The purpose of this personal data policy is to define the main principles, responsibilities and procedures that will be followed when personal data is processed at the university.
How to handle personal data in research?
Definition of personal data
If you collect information from or about persons, assume that it is personal data. Pseudonymised data is also personal data. More information on what personal data is can be found at: https://tietosuoja.fi/en/what-is-personal-data.
If you are processing personal data, do the following:
1. Plan what data you need
Understand the objectives of your study both now and in the future. Think about what data you need and also what data you do not need. Think of how you can design your study so that your data is least identifiable while still accomplishing your goals. These data minimization and privacy by default principles are core principles of the General Data Protection Regulation (GDPR).
2. Plan the entire life cycle of personal data processing
Plan the entire life cycle of personal data processing (including e.g. collecting, storing, usage, research cooperation, further research, archiving, deletion) before you begin to collect or otherwise process any personal data. Aalto’s privacy notice template can be used to help with this planning (please see the list item five below).
The Finnish Social Science Data Archive (FSD) is a certified research data repository, and its research data management instructions include expert advice on personal data.
3. Consider data security and use Aalto's information systems
Take care of adequate data security measures and use only Aalto-approved information systems.
For more information about data security, please see Aalto's General instructions for secure processing of personal data linked below (particularly sections 3, 9, 11, 12 and Special Instructions sections 1 and 2).
A list of the information systems to use with classified data at Aalto can be found in the attached document. Systems under categories "Confidential" and "Secret" are OK for personal data.
4. Evaluate risks to data subjects
4.1 Get ethical pre-evaluation
If sensitive personal data is processed in your research project, you must get an ethical pre-evaluation from the Aalto Research Ethics Committee. Even in other cases, a research partner, publisher or funder may require ethical review. Lack of ethical review can prevent publishing or funding of the project.
- Sensitive personal data is special category data or data related to criminal records, social security numbers or bank account details.
- Special category data is data concerning health or revealing political opinions, data which reveals racial or ethnic origin, religious or philosophical belief, trade union membership, genetic data, biometric data when it is processed for the purpose of unambiguous identification of a natural person, and data concerning sexual behavior or sexual orientation.
4.2 Carry out a data protection impact assessment (DPIA) when needed
A data protection impact assessment (DPIA) must be done if the planned personal data processing is likely to pose a substantial risk to research participants. This situation is likely to occur when you process large amounts of data or when you process personal data of children or other sensitive personal data. DPIA is included in the Aalto Research Ethics Committee review.
5. Define the legal basis for processing personal data
You can only process personal data if you have a legal basis provided in the legislation. In scientific research, the legal basis is usually either “performance of a task carried out in the public interest” or “consent”.
- The choice of the legal basis is important, because it affects e.g. your obligations and possibilities in the research. If you choose “consent” as the legal basis for processing, you must e.g. enable the participants to revoke the consent and you must be able to remove the personal data if the data subject requests this.
6. Draft a Privacy Notice
Choose the privacy notice template:
- When you collect personal data directly from the participants, fill in and use the “Participation Confirmation” AND “Research Data Privacy Notice” documents.
- When you collect health data or other special category data (sensitive data), use the “Health and Special Category Privacy Notice for Research Study”.
- When you collect data that is not sensitive, use the “Research Data Privacy Notice” document.
The Privacy Notice is used to inform the research participants before you start to collect or otherwise process personal data. Information given e.g. in the privacy notice and research and Data Management Plan should not conflict. The Privacy Notice is also needed as an appendix for the ethical review.
Also send the privacy notice that you have given to data subjects to [email protected].
7. Document the processing activities
Document the systems you used for storing and for other processing of personal data.
- Use the form above to document the systems and processing activities (login required)
Send the filled form together with the privacy notice to [email protected].
8. If you disclose or transfer personal data to be processed outside of Aalto, note the following:
If the other party processes personal data only for purposes defined by Aalto, e.g. when you transfer personal data to a subcontractor or to a cloud storage service, you must make a data protection agreement (DPA) with that party.
If you transfer personal data to another university or research institution that defines, together with Aalto, the purposes for which personal data will be processed, or if Aalto and the other university have a joint personal data filing system that can be used independently by both Aalto and the other university, both universities are considered to be controllers.
If you disclose personal data to another university or research institution that can independently define the purposes for which personal data will be processed, you must agree in detail on e.g. the purpose for processing personal data and information of research participants before you disclose any personal data.
Personal data can be transferred outside of the EEA only under certain conditions. For more information, please see: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu_en.
Aalto templates (login required):
The same person who signs the main agreement shall sign these agreements. Privacy agreements must be sent to: [email protected].
9. Inform data subjects about changes and update documentation
Personal data may only be processed for the purposes of which the research participant has been informed prior to the beginning of the processing (by Privacy notice templates). If you need to process personal data for other purposes, you must inform the research participants of these new purposes and update all documents prior to the processing.
Further information on handling personal data
In addition to this guidance, please familiarise yourself with the best practices of your own field of science, Aalto's general data protection instructions and Aalto’s Data Protection policy.
If you need further assistance, please contact your school’s lawyer or Aalto’s data protection officer.