23.08.2018

The new General Data Protection Regulation (GDPR) became enforceable on 25 May 2018 – what is its influence on research involving personal data?

The GDPR became enforceable on 25 May 2018. As the GDPR is a regulation, it is directly binding and applicable. The national data protection law (Tietosuojalaki), which will supplement the GDPR, is not yet in effect. Researchers collecting and using personal data must comply with the applicable legislation, ethical review requirements and the university's guidelines.

The important change is that the controller is responsible for, and must be able to demonstrate, compliance with the GDPR ("accountability"). A researcher has a significant role in demonstrating accountability, and therefore the documentation of the research is really important.

  • We have gone through over three hundred descriptions of "research data files" (tieteellisen tutkimuksen rekisteriseloste), which the Personal Data Act required. The results are not good: it seems that the concept of personal data has been misunderstood or interpreted too narrowly.

It is really important to understand what personal data is: it is data about living people from which they can be identified, directly or indirectly.

  • For example, indirect identifiers are pieces of information that on their own are not enough to identify someone but, when linked with other available information, could be used to deduce a person's identity; if so, they are personal data. Background variables and indirect identifiers include, for instance, age, gender, education, income, marital status, mother tongue, ethnic background, place of work or study and regional variables.

NB! Pseudonymised data (direct identifiers removed from the dataset and stored separately) is still personal data as long as the dataset and the separated identifiers are held by the same organisation: the identities can be restored by joining the two.

What issues should a researcher consider in the research plan?

The law requires that data processing be lawful, fair and transparent. Personal data protection has to be understood as a way to protect research participants.

Before you start collecting and processing personal data, you must define the purpose of the processing, ensure its lawfulness and inform the data subjects (research participants). These need to be documented in your plans.

Data subjects should be informed in a concise, transparent, intelligible and easily accessible form, using clear and plain language. You can use the university's Privacy Notice Template (and consent form).

Researchers need to identify the appropriate legal basis for their project's data processing in order to meet the lawfulness requirement. You can still use "consent" or "explicit consent" as a legal basis. However, consent, as defined by the GDPR, is not the only lawful basis for processing personal data for research purposes.

Where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, you will need to carry out a data protection impact assessment (DPIA) before the processing starts. The French supervisory authority (CNIL) has published a well-functioning DPIA tool.

  • Ethical reviews of high-risk research projects will probably increase. This should also be recognised when resourcing the work of the Ethics Committee, which is going to be even more time-consuming and challenging.

Safeguards apply widely to research, for example processing only the personal data that is necessary (data minimisation) and anonymising or pseudonymising where possible. Everyone working with identifiable information should understand the importance of confidentiality and should hold the data securely, with an appropriate level of protection.

What if you wish to archive the data? For example, the Finnish Social Science Data Archive (FSD) is a certified research data repository serving researchers who wish to archive data (http://www.fsd.uta.fi/aineistonhallinta/en/). Anonymised data is no longer personal data. Anonymisation means processing personal data so that identification is irreversibly prevented. In doing so, data controllers should take several elements into account, having regard to all the means "reasonably likely" to be used for identification. Anonymisation of personal research data is the way to comply with both data protection legislation and the requirements of open data: to publish open data, data containing personal data has to be anonymised.
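The difference between pseudonymised data (still personal data, see the note on separated identifiers above) and anonymised data, and the way indirect identifiers alone can single a person out, is easier to see on a concrete dataset. The following Python script is an added example written for this page; it is not code from the university, the FSD or the GDPR guidance. The participants, the key, the choice of generalisation and the value of k are all constructed assumptions.

```python
"""Pseudonymisation versus anonymisation of a small research dataset.

Added example (not part of the original post). The data below is constructed:
the participants are fictitious and the key is a placeholder.
"""
import hashlib
import hmac
from collections import Counter

# Constructed sample data: fictitious participants, not real people.
PARTICIPANTS = [
    {"name": "Anna Virtanen",  "email": "anna@example.org",  "age": 34, "gender": "F", "municipality": "Jyväskylä", "education": "MSc"},
    {"name": "Matti Korhonen", "email": "matti@example.org", "age": 36, "gender": "M", "municipality": "Jyväskylä", "education": "BSc"},
    {"name": "Liisa Nieminen", "email": "liisa@example.org", "age": 31, "gender": "F", "municipality": "Jyväskylä", "education": "MSc"},
    {"name": "Pekka Mäkinen",  "email": "pekka@example.org", "age": 58, "gender": "M", "municipality": "Tampere",   "education": "PhD"},
    {"name": "Sari Lehtonen",  "email": "sari@example.org",  "age": 52, "gender": "F", "municipality": "Tampere",   "education": "MSc"},
    {"name": "Juha Heikkilä",  "email": "juha@example.org",  "age": 55, "gender": "M", "municipality": "Tampere",   "education": "MSc"},
]
DIRECT = ("name", "email")                                 # direct identifiers
INDIRECT = ("age", "gender", "municipality", "education")  # background variables / indirect identifiers


def pseudonymise(records, key: bytes):
    """Replace direct identifiers with a keyed token (HMAC-SHA256 of the e-mail).

    Returns the pseudonymised records and the key table mapping tokens back to
    the direct identifiers. While the same organisation holds both, the
    pseudonymised records are still personal data.
    """
    pseudo, key_table = [], {}
    for r in records:
        token = hmac.new(key, r["email"].lower().encode(), hashlib.sha256).hexdigest()[:16]
        key_table[token] = {k: r[k] for k in DIRECT}
        pseudo.append({"id": token, **{k: r[k] for k in INDIRECT}})
    return pseudo, key_table


def reidentify(pseudo, key_table):
    """What the holder of the key table can do: join the pseudonyms back to names."""
    return [{**key_table[r["id"]], **r} for r in pseudo]


def k_anonymity(records, quasi=INDIRECT):
    """Size of the smallest group of records sharing the same indirect-identifier values.

    k == 1 means at least one participant is unique on the background variables
    and could be singled out by linking the dataset with another source.
    """
    groups = Counter(tuple(r[q] for q in quasi) for r in records)
    return min(groups.values())


def generalise(record):
    """Coarsen background variables: 10-year age band, keep gender and municipality, drop education."""
    low = record["age"] // 10 * 10
    return {"age": f"{low}-{low + 9}", "gender": record["gender"], "municipality": record["municipality"]}


def anonymise(records, k=2):
    """Drop the pseudonym and any direct identifier, generalise the rest, then
    suppress records whose group is still smaller than k.

    No key table is kept and the generalisation is lossy, so the controller
    cannot reverse this step either (assumed sufficient for this toy dataset;
    a real assessment must consider all means reasonably likely to be used).
    """
    quasi = ("age", "gender", "municipality")
    coarse = [generalise(r) for r in records]
    groups = Counter(tuple(r[q] for q in quasi) for r in coarse)
    return [r for r in coarse if groups[tuple(r[q] for q in quasi)] >= k]


if __name__ == "__main__":
    key = b"constructed-example-key"  # in practice stored apart from the data, with separate access
    pseudo, table = pseudonymise(PARTICIPANTS, key)
    print("pseudonymised record:", pseudo[0])
    print("re-identified by key-table holder:", reidentify(pseudo, table)[0]["name"])
    print("k-anonymity of raw background variables:", k_anonymity(pseudo))  # 1: every combination is unique
    anon = anonymise(pseudo)
    print("records kept after generalisation and suppression:", len(anon))  # 4
    print("k-anonymity of anonymised set:", k_anonymity(anon, ("age", "gender", "municipality")))  # 2
```

Two points the run makes visible: stripping names and e-mails alone leaves every participant unique on age, gender, municipality and education (k = 1), so the "pseudonymised" file is exactly as identifiable by linkage as the original; and reaching even k = 2 on this tiny set costs both precision (age bands, no education) and two whole records. That loss is the price of irreversibility, and it is why anonymisation should be planned, not bolted on at archiving time.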

NB! All the same rules also apply if personal data is processed by students (as the data controller) in their master's or bachelor's thesis.

What about the data in social media? 

Social media refers to a variety of online applications. Many providers have their own terms of use and may change them (Facebook, Google, Instagram, LinkedIn, Twitter etc.). You will need to read the terms of use of the social media service, take care that you do not infringe anyone's copyright (Copyright Act) and make sure that you have a legal basis for processing the personal data.

The GDPR regulates the processing of personal data, including social media data (even usernames can be personal data), so you need a legal basis for processing that data. For example, if consent is the legal basis, the individuals must give their consent, and in any case they need to be informed (privacy notice). Mostly the same rules apply as described above for the processing of personal data.

More information:
Data Protection Officer, Riikka Valkonen, riikka.h.valkonen@jyu.fi, tietosuoja@jyu.fi, tel. 040 805 3297.

The university guidelines (including templates) and current information on data protection for employees: https://uno.jyu.fi/fi/ohjeet/turvallisuus-tietoturva-ja-tietosuoja (in Finnish) and https://uno.jyu.fi/en/help-centre/working-at-jyu/data_privacy (in English; more translations will be added later). Guidelines will be updated and added when relevant information is available.