Data protection at different stages of thesis work
- The choice of topic is based on a discussion between the thesis advisor and author on the suitability of the topic.
- The suitability of the thesis topic must be assessed from the perspective of processing personal data when:
- The research involves human participants.
- Collecting/processing materials that allow the identification of people directly or indirectly.
- Collecting/processing special categories of (or sensitive) personal data. (Please note that Aalto University recommends that no special categories of personal data be processed in bachelor’s and master’s theses).
- The topic must be assessed from an ethical viewpoint:
- Identifying sensitive topics and target groups.
- Risks and disadvantages to research participants (and to the thesis author).
- As a rule, a thesis should not be written on topics requiring an ethical review.
- The topic must be assessed from the perspective of the student's skills and time use.
Sensitive topics and target groups not recommended for bachelor’s or master’s theses
- Sensitive topics such as: experiences of siblings of crime victims, experiences of patients with chronic breast cancer, health-related topics.
- Research on vulnerable persons or groups, such as: immigrants with a refugee background, children and the elderly.
Things to consider with the student:
- Having your personal data protected is a fundamental right for everyone. Personal data may only be processed for a reason and on a legal basis. This also applies to students who process personal data in their theses.
- The key regulations governing the processing of personal data are:
- The General Data Protection Regulation (EU) 2016/679, referred to as GDPR
- The Data Protection Act (1050/2018), which complements the General Data Protection Regulation.
- Guide the student to familiarise themselves with the templates of Aalto University (Note! Bachelor’s or master’s degree students have their own privacy notice, which differs from the privacy notice for scientific research): privacy notice, ethical consent form, and consent to processing personal data, all on the same form and the instructions on data protection and processing of personal data: Guidelines on processing personal data for studies | Aalto University
- The research plan or data management plan (DMP) contains a description of how personal data will be processed in the different stages of the thesis process.
- The student should always make a data management plan even if it is not mandatory. This helps students to understand and document the data protection measures.
- In the planning stage, you need to think about the types of personal data that you will collect for the thesis. The more damage to the research participant if data was to be disclosed to a third party, the more care is required.
- The type of personal data collected has an effect on:
- where, how and with what tools personal data may be collected, transferred and analysed;
- where the data can be saved.
- The data processing and storage methods must be specified in the privacy notice.
- When planning data collection, the student must adhere to the principle of minimising the collection of personal data, i.e. collect only personal data necessary for the thesis.
- Data collection should be done paying attention to the information security of the data collection tool and the transfer of personal data, for instance, from the collection device to a file and from one program to another.
Example:
- In surveys, it is advisable to avoid open-ended questions that might elicit personal data in the responses.
- When conducting an interview, you can remind the research participant to keep to the subject matter of the interview and to not mention any third-party information.
- Make sure that the equipment used for recording sound and video during interviews is not used by third parties while they contain interview data.
- Transfer the recordings and delete the original files (audio, video) from the collection devices as soon as possible after the interview.
- Check whether a secure connection (encrypted file) is needed when transferring files from one tool to another.
How to proceed with data protection when:
Data is collected from social media:
- Clearly inform about the research and the processing of personal data in advance.
- If you cannot personally request consent, inform the target audience by, for instance, publishing a privacy notice on social media.
- Always check in advance whether the platform used allows data collection for research purposes. For example, it is possible to collect research data from X, but collecting data for research purposes from Meta's social media services is more difficult.
- Store the data collected from social media in the same way as other confidential data containing personal information.
Data is collected using a commercial application:
- Use only applications approved by Aalto University's IT services in the research.
- Transfer the data to the university's systems as soon as possible.
- Process and store the data like other research data.
Personal data is processed in interviews:
- Remember that, for example, email addresses, voice, and images are personal data.
- Collecting personal data requires consent and a privacy notice, even if the research questions do not concern the respondent's personal matters.
- If personal data has been collected without proper consent, consent and a privacy notice must be obtained retrospectively.
- If the participant does not give consent, their data must be deleted.
The student must be able to demonstrate that they have processed personal data in accordance with the data protection regulations (accountability). To this end, the student should document all actions carefully. Check that the student has the following documents:
- Data management plan: at Aalto University, for example, it is recommended to include one if a research permit is needed (see Aalto University's research permit process | Aalto University).
- Informing the research participants: if personal data is processed, you should mention the processing and possible reuse of the data (e.g. using the data protection form, see below).
- Instruct the student to use Aalto University templates: privacy notice, ethical consent form, consent to participate in the research (all on the same form).
- Research permit (if required by the organisation being studied).
- What informing means:
- Participants are informed about the purpose of the research and the processing of their personal data (collection, use, disclosure, storage).
- The aim of informing is to clarify to the participants how and why their data is processed.
- Informing can occur at several different points, but the most important thing is that it is consistent across all documents (privacy notice, research notice).
- Planning the informing:
- Conducted in accordance with the data protection regulation and research ethics guidelines.
- Good informing is concise, clear, easily understandable and accessible.
- The comprehensibility of informing should be tested by an external reader.
- Documents and timing of informing:
- Privacy notice (always prepared): data controller, data retention period, transfer/disclosure, rights of the data subject.
- Ethical consent: participation in the research, further use and archiving.
- Research notice (not necessarily used if the privacy notice already contains sufficient information): may include information about the topic of the research, objectives, benefits or disadvantages, as well as the potential further use of the research.
- Documents are provided in writing or electronically, unless the participant requests oral information.
- Informing takes place before data collection: directly collected data at the beginning of collection, data obtained from elsewhere within one month.
- Methods of informing:
- Face to face, at the beginning of a questionnaire, by email or through websites.
- If there is no direct contact, the information is published publicly (e.g. on the project’s website).
- Participants are given time to familiarise themselves and ask questions.
- Changes to the processing of personal data are communicated and updated in the privacy notice.
- Documentation and storage:
- Consent is digitised or recorded if given orally.
- Documents of informing are stored due to the obligation to provide evidence.
- Aalto University templates: privacy notice, ethical consent form, consent to participate in the research (all on the same form).
If the thesis deals with personal data, the student must prepare a privacy notice that is given to the research participants.
The privacy notice must include at least the following details:
- The purpose of the research and the legal basis for processing personal data.
- Name and contact details of controller. The controller is the party that determines the purposes and the means of personal data processing.
- What personal data is collected and from which sources.
- How personal data will be processed, stored and protected.
- The storage period of the personal data.
- To whom personal data is disclosed and why.
- What rights the participants have to their data and how they can use them. For example, the participants’ right to know what information has been stored about them, the right to ask for the data to be rectified or erased and the right to object to the processing of the data.
- How the participants can contact the controller or Data Protection Ombudsman if they have any questions or concerns about data protection.
If participants cannot be informed directly, the privacy notice can be published, for example, on a website.
It is advisable to provide the privacy notice to the participants as early as possible, for example, already in the interview request, since the notice presents the personal data collected in the research (the contents of the research register) and one part of it is the contact details of the participants.
You do not have to, and may not even be able to, save the privacy notice as an appendix to your thesis. The most important thing is that compliance with the data protection regulations is adequately documented in the research plan and in any other documentation required. A good practice is to describe in the methodology and data section of the thesis how and when the privacy notice (date) has been available to the participants. In addition, the templates of the relevant forms may be added to the thesis appendices, but it is important that the appendices do not contain any personal data of the participants or other sensitive data. The privacy notice may not necessarily be included as such if it contains confidential information, such as in interview surveys conducted on assignment for a company. In such cases, the privacy notice and other documents are background material for, but not appendices to, the thesis, because the thesis is a public document, and the appendices are part of the thesis after its approval.
- Students must check with the organisation being studied in their thesis whether they need a research permit and check related practices of the organisation (e.g. what documents are needed).
- Aalto University policy: The student, together with their thesis advisor, always applies for a research permit from Aalto University if they are planning a thesis or other research involving Aalto University students or staff, or if they need Aalto University data for their research. Aalto University has a form for requesting a research permit. For details, see Research permissions process at Aalto University. Note! In most cases, the research permit process applies only to scientific research, which means that the student may not need one. However, the permit process is used to determine whether a research permit is necessary.
Agreeing on the use of the data when the material has been provided by the supervisor
First, you have to check the origins of the data: Who owns it and who has the right to access it? What has the original data collector agreed concerning the processing of personal data? Have the research participants been informed of the reuse of the data?
If the data has been collected by the thesis advisor themselves: Does the thesis advisor have the right to disclose the data for reuse, and have they remembered to ask permission for giving it to the student? Does the data contain any copyrighted material (e.g. images) for which separate permissions are required, or personal data that can only be used after obtaining consent? The agreement on the use of the data should be made in writing; it may contain provisions on, for instance, confidentiality.
Data containing personal data always involves risks, as the person can be identified directly or by combining it to other data. No one wants confidential information given by research participants to end up in the wrong hands or be accessible by any unauthorised persons. The privacy of research participants must not be compromised by careless data processing.
Materials can be protected by various methods:
The safeguards for handling personal data are
- Minimisation:
- Only collect the personal data needed for the research.
- Erase any additional information given by the interviewees from the data.
- Erase personal data from the data as soon as they become unnecessary.
- Pseudonymisation:
- Pseudonymisation means replacing any information from which a person can be identified with other information or a code immediately after the data collection begins or when its processing begins. Without information on the person(s) that the obfuscated data refers to, no individual may be identified from the data.
- Information about which items in the dataset have been masked with terms or codes as well as the terms and codes must be kept separate from the dataset itself.
- As long as the ‘code key’ allows the personal data in the data to be disclosed again, the data must be processed with particular care.
- Even when pseudonymised, personal data is personal data, and data protection regulations apply. This means, for instance, that the data must be saved using GDPR compliant services.
- If the student wishes to store the data after the end of the research process, the code key must be destroyed.
- Anonymisation:
- Anonymisation of the data means removing from the data any data allowing an individual to be identified.
- This may be achieved by altering, categorising or modifying the data to such a general level that identifying individual research participants is impossible. Identification must be prevented irreversibly.
- After anonymization, a person should not be able to identify themselves in the dataset, even if they know they provided a response to the survey from which the research was conducted.
- Creating completely anonymous data is rarely possible, and it may not be ideal for analysis. Therefore, the student may need to carefully consider different solutions to ensure that no one can be identified from the data by reasonable means, while still ensuring the usability of the data for research purposes.
- When the data can be anonymised, it can be processed in the same way as any other data. As a result, it may be stated in e.g. the privacy notice that the processing of personal data ends with anonymisation.
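As an added illustration of the minimisation, pseudonymisation and code-key points above (this is example code written for this page, not part of the original guidance or any Aalto University tool), the following Python walks a constructed set of interview records through the steps: drop fields the thesis does not need, replace direct identifiers with random codes kept in a separate key, generalise exact ages into bands, and show that once the key is destroyed the codes can no longer be linked back to a person.

```python
import secrets

# Constructed sample interview records; the people and addresses are invented.
RECORDS = [
    {"name": "Anna Example", "email": "anna@example.invalid", "age": 34,
     "answer": "Remote work suits me."},
    {"name": "Ben Sample", "email": "ben@example.invalid", "age": 57,
     "answer": "I prefer the office."},
]

# Fields from which a person can be identified directly.
DIRECT_IDENTIFIERS = ("name", "email")


def minimise(records, needed):
    """Keep only the fields the thesis actually needs (data minimisation)."""
    return [{f: r[f] for f in needed if f in r} for r in records]


def pseudonymise(records, identifiers=DIRECT_IDENTIFIERS):
    """Replace direct identifiers with a random code.

    Returns (pseudonymised_records, code_key). The code key maps each code
    back to the removed identifiers; it must be stored separately from the
    dataset, because while it exists the dataset is still personal data.
    """
    code_key = {}
    out = []
    for rec in records:
        code = "P-" + secrets.token_hex(4)  # unguessable, unlike a running number
        code_key[code] = {f: rec[f] for f in identifiers if f in rec}
        pseudo = {f: v for f, v in rec.items() if f not in identifiers}
        pseudo["code"] = code
        out.append(pseudo)
    return out, code_key


def reidentify(pseudo_records, code_key):
    """Re-link codes to identities; only works for codes present in the key."""
    return [dict(r, **code_key.get(r["code"], {})) for r in pseudo_records]


def destroy_code_key(code_key):
    """Destroying the key is what makes re-identification via the code impossible."""
    code_key.clear()


def generalise_age(pseudo_records, band=10):
    """Categorise ages into bands so an unusual exact age cannot single a person out."""
    out = []
    for r in pseudo_records:
        low = (r["age"] // band) * band
        out.append(dict(r, age=f"{low}-{low + band - 1}"))
    return out


def has_direct_identifiers(records, identifiers=DIRECT_IDENTIFIERS):
    """Check that no direct identifier field survived in the working dataset."""
    return any(f in r for r in records for f in identifiers)
```

Indirect identifiers (an unusual job title, a small workplace, free-text answers) are not handled by this code; the anonymisation bullets above are why they still need manual review.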
Technical protection measures are
- File encryption.
- Various access management measures (passwords, two-factor authentication).
Even the anonymisation of material is processing personal data. Consent must be sought from the subjects and a data protection notice must be made. Once the material is anonymised, it can be handled more freely as it no longer contains personal data. Producing fully anonymous material can, however, be difficult.
- When selecting a storage solution for research data that contains personal data, the most important thing is to ensure its information security.
- The student is advised to familiarise themselves with Aalto University's storage solutions (e.g. the university's personal network drive, home.org.aalto.fi, or, if the data is shared with the thesis advisor, OneDrive or Teams) and to follow the instructions of the university's IT services (Aalto University's storage solutions) when selecting the data storage service.
- If personal data is collected on paper, the data must be stored in a locked cabinet and destroyed after the research.
- Make sure to prevent any unauthorised use of the personal data.
- Always encrypt emails containing personal data.
- Avoid using a USB memory stick. At the moment, Aalto does not offer encrypted USB memory sticks, and sticks may contain malware or be misplaced. See Cyber security for students.
Saving the interviews on your personal phone is not recommended. By default, the phone automatically stores information in a cloud service managed by the telephone manufacturer, which is located almost without exception outside the EEA. A corresponding functionality may also be part of the software provided by the equipment manufacturer for transferring recordings from the phone to the user’s computer. See: https://www.tuni.fi/en/it-services/handbook/it-research/collecting-research-data-0/data-security-voice-recorders-and-cameras You should save the interviews primarily with remote meeting services such as Teams or Zoom. If those are not an option, you should borrow a voice recorder from Aalto Takeout.
- The transfer of research data is about the data “moving” between different actors. Having the option to view files over, for instance, a remote connection (e.g. remote access to a network drive) also constitutes file transfer.
- When transferring research data, the responsibility for processing personal data remains with the transferrer (cf. disclosure of data, where the responsibility for processing personal data is transferred to the data recipient and the controller changes).
What needs to be considered if data is shared with a party outside Aalto University (sending data for transcription or opening data in a data repository after the thesis is completed)? The transfer must be agreed upon between the supervisor and the student, considering, for example, how the data is transferred and how it is disposed of. The subjects must be informed of the data transfer in the privacy notice. A data processing agreement is required if the recipients of the data are in the position of a processor, for example, if the data is transcribed.
- The research participant must always be informed of the reuse and archiving of the research data. Even if you initially have no plans to reuse the data, you should anticipate future needs and mention the possibility of reusing the data at least in the privacy notice. It may be difficult or even impossible to ask for permission to reuse data afterwards.
- This information may be included in one or more documents. Documents containing this information may include:
- privacy notice
- participant information sheet
- cover letter for the questionnaire
- consent form
- The key is that the research participant has intelligible and correct information on the reuse of the research data. In order to protect the rights of the research participants and the possibilities of reusing the data, you should aim for consistency of information in all the documents.
- When informing the research participant, the relevant data includes answers to at least the following three questions:
- Where will the research data be disclosed for archiving?
- To whom will the research data be disclosed for reuse?
- For which purposes will the research material be disclosed later?
Case 1: If you are planning to continue research (e.g. to do a doctorate) after your master’s thesis:
Case 2: If you wish to reuse previously collected data for further research without a prior permission to do so:
Case 3: Can direct quotes from participants be used in the communications of the party who has ordered the research if the participants were not informed of such use of data at the start of the research?
- Once the thesis has been approved, the student must decide whether to store or erase the data.
- The benefit of erasing the data (incl. consent forms) as soon as possible after the approval of the thesis is that erasure eliminates the risk of information security breaches.
- Storing the data may be justified from the viewpoint of the students’ rights, in case a need arises to review the data later. Nonetheless, students are recommended to anonymise the data before its storage.
- Note that the students’ files are removed from Aalto University's storage solutions after graduation.
- Since the thesis becomes a public document immediately after its evaluation and approval, it must not contain any secret information.
How long can or must you store the collected data? “Only as long as necessary” is a very vague rule. The research participant should be given more detailed information on the length of the storage period, e.g. ‘The data will be destroyed within XX months of the approval of the master’s thesis.’ Research participants must be informed of the archiving and possible reuse of the data in, for example, the participant information sheet, questionnaire cover letter, consent form or privacy notice.
Guidelines on data management and security for bachelor’s and master’s thesis advisors
The instructions are intended for supervisors of bachelor’s and master’s theses at Aalto University. They compile the key data and data-protection issues related to theses and guide supervisors on the necessary measures during the supervision process. The quick guide at the beginning of the page helps to grasp the most important data-protection aspects at a glance.
Based on the following document: Kanerva, P., Mure, L., Laine, K., Hyrkäs, E., Hynnä, N., Satama, M., Huuskonen, S., Päällysaho, S., & Marjamaa, M. (2024, June 12). Opinnäytetyön aineisto ja tietosuoja. Zenodo. https://doi.org/10.5281/zenodo.11619156