FAQ about personal data processing

If the links in the text lead to Finnish-language pages, change the language on the page to English (menu FI/EN).

Do you process personal data?

First, determine whether you process personal data, i.e., data that can be used to identify a person directly or indirectly. If you are unsure what personal data is, familiarize yourself with the concept Identifiability and anonymization - Data Archive

If you process background variables and open-ended responses, there is always a risk of identification. Identification does not require that a large group of people recognize the data subject; it is sufficient that, for example, the person's acquaintances or family recognize the person.

The following typical indirect identifiers may lead to identification:

Gender: female

Job title: data protection officer

Region: Central Finland

Employer: university

This would involve the processing of personal data.

Background variables combined with open-ended responses

Gender: other

What kind of personality do you have, both good and bad sides: I am sociable, outgoing, and talkative. However, I do not trust people; I consider them to be self-centered and unreliable, only looking out for their own interests. I cannot stand authority figures; I hated them even in school.

What are your dreams for the future? I would like to live in a small lakeside house in Saraavesi, Laukaa, with my husband Waldo and our dogs Tarzan, Mustanaamio, and Zorro.

This involves the processing of personal data.

Answer the questionnaire you have created yourself and consider what kind of answers are possible. Do the answers involve a risk of identification?

If the survey is otherwise anonymous, but you want to follow up by email or hold a prize draw, etc. You are processing the email address as personal data, so you must provide the data subject with information about the processing of personal data. However, in survey software, you can separate the request for an email address from the rest of the survey so that the responses cannot be linked to the person who provided the address (taking into account the principle of minimizing the processing of personal data). However, since you are processing personal data, i.e., email addresses, please read these instructions to the end (informing the data subject).

If you are not processing personal data - the survey is anonymous, you do not need to provide data protection information (privacy notice), as data protection legislation does not apply to the processing of anonymous data. For scientific research, ethical consent must be obtained even if you are not processing personal data. A template for this can be found on the committee's website Instructions for submitting a request for a statement | University of Jyväskylä 7. Ethical consent form – no personal data.

If you process personal data, you must specify the controller, the legal basis for processing, the privacy notice (as part of the personal data lifecycle), and a secure processing environment.

Define the controller

The controller defines the purposes and means of processing personal data (why, what, where, and how it is processed). When conducting a survey is part of an employee's job, the university is the controller. The university may also be a joint controller with another organization if the purposes and means have been defined jointly, e.g., JYU and JAMK may be joint controllers. The controller, including joint controllers, must be specified in the privacy notice (also indicate the key processing responsibilities of the joint controllers), such as which party is responsible for informing the data subject (privacy notice), whose survey software is used, and which party is responsible for anonymizing or destroying the data when the personal data lifecycle ends.

Define the legal basis for the processing of personal data (depending on the purpose of the processing) and state it in the privacy notice

In scientific research, the legal basis for processing is a task in the public interest (the basis is already included in the privacy notice template).

If it is a matter of a monitoring or investigative task carried out by the university based on obligations imposed on the university, such as Section 87 of the Universities Act to evaluate education, research, and their effectiveness, then Section 4(2) of the Data Protection Act can be used as the legal basis for processing insofar as personal data must be processed, Section 4(2) of the Data Protection Act (processing is necessary and proportionate for the performance of a task carried out in the public interest by a public authority) or Section 4(3) may be used if the primary purpose is to produce statistical data (processing is necessary for statistical purposes and is proportionate to the objective pursued in the public interest). Section 4(2) does not allow the processing of special categories of personal data.

In communications concerning existing customers, such as customer feedback, the legitimate interest of the controller, the use of legitimate interest, usually requires a balancing test Informing the data subject about the processing of personal data | University of Jyväskylä (perform a balancing test).

The data subject's consent may also be a legal basis for processing, but the controller does not recommend its use if there is another basis for processing. The criteria set for consent in the law are strict, and obtaining lawful consent can be difficult. See Consent of the data subject | Office of the Data Protection Ombudsman The consent required in scientific research to participate in the research is different from the consent required in the General Data Protection Regulation as a legal basis for the processing of personal data.

Take care of informing the data subject (privacy notice)

Scientific research uses its own templates Informing the data subject about the processing of personal data | University of Jyväskylä

For other surveys, the template can be taken from existing privacy notices (adjust the content to suit your situation, including the legal basis for processing) Processing of personal data at the University of Jyväskylä | University of Jyväskylä

Students' coursework uses templates reserved for this purpose Informing data subjects about the processing of personal data | University of Jyväskylä

Please note: when personal data is collected from a data subject, a privacy notice must be provided (e.g., a link to the notice (shared from SharePoint, for example) or attached as a PDF file to the survey presentation) when the data is obtained. You cannot request certain information in the survey software and only inform the data subject about the processing afterwards. Even if you later anonymize the personal data, this does not remove your obligation to inform the data subject. If you use consent as the basis for processing, please note the requirements for valid consent.

Secure processing environments

Only survey software approved by JYU may be used for processing personal data. See the confidentiality table for up-to-date information on this: Confidentiality guideline application table — Intranet Uno. Please note that survey software providers are usually so-called personal data processors, with whom a personal data processing agreement must be in place (JYU has a processing agreement with Webropol, for example, while REDCap survey software operates in its own data center, meaning there is no separate processor).

Permanent surveys for staff and students

As an employer or education provider, the university conducts certain surveys that are generally repeated, such as employee well-being surveys and graduate career follow-up surveys. For these surveys, personal data is processed within the framework of existing privacy notices, so these guidelines apply to them as appropriate. For these surveys, the content of the privacy notices is reviewed regularly and communicated when the survey is relevant.

If the University of Jyväskylä is the controller or joint controller of personal data processing, data protection, and security issues must be checked before systems or applications are implemented. This review will be based on material provided by the supplier (service provider) and you. Contracts may also need to be renegotiated. If the application or system is not mentioned in the University's table of processing confidential information it is unlikely to have been assessed - sufficient time should be set aside for data protection and security assessments.

Check has the system or application been reviewed: table of processing confidential information 

If the system or application you want is not listed in the table, submit an alignment request in KA-Vasara in accordance with the overall architecture (OA) alignment process.

You must follow the Table of processing confidential information.

Table at Uno

There is no precise definition of scientific research in the law. However, it is important to recognise when it is scientific research and when it is other research (e.g. opinion poll, planning and or other studies, etc.).

Perhaps the most useful in practice is the decision is from the Supreme Administrative Court (KHO 2013:181), where the characteristics of a scientific study were considered to be:

• a proper research design
• sufficient scientific competence of the authors
•  the requirements of autonomy and publicity
• and the main scientific objectives of the research.

In the case in question, a company engaged in pharmaceutical epidemiological research had applied for a research authorisation under Article 28 of the Publicity Act in order to obtain anonymised access to the data contained in the prescription file of the National Social Insurance Institution (Kela) for research funded by a pharmaceutical company. The company's research plan as such met the qualitative requirements for a proper plan and the researchers had sufficient scientific qualifications. The involvement of the pharmaceutical company as a sponsor of the study did not exclude that the study could not be considered scientific. However, the study had to meet, inter alia, the requirements of autonomy and publicity. 
 

The problem was that the survey allowed the prescription data to be used to collect information on the purchase and use of medicines that were relevant to the pharmaceutical company funding the study. The limitations of the study were not without problems and the possibility for the pharmaceutical company to influence the content of the resulting publications was not excluded. Therefore, it could not be concluded with sufficient certainty that the main objectives of the study were scientific. Because of the way in which the study was carried out and its scientific shortcomings, the Social Insurance Institution could have rejected the application for a research authorisation on the basis of Article 28 of the Publicity Act.

In order to take account of the specific characteristics of private sector studies, the Social and Health Research and Development Centre Stakes, the National Institute of Public Health, the Social Insurance Institution of Finland, the Health Insurance Institution of Finland, the Centre for Health Care and the National Institute of Occupational Health have jointly drawn up a memorandum (dated 2 June 2006) on the principles and practices for the disclosure of confidential register data. The memorandum defines what is meant by scientific research and the conditions under which confidential data may be disclosed. According to the Working Party Memorandum, the following characteristics and definitions, among others, apply to scientific research:  

Autonomy means that the way in which information is generated must be independent of the opinions of the researcher, the scientific community, and outsiders. Scientific research must not be influenced by the economic, political, religious or moral desirability or undesirability of the results.  The principle of public access means that the conduct and results of research must be public. The argumentation of a claim must be public so that everyone can be convinced of the legitimacy of the claim. Progress means that the truthfulness of the research increases through the acquisition of new knowledge and the elimination of inaccuracies and errors in old knowledge.

It is worth noting that the above examples have concerned the handling of confidential information.

In one decision (dn. 859/45/98) before GDPR came into effect concerning a thesis study on the services of funeral parlours carried out by students of the School of Economics and Administration of the University of Applied Sciences, the data protection ombudsman considered that the study was not scientific, but rather market research or opinion polling.

E.g., for very young or pre-literate children, transparency measures may also be addressed to holders of parental responsibility given that such children will, in most cases, be unlikely to understand even the most basic written or non-written messages concerning transparency (WP29 transparency guidelines). This can also be done if a person is not a child but is illiterate and has a guardian. 

GDPR article 12.1 states that the information shall be provided in writing, or by other means, including, where appropriate, by electronic means. Information may be provided orally to a data subject on request. In the context of persons who are visually impaired or if an adult cannot read informing them orally may be an option. It could be an innovative idea to do e.g., recording so that the participant may listen to it even multiple times if they prefer. Because of the accountability principle it is important to document how and what information was given.

Equally, if it is a vulnerable person, including people with disabilities or people who may have difficulties accessing information, there is a need to estimate the likely level of understanding and evaluate whether it is possible to give any information in writing (e.g., the university has simplified research notification, privacy notice and consent template). 

If the data subject is blind, they usually use a particular software to read digital documents (data may need to be e.g., in PDF, if it is the only format compatible with such a software).

In these situations, you will need to do a case-by-case analysis to estimate what is the best way to inform participants.

Cultural, or legal differences do not make it possible to deviate from the informing obligations when the data controller is in the EU (European Union). However, notice that you have the right to modify model templates so that those are as understandable as possible (plain and simple language).  

If you are targeting data subjects speaking a different language, you usually need a translation if you are not sure they understand the chosen language. A person for whom e.g., English is not a first language may claim that they were unable to understand, the legal basis, controller, or the purpose of the processing as set out in the privacy notice — such that the processing is not transparent in accordance to Article 5(1)(a) or 12 and 13 of the GDPR and therefore unlawful.

If a participant has e.g., a higher education degree, in which the language of tuition/instruction is English, completed in an EU/EEA country, the United Kingdom, Switzerland, the United States, Canada, Australia, or New Zealand one could assume that they have the capability to understand information which is in English. You may also consider if the participant assures that (s) he has the necessary language skills. However, the threshold would be that they need to understand the language used.

Now JYU model templates are in Finnish, English, and Swedish but you may need also translations depending on your target group. 

Also, notice that where the information is translated into one or more other languages ensure that all the translations are accurate and that the phraseology and syntax make sense in the second language(s) so that the translated text does not have to be deciphered or re-interpreted (WP29 transparency guidelines p. 10). A machine translation can be a risk.

The GDPR (EU 679/2016) does not apply to the processing of personal data about deceased persons or situations where personal data is not collected (where persons cannot be, directly or indirectly, identified from the collected data; for example, anonymised data is used). However, when writing about deceased persons, the memory of the deceased should always be respected. [2] The most significant exceptions to the application of the GDPR are intended to guarantee the freedoms of speech and information when personal data is processed in terms of a journalistic, academic, literary or artistic expression.

The concept of academic expression has not been defined in the GDPR or the Finnish data protection act (1050/2018). Academic expression cannot be the primary grounds for processing when conducting scientific research. However, e.g. if a very rare disease is being studied, the research subject may be identified from the research results. As a result, an academic expression may be necessary to report the results or present criticism of official or political decisions who are identified from the research results.

Yes. Identifiability does not require that a person is known by everyone or a large group of people.

In principle, you are collecting data from persons, and to resolve this situation, you should assess whether these persons can be identified from this data, directly or indirectly (e.g. by combining this data with other data). This assessment may be challenging and also change over time (the volume of data available online is constantly increasing). In other words, it would be safer to process this data as if it were personal data (you will need information sheet and data privacy notice).

Yes. Persons can be identified from videos at least on the basis of images and possibly also on the basis of their voices.

The Data Protection Ombudsman’s definition of what constitutes personal data (https://tietosuoja.fi/en/what-is-personal-data).

You can add an introduction (i.e. a notification for your research subjects) to your survey in which you indicate the controller, the purpose and duration of the survey, and any other key issues that may have an impact on the willingness of your research subjects to participate in your survey. Next, you can add e.g., more detailed information about the processing of personal data (a privacy notice)and research notification through a link or separate file (SharePoint).

You can find consent forms to participate and guidelines from the ethical committee's website:

Appendix 7. Consent form for research subjects (the informed consent process 2/2) | University of Jyväskylä

No information (research notification or privacy notice) needs to be given if this is impossible or unreasonably difficult, or if this is likely to prevent the fulfilment of the research goal or make this significantly more difficult. In these situations, however, information needs to be made publicly available (on the internet).

These exceptional situations are interpreted to a limited extent, and any non-provision of information needs to be justified (documentation obligation).

Example

When is it unreasonable to provide information?

History researchers who aim to study a family history on the basis of last names have access to large volumes of data, consisting of personal data about 20,000 data subjects. However, this data was collected 50 years ago, and it has not been updated since. Furthermore, no contact details are included. Considering the size of the database and especially the age of the data, it would be unreasonable if the researchers needed to trace every data subject to provide them with information about the processing of personal data.

You will still need to fill out a privacy notice and you will need to publish it. 

Exceptions to information to be provided to the data subject according to article 14.5 gdpr

DPIA must be done when personal data is collected personal data from a source other than the individual without providing them with a privacy notice because of application of article 14 5 b GDPRin conjunction with at least one other following criteria:

• personal data is processed for evaluation or scoring of the data subject
• processing of personal data aims automated-decision making with legal or similar significant effect
• processing of personal data is used systematic monitoring of data subjects
• sensitive personal data or data of a highly personal nature is processed
• personal data is processed on a large scale
• processing of personal data includes matching or combining datasets
• processed personal data is concerning vulnerable data subjects
• personal data is processed in innovative use or applying new technological or organizational solutions
• processing of location data prevents data subjects from exercising a right or using a service or a contract

WP29 transparency guidelines.

The research lifespan consists of

· the time needed for the processing of personal data for the study, and

· for how long it is necessary to keep the personal data after the study, for example, to ensure the reliability of the research findings.

The estimated, sufficient length of the study is provided by the researcher to the data subjects in the privacy notice. Be aware that what you tell a data subject about data privacy is a commitment that sets limits on the processing of personal data in your study.

The research lifespan includes data collection and analysis, publishing the results, and storing the data. When the study is completed, you need to consider what needs to be done with the research data, specifically personal data (e.g., erasure, anonymising, archiving).

The research lifespan should be planned and stated as being long enough to allow sufficient time to keep the data for analysis and publishing. If the study involves processing personal data, the stated length must be within reasonable limits and in line with data protection legislation. However, longitudinal studies can last, in principle, for a person’s entire lifetime. Thus, when keeping the data, the arrangements may depend on what has been agreed with the research funder.

If personal information is collected by telephone, callers should be advised what that information will be used for and what their rights are according to the GDPR.

Personal/confidential information should preferably not be discussed in an open reception area. Wherever possible, customers/research participants should be escorted to a private interview room or office where it is appropriate to discuss the matte

Even if you would be collecting personal data from Internet or other publicly available source you will still need to follow the data protection legislation (data protection ombudsman).

The guidance document on Ethics in Social Science and Humanities published by the European Commission (pages 8 – 10).

You must follow the Table of processing confidential information.

Table at Uno