Personal data and Research ethics
Researchers collecting personal data must comply with the applicable legislation, the ethical principles of research in the humanities and social and behavioural sciences and proposals for ethical review, and the Aalto guidelines on the processing of personal data in scientific research.
What is personal data and when does legislation apply?
The General Data Protection Regulation (GDPR) is EU legislation and is enforced starting 25.5.2018.
In the GDPR, personal data is defined as any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Personal data is a broad concept and includes, for example, images and sound files. Interviewing persons produces personal data, and location information collected from cellphones is personal data, as it can show exactly where a person lives and works.
Data protection legislation is applicable when personal data is processed. Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
A new requirement is defining the lawful basis for processing and informing the data subject of this basis. The GDPR has a list of information that has to be provided to research participants if their personal data is processed. Informing participants has to comply with research ethics and with the GDPR. Here you can find a privacy notice template for research participants and instructions for informing data subjects on the processing of personal data.
Accountability is also a new requirement. Aspects of personal data handling have to be documented. In cases of high risk to research participants, the GDPR requires a data protection impact assessment (DPIA). The French supervisory authority has published a well-functioning DPIA tool.
The GDPR leaves important issues related to research to national parliaments. The Parliament of Finland is debating this legislation.
Steps to handle personal data
Processing personal data requires planning the collection and use of data and careful attention to security. In the Data Management Plan, the researchers can justify why the data or part of the data can’t be shared openly. Read more about personal data and open research data in Horizon2020 (signing into OpenAIRE required).
Store data in appropriate, secure locations. Cloud services (Dropbox, Google, OneDrive, etc.) are generally not acceptable. See the Aalto reference for data storage locations (more info on Aalto network drives).
Avoid sending files by email, especially to addresses outside the university. Store data only in its original system, unless it is absolutely mandatory to export the information into another. Instructions on sending encrypted e-mail are found here. For internal use, it is better to get a network drive and share via that location.
Frequently asked questions are answered in this Q&A page.
A researcher can request an ethical review from the Aalto University Research Ethics Committee (login required). Ethical review is mandatory in cases where there are additional risks to research participants, for example when sensitive personal data is collected. See more information on when ethical review is required. Furthermore, editorial policies of journals may require that research projects involving the use of personal data (e.g. participants, surveys, interviews) must be approved by the author's institutional review board. This ethical review of the planned collection and use of personal data has to be obtained before the collection of the personal data can start. If the results are to be published in a journal that requires an ethical review, authors must include a statement identifying the institutional committee that has approved the processing of personal data.
The Finnish Social Science Data Archive (FSD) is a certified research data repository serving researchers who wish to archive data. FSD offers advice on data management and management of personal data; see http://www.fsd.uta.fi/aineistonhallinta/en/
Anonymised data is no longer personal data. Anonymisation results from processing personal data in order to irreversibly prevent identification. In doing so, several elements should be taken into account by data controllers, having regard to all the means "likely reasonably" to be used for identification. See Working Party 29 Opinion 05/2014 on anonymisation techniques.
Anonymisation of personal research data is the solution for complying with both the data protection legislation and the requirements of open data. See more on anonymisation techniques in the UK Information Commissioner's Office guide to data protection and anonymisation, which describes the steps to take in ensuring that anonymisation is conducted effectively, while retaining useful data.
To publish open data, data containing personal data has to be anonymised. Before the anonymisation, personal data has to be handled according to the above-mentioned legislation, principles and guidelines.
If you wish to collect and reuse personal data that is not wholly anonymised, for example, interviews with professional experts in a certain field, contact the FSD repository staff before you start collecting information to see if archiving could be achieved, so that research participants can be informed in the manner required by the repository. The staff of the repository can help researchers with data curation and the steps leading to a successful collection and preservation of research data. Pseudonymised data is still personal data, and allowing only restricted access can be used as a measure.