your word version to the e-system. 

6. What happens when plans change during the research project?

Depends on the change. If the level of ethical risks or issues stays similar, only a minor change is needed which can be done very quickly - within a day with help of the secretary of the Ethics committee. If the changes are considered "fundamental changes", they need to be reviewed by the Ethics committee.

What constitutes a fundamental change? The change is considered fundamental when new risks or new kind of sensitive data is included in the project. For example, adding children to the interviewees when you previously have had only adults wouldconstitute a fundamental change; adding additional similar adults would not be a fundamental change. If in doubt regarding what constitutes a fundamental change get in touch with secretary of the committee. 

Questions regarding collaborators in the research study

1. I plan to collaborate with external scholars to publish my work, but I do not know who these peopleare, yet. What are the implications for the ethicsreview process?

You can store all data in E-duuni and provide access to the external/new collaborators (see Checklist for Qualitative Research Projects). However, in the privacy notice you must explicitly list parties who have access to any data regarded as personal data, usually the “raw data”. In case you are not sure who will be the external collaborators, you can state that in the privacy notice. However, in that case you will need to update the privacy notice and the updated version must be available for the participants and they must know where to find the updated version. In such cases, you may for example publish the privacy notice on Aalto website and tell the participants in the privacy notice, that once the collaborators are known, the updated version will be available for them. 

Please note that regarding all external collaborators outside Aalto who have access to personal data, you must know what is their role is under GDPR. 

2. My case company wants me to sign an NDA. What are the implications for the ethics review process?

Please consult Aalto's lawyers in all matters related to concluding NDA’s. 

3. If I work with a transcription service, do I also need to ask the service to sign an NDA?

Aalto has a framework agreement for transcription services. Please see more information here: 

In case you do not use Aalto’s service provider, but a service provider that you have chosen, you need to conclude an agreement for purchasing the transcription services. Service provider usually offers procurement agreement (sale and purchase of services). 

Questions related to participants 

1. Can I compensate research participants for their contributions?

See Aalto compensation rules. Remuneration policy for short-term work related to research or test subjects | Aalto University

Useful alternatives to a financial compensation, is to offer a short training or workshop to the participants about a topic of their interest (as far as it fits with your competences), a blog or a webpage where you publish thought pieces and useful knowledge about the topic on a regular basis. Such a blog or a webpage can also contribute to your external visibility as an expert in the field. However, don't get bogged down in details and spend too much time on this. Your focus should be on your research project!!

2. Do interviewees need to give written consent?

No, oral consent is also acceptable, but in all studies where you process personal data, you need to provide privacy notice for the participants and other relevant information regarding the study. Such information could also be given orally, but as there is so much information that needs to be included, it is most convenient to give all relevant information to the participant in written form. 

A best practice is to record the explicit consent of the participants to participate in the study before each interview. Participants usually appreciate this practices because it shows to them that we process their data carefully and that we commit ourselves to high ethical standards. You can proceed as follows: Pre-talk/Off the record: "We ensure strict confidentiality and will use the interview data only for scientific purposes. It is University Policy to record that you explicitly give your consent to participate in this study and, in order to analyzethe data, that this interviewis recorded. Do you consentto this interview being recorded? Thank you, I will now switch the recorder on. On tape: We briefly need your consent to participate in this study on tape: So, as said, we ensure strict confidentiality, and we will use the interview data only for scientific purposes. Do you give your consent to participate in this study and to record this interview? Great! Thank you! I would like to start with …

Another (complementary) best practice is that you add a short paragraph at the end of your e-mail. Participants usually also appreciate this practices because it shows to that we process their data carefully and that we commit ourselves to high ethical standards. You can proceedas follows: Data collection and processing: Alldata will be kept strictly confidential, will exclusively used for scientific purposes and stored on a secured server at Aalto University that is dedicated to research projects. We will publish results and data from this study in a manner, that your identity will not be disclosed for the public. For detailed information on data collection and processing, please click on the following Link: privacy notice

 (be aware of the difference between anonymisation and pseudonymisation) 

Questions related to GDPR and personal data 


1. What are “GDPR roles”? What is a data controller and a data processor?

Controller and processor are roles related to personal data defined in GDPR. All parties who have access and will process personal data, must have a role defined under GDPR. There are three major roles under GDPR; controller, processor and joint controller. The roles of the parties must be defined clearly before the start of the study, as depending on the roles, the parties have different legal obligations. The data controller determines the purposes and means for processing personal data. The data processorprocesses personal data only on behalf of the controller and strictly under instructions given by controller. Joint controllers determine the purposes and way of processing together.

2. How do I know, what are the right GDPR roles of other parties in my research collaboration (i.e. other universities, research institutions or companies participating in the research)?

The roles may not be freely chosen by parties, the decision and interpretation of the roles should be made based on actual facts and setting of the processing. In case you need help with determining the right roles after reading the instructions, please contact Aalto lawyers. In some cases, it may be possible to justify several options and outcomes, and the roles are not obvious. Generally, there are three options:

  • Aalto is data controller and the collaboration partner is data processor. In this case, Aalto determines how and where data is processed, and processor just processes the data on behalf of Aalto and may only use the data in accordance with strict instructions given by Aalto. In this case, it is always mandatory to complete a legally binding DPA agreement.
  • Both partiesact as individual controllers. In this case, the parties usually have individual research plans, and both conduct their own study with the data, so there is no clear joint research project and both parties work quite independently. The cases of individual controllers are various, it can be a situation where company transfers data for Aalto, that the company has collected first for other purposes than research, or it can be that a party has collected the data and discloses it to another research institution for completing their own and individual study. In this case it is not mandatory to conclude any agreement related to personal data. However, the roles must always be clear and agreed. 
  • Joint controller, parties jointly determine the purposes and means of processing and therefore act as controllers of personal data together. This must be agreed with the collaborators and it must also be clearfor the researchsubject that the parties act as joint data controllers and their responsibilities. Joint controllers are not required to have a legally binding and written contract, but you must have a transparent arrangement that sets out your agreed roles.  The roles must be included in the privacy notice that is given to the participant, most important liability is transparency for the data subject. Usually in this case, the parties agree one point of contact for the research participant. 

3. What are the most common mistakes related to GDPR in the ethics process? 

The most common mistake is the misunderstanding between the terms pseudonymous and anonymous data

Pseudonymous data means, that attributing the personal data to a single individual and their identity requires additional information. For example, interview data where names and other direct identifiers have been replaced with random identifiers and you have consent forms and code key list in a separate place, is psyeudonymous data. Pseydonymous data is still personal data and same principles, and legislation is applied to pseudonymous data.

Anonymised data is no longer regarded as personal data. It must be impossible to identify the individuals from such data in any way. The prevention of identification must be permanent and make it impossible for the controller (you or any member of the research team included) or a third party to convert the data back into identifiable form with the information held by them. Whether an individual data item can be considered anonymous or not requires case-by-case evaluation. The bar is quite high and in case you are not sure if data is anonymous, never claim the data as anonymous. 

Other common mistakes are that researchers have not used Aalto privacy notice template, or the template has not been filled in a careful manner. Please remember to read all the instructions that are included in the template. One common mistake as well is that the researcher have not given thought on the question of what are the GDPR roles of all parties involved in the research. 

Reusing, storing and deleting the data

1. Reusing data: What happens if someone wants to keep the data for longer than a few years, as they could be useful for future projects which are unforeseen in advance?

The question about how long the data will be stored and what purposes it is used, is determined in the privacy notice and also information sheet given to the participant. You may use the model sentence; in case you plan to use the data for the same research theme longer in the future: “ Research data containing personal data is retained for research data to be used for further scientific research in the same scientific discipline or in other disciplines that support this research study. Research data containing personal data is deleted after five (5) years since the last publication where this research data has been used and exploited. “

In case you have already collected the data, please note that you must follow the principles what has been told for the participant in the privacy notice, it is binding in that sense. In case you are still planning the study, please plan carefully how long you will need the data and for what purposes. Pay careful attention to drafting the privacy notice, as it will define where you may use the data and for how long. 

In case there is a clause regarding using the data for further research and the research is within the same discipline using the data for such study may be possible (see first section here and privacy notice template). In case there is no such clause, and you wish to make essential changes to the privacy notice and add completely new use purposes for the data, such use may require new consent from the participant, in case such use has not been recorded in the privacy notice given to the participant. However, re-using the data for new research study is somewhat difficult question from legal and research ethics perspective. Please consult legal and ethical experts, in case you are unsure.

2. Related to storing and deleting data, when someone leaves the university, who is responsible for deleting that person's data?

The principal investigator or supervisor is responsible in official manner. In practice the data transfer, usage after or deletion is to be agreed between the researcher in questions and the principal investigator, or in case there are differing opinions include the head of the department. See also the instructions on data ownership vs data authorship.  Note that you should inform the participants on major changes in use of personal data – e.g. by updating privacy notice. 

Annukka Jyrämä

Annukka Jyrämä

U901 Research Services
  • Published:
  • Updated: