Guidelines on data management and security for bachelor’s and master’s thesis advisors
Quick guide to personal data processing in theses
- Choice of topic
- Check with the student whether the research data contains personal data. → If a person can be identified either directly (name) or indirectly (voice), then personal data is involved. → In this case, the student must follow the data protection regulations when processing the data.
- Advise the student to choose a topic that does not involve processing special categories of personal data (e.g. sexual orientation, children).
- Required documents: Privacy notice, consent forms and research permit
- If personal data is collected, the student must always draw up a privacy notice.
- In bachelor’s and master’s theses, the legal basis for processing personal data is usually the research participant’s consent, because such theses rarely fulfil the criteria for scientific research.
- In addition, the student must obtain the research participant’s consent to participate in the research.
- Advise Aalto bachelor’s and master’s students to use the template (which includes all three documents: privacy notice, consent to processing of personal data and consent to participate in the research).
- Check whether the student needs a research permit from the organisation, e.g. if the participants are Aalto University students.
- Agree with the student on the roles and responsibilities and the tasks related to processing personal data.
- Data collection
- Make sure that the data is collected using programs approved by Aalto University IT Services.
- Data storage and anonymisation/pseudonymisation
- Make sure the data is stored safely (e.g. on an Aalto network drive) and that the access to it is limited.
- Check that no individuals can be identified from the final thesis – even if the names have been erased, the analysis may reveal the person indirectly. → Ensure anonymisation or pseudonymisation. → Also check that the thesis appendices do not contain any personal data, such as consent forms.
- Thesis advisor
- It is the thesis advisor’s task to guide the student in the responsible processing of data and to be the primary point of contact in data protection issues.
- If the supervisor needs advice or additional information, Aalto Student Services will assist and direct the inquiry to the appropriate contact: studentservices@aalto.fi
Data protection concepts
Personal data refers to data that may be used to identify an individual. Such information includes name, personal identity code, car registration number, location information from apps or devices, fingerprint, voice, etc.
Some of this information, such as a name or a fingerprint, allows a person to be identified directly. Such information is referred to as direct personal data or direct identifiers.
Sometimes a person can be identified by combining individual pieces of information with other information. Such information is referred to as indirect personal data or indirect identifiers. These may include the person’s professional title, gender or place of residence. Individually, they might not reveal identity, but when combined with other data, they can make identification rather easy.
- Note: At Aalto University, it is recommended that no special categories of personal data be included in bachelor’s theses as they do not undergo an ethical review. Even if master's theses may undergo an ethical review, the processing of special categories of personal data is not recommended in them either as it leads to additional research ethical requirements.
- Special categories of personal data contain sensitive information that reveals the person’s:
- Racial or ethnic origins
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Data concerning health
- Sex life or sexual orientation
- Genetic or biometric data for the purpose of uniquely identifying a person.
- Also data concerning criminal convictions is, as a rule, considered sensitive data.
- Processing special categories of personal data requires specifying the legal grounds for the processing.
In everyday language, special categories of personal data are often referred to as sensitive personal data.
Practical tip: In interview-based research, participants may themselves disclose information that belongs to special categories of personal data, even if the research topic itself is not sensitive. Such situations cannot always be anticipated. Follow the principle of data minimization: do not collect unnecessary information, and remove sensitive parts from the data as soon as possible before analysis.
Controller
- A person, higher education institution, company, authority or community.
- Defines the purposes and means of processing personal data, i.e. why and how personal data is processed, and is responsible for the processing of personal data.
- In bachelor’s and master’s theses the controller of personal data is typically the student. The student decides which personal data they collect and process in their research.
- An exception to this are studies carried out as an assignment or during an employment relationship or a research project of the school. In such cases, the student does not decide independently on the purposes and means of collecting personal data.
If more than one party decides on the above matters, they are referred to as joint controllers.
Processor
- Processes personal data on behalf of and in accordance with the instructions given by the controller.
- May also be the recipient of personal data to whom the data is transferred or disclosed.
- For example, Webropol Oy is the recipient of personal data when the survey questionnaire has been prepared using the Webropol questionnaire tool.
Aalto University recommends that personal data be processed with tools that have been reviewed by the university for information security and whose providers have agreements with the university regarding data processing.
Note! Use of AI-based services in the processing of personal data is prohibited.
- Case 1: The thesis is an independent work by the student. → The student is the controller.
- Case 2: The thesis is made for a project in an employment relationship with an Aalto school. → The school is the controller.
- Case 3: The thesis is related to a project in progress at the school, but the student is not in an employment relationship with the school. → The controller is defined on a case-by-case basis.
- Case 4: The thesis is done as an assignment (contract research). → The controller is the company etc. who has ordered the research.
- Case 5: The school/thesis advisor provides the student with the survey data. → The school or the thesis advisor will remain the controller. Although the data is used for new research for which it was not originally collected, the controller responsibilities are not transferred to the student. NOTE: However, the organisation or the thesis advisor has to obtain permission from the research participants for reusing the data for a purpose different from the original research.
Roles in processing personal data
What do the terms processor and recipient [of personal data] mean in a privacy notice?
The processor processes personal data on behalf of and in accordance with the instructions given by the controller. For example, a company that produces the interview transcripts is a processor of personal data.
The recipient is a broader concept than the processor. The recipient may be a provider of a technical platform or cloud service, like Google or Microsoft, to whom the data is disclosed/transferred when the data is stored. For example, service providers may use subcontractors for backing up data.
As processing personal data always involves risks, the student and thesis advisor must discuss them to decide on risk mitigation measures.
Examples of risks to the research participant:
- unauthorised disclosure of personal data
- access to personal data by unauthorised persons
- accidental destruction of personal data
- unauthorised alteration of personal data
- loss of personal data
Risks are assessed from the perspective of the data subject, meaning the research participant.
In theses and research, one of these is selected as the legal basis for processing personal data:
- Consent of the data subject: This basis is used for the Aalto University bachelor’s and master’s thesis, because they do not typically fulfil the criteria for scientific research. That said, the boundary between a thesis and independent scientific research is not always clear-cut: theses may be different in different disciplines and thesis quality may vary even within a single discipline. For more information on the conditions for a valid consent, see https://tietosuoja.fi/en/consent-of-the-data-subject
- Public interest: Public interest may be a processing criterion if the criteria for scientific research are met.
- In some cases, it may also be possible to use legitimate interest as the legal basis for data processing. In such cases, a balance test is required. Note: This does not apply to bachelor’s and master’s theses. See Office of the Data Protection Ombudsman: Controller's legitimate interests.
The different meanings of consent
Depending on the legal basis of the processing, you must obtain from the research participant:
Participation in the research is voluntary, and the participants may withdraw their consent at any time without consequences.
Practical tip: If it is not possible to request written consent to participate in the research (ethical consent), the participant can give their consent verbally at the beginning of the interview. The consent is then recorded in the interview recording. The student must also personally record from whom the consent was obtained and in what manner. In an online survey, consent to participate in the research can be given by marking the consent at the beginning of the survey form. (For additional information, see The ethical principles of research with human participants and ethical review in the human sciences in Finland. Finnish National Board on Research Integrity TENK guidelines 2019)
- The privacy notice is a document that informs the research participants of how their personal data is processed.
- The drawing up of a privacy notice is based on the General Data Protection Regulation of the EU (GDPR), which aims to protect the privacy and rights of individuals.
- A privacy notice is required whenever personal data is processed, regardless of the legal basis selected. This also applies to bachelor’s and master’s theses, in which the primary legal basis is the research participant’s consent.
- The privacy notice must be sent to the participants at the earliest possible stage (preferably when contacting them in the first place, e.g. in the survey cover letter) before participants decide on their participation.
Processing personal data in accordance with the data protection principles is a key element in research ethics: you must obtain consent to participate in the research (ethical consent) from each research participant, as well as their consent to the processing of their personal data (if the processing is based on consent) and to the possible reuse of the data. Read more about the legal bases for processing personal data.
Research ethics apply to all research. They are essential to both responsible research and research integrity, two practically inseparable concepts.
Research ethics include honesty, care and accuracy at all stages of research, and these take various forms depending on the research topic. Ethical concerns gain particular importance in research with human participants.
Data protection at different stages of thesis work
This guide addresses data protection issues related to the handling of personal data at different stages of a thesis. The topics are presented in the typical order of the process, but many aspects must be considered throughout the entire research project. The guide is primarily intended for supervisors of bachelor’s and master's degree students.
Based on the following document: Kanerva, P., Mure, L., Laine, K., Hyrkäs, E., Hynnä, N., Satama, M., Huuskonen, S., Päällysaho, S., & Marjamaa, M. (2024, June 12). Opinnäytetyön aineisto ja tietosuoja. Zenodo. https://doi.org/10.5281/zenodo.11619156