Data management planning and the beginning of research

Good scientific practice is at the core of science and guides responsible research data management already from the planning stage onwards. Diligence and precision in research work can be mentioned as general principles. In working practices this means, for example, the appropriate storage of research data with folder structures and protection levels, agreement on access rights and, where possible, the opening of data. Measures that follow good scientific practice thus minimise risks, promote the evaluation of research results and prevent fraudulent activities.

Ethical and legislative aspects are also among key approaches to good scientific practice. They always affect data management, i.e. how research data is collected and processed, what kind of rights are associated with the data, where the data can be stored, how and to whom the data can be shared. In particular, you have to be careful with personal data and related data protection, as the definition of personal data may not always be simple (see the below paragraph Personal data and sensitive personal data).  

If necessary, a research permit must be applied for or an ethical review must be carried out. At the University of Eastern Finland, the ethical review is performed by either the university's Committee on Research Ethics (non-medical research in human sciences) or the Regional Committee on Medical Research Ethics – the Hospital District of Northern Savo (medical and health science research). Fimea supervises clinical drug research. An ethical review is carried out before data collection.

In addition to an ethical review, research that meets certain criteria may also require a research permit. For example, medical research conducted at the Kuopio University Hospital (KYS) or research using genetically modified organisms (GMOs) requires separate permits.

The University of Eastern Finland is committed to complying with good scientific practice and the guidelines prepared by the Finnish National Board on Research Integrity (TENK) in its research activities. The primary responsibility for research ethics lies with the researcher.

More information, sources and links

General

The Finnish Code of Conduct for Research Integrity and Procedures for Handling Alleged Violations of Research Integrity in Finland. Guideline of the Finnish National Board on Research Integrity TENK. Publications of the Finnish National Board on Research Integrity TENK 4/2023. Helsinki: The Finnish National Board on Research Integrity (TENK), 2023

Research ethics (UEF). The website contains information on the principles of good scientific practice at the University of Eastern Finland and the activities of the UEF Committee on Research Ethics.

The Finnish National Board on Research Integrity TENK. TENK is an expert body of the Ministry of Education and Culture, which promotes good scientific practice, prevents research misconduct, and promotes discussion and communication on research ethics.

Responsible Research. The website combines the functions and communication of the Federation of Finnish Learned Societies and the research support bodies operating in connection thereto.  The website provides access to the websites of the Coordination of Open Science, the Publication Forum (JUFO), the Committee for Public Information (TJNK) and the Finnish National Board on Research Integrity TENK.

Ethics reviews, permits

The Board for Gene Technology (GTLK). The Board operates in connection with the Ministry of Social Affairs and Health, and the website provides more information on matters related to the Gene Technology Act and the Board's meeting times.

The ethical principles of research with human participants and ethical review in the human sciences in Finland. Finnish National Board on Research Integrity TENK guidelines 2019. Editorial board Iina Kohonen, Arja Kuula-Luumi and Sanna-Kaisa Spoof. Publications of the Finnish National Board on Research Integrity TENK 3/2019 (second, revised edition).

Supervision of clinical drug trials (Fimea). The website gives guidance in the applications for authorisation of clinical drug trials.

Guidelines for UEF Committee on Research Ethics. The guidelines for UEF Committee on Research Ethics inform when the research requires an ethics review and instruct on submitting a request for a statement at UEF.

Research Ethics Committees (UEF, Northern Savo Hospital District)

Research Ethics Committee. The site contains information on the duties and meeting schedule of the Research Ethics Committee of the Northern Savo Hospital District, Guidelines of the Research Ethics Committee for researchers and, for example, a link to a proposal describing the process for requesting a statement of the Research Ethics Committee.

Committee on Research Ethics of the University of Eastern Finland. UEF's Research ethics website contains information on the Committee on Research Ethics assessing the ethics of non-medical research projects with human participants (annual report, committee members, meeting schedules).

Links checked 2023-06-02.

Freedom of scientific research is safeguarded by the Constitution (section 16), the Charter of Fundamental Rights of the European Union (Article 13) and the Universities Act (section 6).  This means that when conducting scientific research, a researcher is free to choose their research subjects and research methods. 

However, the legislation also sets boundaries for research, which are visible especially with regard to research data. Various research fields and data have numerous statutes related to conducting research (statutes refer to acts, decrees, directives or mandatory regulations). The section below provides general information on the most important statutes and their impact on the management of research data, especially from the perspective of data protection. 

As a general observation it can be stated that data and information that is otherwise classified as secret or protected can be used as research data in scientific research. For example, secret documents of an authority may be provided for research use (Act on the Openness of Government Activities, sections 27 and 28, subsection 2). On the other hand, documents related to research are classified as confidential in themselves when they are part of the authorities' regular activities and the principle of openness defining these (Act on the Openness of Government Activities, section 24, paragraph 21). In this case, for example, the research plan must be kept secret when it is one of the documents concerning the university's operations.

More information, sources and links

Niemelä, Tarja 2021. Tutkimuksen vapaus – poimintoja tuomioistuinten ratkaisuista. (Freedom of research - extracts from court decisions.) Blog post at the Professor blog on 7 April 2021. < https://blogi.professoriliitto.fi/tarja-niemela/tutkimuksen-vapaus-poimintoja-tuomioistuinten-ratkaisuista/> (visited 2022-10).

Responsible Science | The website combines the functions and communication of the Federation of Finnish Learned Societies and the research support bodies operating in connection thereto.  The website provides access to the websites of the Coordination of Open Science, the Publication Forum (JUFO), the Committee for Public Information (TJNK) and the Finnish National Board on Research Integrity TENK. <https://www.vastuullinentiede.fi/en> (visited 2022-10).

Väliverronen, E. & Ekholm, K. (eds.) 2020. Tieteen vapaus & tutkijan sananvapaus. (Freedom of science & freedom of expression of a researcher).  Vastapaino, Tampere.

Data protection and data security

Data protection relates to the protection of personal data and is a fundamental right of the individual. Data protection indicates when and how personal data may be processed. The definition of personal data and the roles and measures related to their processing are discussed subsequently on this website, in section Personal data and processing of personal data.

Data security is one way to implement data protection. Data security measures protect data and data systems. Due to the importance of technical measures in the digital environment,   activities of the IT department of an organisation are emphasised in matters of data security..

GDPR (General Data Protection Regulation)

It is one of the fundamental rights of individuals to be protected when their personal data is being processed. In this context, the termT data protection describes when and how personal data may be processed. The key pieces of legislation are the national Data Protection Act and the EU General Data Protection Regulation (GDPR). In scientific research, the processing of personal data is permitted on the basis of performing a task in the public interest (Data Protection Act, section 4; General Data Protection Regulation, Article 6, paragraph 1 e). Additional information on the data protection legislation from the viewpoint of scientific research is given on the website Office of  the Data Protection Ombudsman.  

According to the GDPR, personal data includes all data that can be used to identify a person either directly or indirectly (see below Personal data and sensitive personal data). Such a person is also referred to as a data subject and a group of personal data as a register. GDPR does not apply to personal data originating from a deceased person. In the case of sensitive personal data, particular attention must be paid to the access rights and storage solutions of the data: who must have access to the data, what they can do with it and for how long the data must be available.

More information, sources and links

On data protection in general

Data protection and processing of personal data in UEF | UEF Heimo, internal network (requires UEF IDs).

Scientific research and data protection | Guidance and up-to-date information from the Office of the Data Protection Ombudsman on data protection for scientific research. <https://tietosuoja.fi/en/scientific-research-and-data-protection> (visited 2022-10).

Data Protection  | The data protection section of the website of the Office of the Data Protection Ombudsman. <https://tietosuoja.fi/en/data-protection> (visited 2022-10).

Data protection principles | Guidelines for organisations on the website of the Office of the Data Protection Ombudsman. <https://tietosuoja.fi/en/data-protection-principles> (visited 2022-09).

UEF Data protection and processing of personal data | UEF Guidelines, UEF Heimo, internal network (requires UEF IDs).

Legislation

EU General Data Protection Regulation (GDPR). Officially: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). <https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:02016R0679-20160504&from=FI> (visited 2022-10).

Legislation | Information on data protection legislation on the website of the Office of the Data Protection Ombudsman. <https://tietosuoja.fi/en/legislation> (visited 2022-10).

Data Protection Act (1050/2018) | Finlex <https://www.finlex.fi/fi/laki/kaannokset/2018/en20181050.pdf> (visited 2022-09).

Medical and health science research is regulated by a number of statutes, the most important of which is the Medical Research Act (488/1999), aka Research Act. In it, the scope of the Act is defined as medical research involving intervention in the integrity of a person, human embryo or human foetus for the purpose of increasing knowledge of health, the causes, symptoms, diagnosis, treatment and prevention of diseases or the nature of diseases in general, and which is not a clinical drug trial as defined in the Clinical Trials Regulation (Research Act, section 2, paragraph 1). In this type of research setting, the Research Act also applies to research in nursing and health sciences, sports sciences and nutritional sciences.

Trials on medicinal products are regulated by the new Act on Clinical Trials on Medicinal Products. As a result of the amended Act, trials on medicinal products are no longer defined as medical research.

Key laws to be followed in medical research include the Patient Act (785/1992), the Patient Insurance Act (948/2019), the Gene Technology Act (377/1995) and Decree (928/2004), the Act on the Medical Use of Human Organs and Tissues (the Human Tissue Act 101/2001) and the Biobank Act (688/2012). The Act on the Secondary Use of Social and Health Data (552/2019), or the Secondary Use Act, should be brought up separately, becauseas it came to force it has significantly changed the procedural solutions for the research use of register data.

The Secondary Use Act or the Act on the Secondary Use of Social and Health Data

The objective of the Act on the Secondary Use of Social and Health Data is to enable the efficient and secure processing of personal data stored for the purposes of social welfare and health care activities. Moreover, it aims to enable the steering, monitoring, research and statistics of the social and health care sector as well as their integration with the personal data of the Social Insurance Institution of Finland, the Digital and Population Data Services Agency, Statistics Finland and the Finnish Centre for Pensions. The disclosure and use of social and health data in research are defined by the Secondary Use Act.

Findata operates as a data permit authority under the Secondary Use Act. Findata invoices for the extraction, processing and preservation of data. When planning the research, particular attention should be paid to the time reserved for the processing of the permit process and the delivery of the data as well as the costs of the permit and data.

Findata services include:

• Permit service (grants data permits for individual-level data and makes decisions on requests for information, i.e. obtaining statistical-level data),
• Data service (compiles register data from controllers, pre-processes the data, converts and combines the permit holder's own data),
• A secure remote access environment (an environment suitable for the processing of individual-level data, including the most relevant software required for data analysis). This environment, called Kapseli, has a user fee based on the extent of the ordered package (see current pricing here). As a free alternative, CSC runs SD data services for similar purposes.

Findata is available by email at info@findata.fi and by telephone at +358 29 524 6500. You can also read more about the Secondary Use Act on the UEF Library website.

More information, sources and links

General

Medical Research Ethics |Website maintained by the Finnish Medical Association and the Finnish Dental Association summarises the ethical requirements for medical research. The website provides open access to the Finnish Medical Association's publication Medical Ethics (see below). <https://www.laakariliitto.fi/laakarin-etiikka/koulutus-ja-tutkimus/laaketieteellisen-tutkimuksen-etiikkaa/> (visited 2022-10).

Tukija | National Committee on Medical Research Ethics (Tukija). <https://www.tukija.fi/web/tukija-englanti/frontpage> (visited 2022-10).

Legislation

Act on Clinical Trials on Medicinal Products (983/2021) | Finlex <https://www.finlex.fi/fi/laki/kaannokset/2021/en20210983.pdf> (visited 2022-10).

The Medical Research Act (488/1999) i.e. the Research Act | Finlex <https://www.finlex.fi/fi/laki/kaannokset/1999/en19990488_20100794.pdf> (visited 2022-10).

Act on the Secondary Use of Social and Health Data (552/2019) i.e. the Secondary Use Act| Finlex <https://www.finlex.fi/fi/laki/alkup/2019/20190552> (visited 2022-10).

The Secondary Use Act | More information on the Secondary Use Act and its impacts on scientific research on the website of the UEF Library. <https://www.uef.fi/en/library/act-on-the-secondary-use-of-health-and-social-data> (visited 2022-10).

When planning and implementing research data management procedures, the classification of the information contained in the data is of paramount importance from the perspective of whether the information is public, limited in some way or even secret. Personal data has been discussed above, but the data may contain other types of information, which is defined as confidential or secret.

Information on the presence of species must be kept secret when the species is protected, endangered or sensitive to local disturbances. Similarly, access to information on a species may be restricted for reasons of biosafety, for example when a plant or animal disease threatens the health of other organisms (Act on the Openness of Government Activities, section 24, paragraph 14).

Information related to national defence, trade secrets and information that may cause financial damage to the trader are similarly subject to a secrecy obligation under the same act (Act on the Openness of Government Activities, section 24, paragraph 10, paragraph 20).

More information, sources and links

The Finnish Open Science and Research Initiative (ATT) data management instructions for sensitive materials working group, Tuuli project. Supplementary instructions for the management of data containing sensitive information in 2019. Additional instructions for planning the management of sensitive and confidential data 2019. Zenodo. <https://doi.org/10.5281/zenodo.3247282> (visited 2022-09).

Act on the Openness of Government Activities (621/1999) | Finlex <https://www.finlex.fi/en/laki/kaannokset/1999/en19990621_20150907.pdf> (visited 2022-10).

Processing sensitive species data at the Finnish Centre for Species | | Guidelines for publishing species data from the relevant legislation on the Laji.fi website. <https://laji.fi/about/709> (visited 2022-09).

Services for Sensitive Data | A list of sensitive data storage and transfer services produced by CSC on CSC's website and instructions for encryption of data. <https://research.csc.fi/sensitive-data> (visited  2022-09).

What is personal data and its processing?

When planning the research, it is important to determine whether personal data will be processed at any stage of the research. Processing means any measure related to personal data, such as the collection, storage, organisation, sharing or destruction of personal data. Even if the study does not directly target humans, but instead the distribution of a species with the meansof data collected through interviews, then the study processes personal data.

Personal data are either direct or indirect identifiers that can be used to identify a person. Direct identifiers include, but are not limited to, name, personal identity code, voice, image, e-mail address containing a real name, or fingerprint. Indirect identifiers, on the other hand, include the municipality of residence, age, profession, weight or gender, on the basis of which a person cannot be identified alone, but whose combination makes it possible to identify them. For example, an individual can be identified from a group that is in principle small and strictly limited (e.g. "18-year-old municipal councillors in municipality x"). It is therefore important to review the type of  human data collected in the study, because a detailed list of personal data cannot be drawn up.

Personal data related to criminal convictions and offences should be mentioned separately. As a rule, such personal data may only be processed under the supervision of an authority. However, the processing of such data is permitted under EU law or the national law of the Member State which provides for appropriate safeguards to protect the rights and freedoms of the person (Article 10 of the Data Protection Regulation). In the Data Protection Act (section 7, subsection 1, paragraph 2) the processing of personal data relating to criminal convictions and offences is allowed for scientific or historical research purposes or statistical purposes.

What is sensitive or special personal data?

If the study processes so-called sensitive, or under the GDPR terminology, special personal data, particular attention is required in the processing thereof. Sensitive data is sometimes also called delicate information.

Sensitive data includes the categories of personal data which indicate: 

• ethnic or racial origin,
• political opinions,
• religious or philosophical beliefs;
• trade union membership,
• genetic or biometric data (for identification purposes),
• health information or                        
• sexual orientation or behaviour.

Processing of sensitive personal data is permitted only in exceptional cases. Such exceptions include cases where the data subject, i.e. the person whose data are being processed, has given their consent to the processing of the data, the data subject has made the data public, the processing is necessary in the public interest on public health grounds, or the processing is necessary in the name of archiving in the public interest, scientific or historical research or statistical purposes (Article 9 of the Data Protection Regulation). The Data Protection Act also takes into account the possibility of processing sensitive data in scientific research (section 6, paragraph 7).

More information, sources and links

The Finnish Open Science and Research Initiative (ATT) data management instructions for sensitive materialsworking group, the Tuuli project. Supplementary instructions for the management of data containing sensitive information in 2019. Additional instructions for planning the management of sensitive and confidential data 2019. Zenodo. <https://doi.org/10.5281/zenodo.3247282> (visited 2022-09).

EU General Data Protection Regulation (the Data Protection Regulation or GDPR). Officially: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). <https://eur-lex.europa.eu/legal-content/FI/TXT/?qid=1528874672298&uri=CELEX%3A02016R0679-20160504> (visited 2022-10).

EU General Data Protection Regulation. "Processing of special categories of personal data" (Article 9) | Summarised Article 9 on the website of Privacy Regulation EU. <https://www.privacy-regulation.eu/en/index.htm> (visited 2022-09).

What is personal data? Aineistonhallinnan käsikirja. (Data Management Guidebook). Tampere: Finnish Social Science Data Archive (urn:nbn:fi:fsd:V-201504200001) <https://www.fsd.tuni.fi/en/services/data-management-guidelines/> (visited 2022-09).

Services for Sensitive Data | A list of sensitive data storage and transfer services produced by CSC on CSC's website and instructions for encryption of data. <https://research.csc.fi/sensitive-data> (visited 2022-09).

Data Protection Act (1050/2018) | Finlex <https://www.finlex.fi/fi/laki/kaannokset/2018/en20181050.pdf> (visited 2022-09).

UEF instructions for processing of personal data | UEF Heimo, internal network (requires UEF IDs).

A key aspect of personal data is that based on it, a person can be identified. However, personal data may be processed or collected in such a way that the person can no longer be identified. In this case, we talk about pseudonymised or anonymised data and, in the case of groups of people, about aggregated data.

Typical personal identifiers have been removed from pseudonymised data and the person is referred to by a pseudonym (code name, alias, false name). A pseudonym can consist of, for example, a randomly produced number sequence assigned to a person. With the help of a pseudonym, data can be collected from the same individual without their identity being recorded anywhere, but in principle the pseudonymised individual can still be identified. This is possible when the number sequence code key – which should be stored very carefully and securely – is available. In other words, as long as any researcher or other person has a key to restoring personal data, the data is considered personal data.

Anonymised data has been processed so that persons can no longer be identified from the data, i.e. it no longer contains direct identifiers or a combination of indirect identifiers that would enable the identification of the person. If pseudonymisation is carried out in such a way that re-identification of the person becomes impossible, the data can be considered anonymised.

Aggregation refers to a process or statistical method in which data is combined into broader categories or groups based on age, for example (so-called composite data). The processing no longer results in personal data, but in aggregated data describing a group of persons and not an individual identifiable person.

More information, sources and links

Amnesia Anonymization Tool | OpenAire EU's anonymisation tool, which can be downloaded online free of charge (in English) <https://amnesia.openaire.eu/> (visited 2022-09).

EU General Data Protection Regulation (the Data Protection Regulation or GDPR). Aggregated data (Article 89, paragraph 162) | on the Privacy Regulation EU website summarised paragraph 162 regarding aggregated data (in Finnish) <https://www.privacy-regulation.eu/en/index.htm> (visited 2022-10).

Key terms: Aggregated data | The Findata website contains the key terms. <https://findata.fi/en/key-terms/> (visited  2022-10).

Legislation | Information on data protection legislation on the website of the Office of the Data Protection Ombudsman. <https://tietosuoja.fi/en/legislation> (visited 2022-10).

Pseudonymised and anonymised data | Website of the Office of the Data Protection Ombudsman. <https://tietosuoja.fi/en/pseudonymised-and-anonymised-data> (visited 2022-10).

Data Protection Act (1050/2018) | Finlex <https://www.finlex.fi/fi/laki/kaannokset/2018/en20181050.pdf> (visited 2022-09).

Identification and anonymisation. Aineistonhallinnan käsikirja. (Data Management Guidebook). Tampere: Finnish Social Science Data Archive (urn:nbn:fi:fsd:V-201504200001). <https://www.fsd.tuni.fi/en/services/data-management-guidelines/> (visited 2022-09).

Data controller

A data set containing personal data is a register in accordance with the GDPR. The purposes and means of processing personal data in the register are defined by a data controller, which may be a person (such as a researcher) or an organisation (such as a university or hospital). There may be several data controllers, in which case they are referred to as joint controllers.

When determining the controller, it is essential to consider who has real control over the personal data being processed: what personal data are to be processed and how. The controller must be appointed as soon as the collection of personal data begins, i.e. the controller must already be known at the start of the study.

The controller must maintain a privacy statement on the processing of personal data. The controller's responsibilities also include informing the participant, i.e. the data subject. At the University of Eastern Finland, the recommendation is to provide information on the privacy statement as a separate document. The content of these and a few other key data protection documents is discussed below in a separate section. Templates can be found in the UEF's internal network on the Data Protection Officer's website.

Data processor

The data controller does notnecessarily process personal data. The data processor is a person or organisation who actually performs the processing of personal data in the register. An example of a processor of personal data may be Webropol Oy if the data is collected as a survey. Transcription or translation work carried out as an outsourced service also makes the service provider the processor of personal data.

It is the responsibility of the data processor to comply with the data controller's instructions. This commitment must be determined either by an agreement between the controller and the processor or by another similar legal document. The data processor must ensure that any person entitled to process personal data undertakes to comply with the obligation of professional secrecy.

The data processor is responsible for the encryption and pseudonymisation of personal data and the confidentiality of the processing systems. The processor must either delete or return all personal data (depending on the choice made by the controller) to the controller after the processing has ended. The data processor shall also provide the data controller with the necessary information to demonstrate that the personal data have been processed in accordance with the GDPR.

Both the data controller and the data processor are bound by the principles on the processing of personal data, such as lawfulness and transparency, data minimisation and accuracy, and confidentiality of the processing.

More information, sources and links

Processing of personal data in scientific research | UEF guidelines and templates for research data protection and impact assessment. UEF Heimo, internal network (requires UEF IDs).

Data processing instructions at the University of Eastern Finland | UEF Heimo, internal network (requires UEF IDs).

Consent granted by the data subject | Website of the Office of the Data Protection Ombudsman. <https://tietosuoja.fi/en/consent-of-the-data-subject> (visited 2022-09).

Data protection agreement for the processing of personal data | UEF instructions and contract template for an agreement for the processing of personal data, e.g. when the university acquires a data processing service. UEF Heimo, internal network (requires UEF IDs).

Privacy statement

A privacy statement describes the processing of personal data. The privacy statement of a research project is prepared whenever personal data is processed, even if direct personal identifiers are not processed. The privacy statement is in the possession of the researcher - it does not need to be made public.

For the purpose of the privacy statement, a data controller must be defined, and you can find additional instructions for doing this in the UEF templates. All parties involved in the study and their responsibilities are recorded in the report and the study is described briefly. The description of the study is related to the definition of the purpose of processing personal data. The report also describes what personal data is collected, where it is collected, how long the personal data is stored and where it may be archived after the study.

In the processing of personal data, it is important that access to them is controlled and planned. However, it may be necessary to disclose information outside the research group, for example, if the transcription of the interviews is outsourced. In such a case, the transcriber is defined as the data processor with whom a data protection agreement must be signed. The template document can be found on the UEF’s internal network (Data Protection Agreement).

The privacy statement must state if the data are transferred or disclosed at any stage of the research outside the EU or the European Economic Area and state the grounds for the transfer or disclosure. The Data Protection Regulation (GDPR) allows for such data transfer as long as the country concerned can guarantee an adequate level of data protection. The grounds for transferring personal data are described in Chapter V of the Data Protection Regulation.

The UEF template contains a reminder, that if the research data is stored on, for example, a computer hard drive or an external drive and the researcher is carrying the device outside the EU or EEA, it is likely to be a transfer of data outside the EU. On the other hand, if data is processed outside the EU through a cloud storage service, it may not necessarily constitute a transfer of data outside the EU.

Participant information - research announcement

The participants are informed of the processing of personal data by means of a separate bulletin, which must be available to the participants. Information is needed whenever personal data is processed.

The participant is provided with information on the following:

• Data controller (contact details)
• Contact details of the Data Protection Officer (if designated)
• The purpose of processing personal data
• Grounds for the processing of personal data (if based on a legitimate interest, indicate which interest is at stake)
• What personal data is processed
• Where personal data is transferred or disclosed (including whether it is transferred outside the EU or the EEA with justifications)
• The period of retention of personal data or at least the criteria for determining it;
• Rights of the participant
• If the processing is based on consent, information on the right to withdraw consent    
• Information on the right to lodge a complaint with the supervisory authority
• Whether the participant is obliged to provide the necessary personal data and justifications
• Where the personal data were obtained
• Whether automatic decision-making is used

The research announcement describes the name and purpose of the research and presents a request to participate in the research. It states, among other things, the voluntary nature of participation, describes the course of research and the communication of research results. For all of these, there are sample clauses in the templates available on the UEF's internal network  (Heimo website Processing of personal data in scientific research).

Participant consent

In scientific research, consent may be consent to participate in the research, in which case the processing of personal data may be based on something other than consent (e.g. public interest under section 4 of the Data Protection Act). Consent may also be requested from the participant for the processing of personal data, which should be used whenever specific or sensitive personal data are processed (Article 6, paragraph 1.a and Article 9, paragraph 2.a. of the Data Protection Regulation). Consent affects what kind of rights the participant, i.e. the data subject has.

Further information on consent can be found, for example, in the instructions of the Office of the Data Protection Ombudsman (Inform the data subject about the processing), in the UEF personnel training material (Processing of personal data in research activities and in connection with higher education studies, UEF Heimo, requires UEF IDs) and in the Data Management Guidebook (Informing on the processing of personal data) and in the Qualitative Methods Guidebook (Research permit, consent, information and data protection). Templates are available on the UEF Heimo website Processing of personal data in scientific research (requires UEF IDs).

More information, sources and links

European Commission rules on international data transfers |Official European Union website (in English) for further information on international transfers of personal data. <https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/rules-international-data-transfers_en> (visited 2022-09).

Processing of personal data in scientific research | UEF guidelines and template documents for the processing of personal data and the implementation of data protection. Templates for the privacy statement, research announcement, preliminary assessment of data protection, etc.). UEF Heimo, internal network (requires UEF IDs).

Processing of personal data in connection with research activities and higher education studies | UEF personnel training material (Helena Eronen, Data Protection Officer). UEF Heimo, internal network (requires UEF IDs).

Transfer of personal data outside the EU | Website of the Office of the Data Protection Ombudsman. <https://tietosuoja.fi/en/transfers-of-personal-data-out-of-the-eea> (visited 2022-09).

Informing research participants about the processing of their personal data. Aineistonhallinnan käsikirja. (Data Management Guidebook). Tampere: Finnish Social Science Data Archive (urn:nbn:fi:fsd:V-201504200001) <https://www.fsd.tuni.fi/en/services/data-management-guidelines/> (visited 2022-09).

Inform the data subjects about the processing | Instructions of the Office of the Data Protection Ombudsman for informing the participant. <https://tietosuoja.fi/en/inform-data-subjects-about-processing> (visited 2022-10).

Data protection guide for students | A website for UEF students and postgraduate students that provides instructions on the processing of personal data in connection with theses, for example. <https://kamu.uef.fi/en/tietopankki/students-rights-and-obligations/data-protection-guide-for-students/> (visited 2022-10).

Data protection agreement for the processing of personal data | UEF instructions and contract template for an agreement for the processing of personal data, e.g. when the university acquires a data processing service. UEF Heimo, internal network (requires UEF IDs).

Research permit, consent, information and data protection | Kallinen, Timo & Kinnunen, Taina. Ethnography. In work Jaana Vuori (ed.) Qualitative Methods Guidebook. Tampere: Finnish Social Science Data Archive. <https://www.fsd.tuni.fi/en/services/research-methods-web-resource/> (visited 2022-10).

The data protection impact assessment (DPIA) assesses the risks associated with the processing of personal data. This should be done whenever personal data is processed, but an impact assessment is mandatory when the intended processing of personal data may pose a high risk to people's rights and freedoms. An impact assessment is also needed when the data subject has not been informed, for example, due to a large number of participants in the study.

The data protection impact assessment must be carried out well in advance before the beginning of the research and the processing of personal data, as the collection of personal data is already considered to be processing. The impact assessment is a risk assessment and is based on the Data Protection Regulation (Article 35).

The risk assessment takes into account the perspective of the data subject (e.g. the research participants):

• what rights or freedoms the processing of personal data could endanger, and
• what harm could be caused to a person by the planned processing of personal data.

Damages may be physical, material or intangible (e.g., fraud, financial loss, loss of reputation, reversal of pseudonymisation).

If it is unclear whether an impact assessment is required when planning the study, it is advisable to carry out a preliminary evaluation of data protection. It can be used to determine whether the criteria for the actual impact assessment obligation are met. A ready-made template for this can be found on the Heimo website of the UEF Data Protection Officer (UEF internal network): Preliminary evaluation of data protection. If risks are identified, their severity and likelihood of realisation are assessed on a high-low scale.

Criteria for high-risk assessment include:

• Assessment or scoring of personal data (e.g. profiling, disease anticipation),
• Automatic decision-making with legal effects (e.g. rescission of contract, denial of citizenship),
• Systematic monitoring of data subjects,
• Processing of data belonging to special categories of personal data or otherwise very personal,
• Large-scale processing of data,
• Combining datasets (e.g. the same controller combines datasets created for different purposes),      
• Processing of personal data of those in a vulnerable position (e.g. child, patient, asylum seeker), or    
• Application or innovative use of new technology or organisational solution (e.g. fingerprint recognition in access control).

The UEF Data Protection Officer's Heimo website (UEF internal network) contains a ready-made document template for impact assessment: Data Protection Impact Assessment (DPIA).

More information, sources and links

Processing of personal data in scientific research | UEF guidelines and template documents for the processing of personal data and the implementation of data protection. Templates for the privacy statement, research announcement, preliminary assessment of data protection, etc.). UEF Heimo, internal network (requires UEF IDs).

When is a data protection impact assessment required?  Further guidance on the European Commission's website. <https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/when-data-protection-impact-assessment-dpia-required_en> (visited 2022-09) .

Impact Assessment | The website of the Office of the Data Protection Ombudsman <https://tietosuoja.fi/en/impact-assessment> (visited 2022-09).

The Office of the Data Protection Ombudsman has produced a guide Data protection path for scientific research to assist the data controller By following its 10 steps, the data controller can take into account all essential obligations related to data protection.

The links in the list below lead to more detailed instructions available on the website of the Office of the Data Protection Ombudsman.

1. Defining the research scheme and the purpose for processing personal data.
2. Minimisation of personal data in scientific research.
3. Planning the lifespan of personal data processing, ensuring the realisation of the data protection principles and the protection of data.
4. Choosing the processing basis for personal data and ensuring the lawfulness of the processing.
5. Realisation of the data protection rights of the data subject.
6. Recognition of the roles and responsibilities for processing personal data.
7. Confirmation of the basis for transfer, if data is transferred outside the EU or the EEA.
8. Demonstration of compliance with data protection legislation.
9. Destruction, anonymisation or archiving of data at the conclusion of research.
10. Maintenance of data protection expertise.

Source

Scientific Research and Data Protection: Data Protection Path for Scientific Research | Office of the Data Protection Ombudsman. <https://tietosuoja.fi/en/scientific-research-and-data-protection> (visited 2022-10)

The ownership of research material and data may be difficult to determine, especially if the research combines materials or data from different sources. Moving from one organisation to another may also cause confusion regarding ownership. A useful starting point for determining the ownership of research material and data is the funding type and authorship of the research. (Read more about copyright in the next paragraph Research material and data from the perspective of intellectual property rights). From the perspective of funding, research can be roughly divided into two types: Contract research and open research (also so-called free research or basic research). The aforementioned terms come from legislation (Act on the Right in Inventions made at Higher Education Institutions 369/2006, section 3). Within the framework of the Act, contract research is defined as either a paid service activity or research with an external source of funding. Open research refers to research carried out (a) without external funding or contracting partner, (b) with external funding but without publication provisions; (c) based on joint agreement defining the research as open.

Therefore, at the University of Eastern Finland, all paid service activities carried out by the University as well as research involving at least one party outside the University, either as an author or funder of a partial study (or other participant), are considered as contract research (see UEF transfer of rights in Heimo). For example, research funded by the Academy of Finland, Business Finland or Horizon Europe are contract research. In contract research, the researcher participates in a contract project in which, however, the party to the contract is the University of Eastern Finland instead of the researcher. Since the University of Eastern Finland, as a contracting party, is responsible for the contractual obligations to the party that funded the contract research, such as the Academy of Finland, a transfer of rights from the researcher to the UEF is required in contract research.  For this reason, a transfer of rights agreement is signed at the University of Eastern Finland for the output generated by the project (including research material and data, methods). However, it is important to note that in the transfer of rights, the researcher does not give up all ownership or access rights to research data, for example, but only to the extent required by the funding conditions, i.e. the transfer of rights is always case-specific. The transfer of rights is a standard part of all employment contracts made at the University of Eastern Finland, as even if the researcher does not work in a contract project at the time of signing the employment contract, the situation may change over time.

When the research material or data has been produced as part of open research, for example with a personal grant, as a rule, the researcher owns the research material or data. In this case, the researcher may, if they so wish, transfer the right to use the material to the university by means of a separate agreement (see, for example, the Copyright License Agreement in the following paragraph). Access rights to research material and data are essential especially if, for example, they are being distributed to a third party or archived for preservation.

More information, sources and links

Frequently Asked Questions - UEF transfer of rights – organisation-specific information about transfer of rights agreements on the Heimo intranet (in Finnish)

Act on the Right in Inventions made in Higher Education Institutions (369/2006) – the so-called Universities Inventions Act on the Finlex website https://www.finlex.fi/fi/laki/kaannokset/2006/en20060369.pdf (visited 2022-09)

Who owns the research data? – Mari Elisa Kuusniemi's article Vastuullinen tiede (Responsible science) on the website (in Finnish) https://vastuullinentiede.fi/fi/tutkimuksen-suunnittelu/kuka-omistaa-tutkimusdatan (visited 2022-09)

Intellectual property rights (IPR) traditionally protect intangible or abstract objects. Intellectual property rights can be divided into industrial property rights and copyrights. Industrial property rights protect patents and industrial designs, for example, while copyrights protect artistic and literary works. Research materials and data are usually mainly copyrighted. Copyright in Finland is governed by the Copyright Act (404/1961) and copyright can only be created for a natural person, such as a researcher. However, copyright may be transferred, for example, if a computer programme has been made when fulfilling an obligation arising from an employment relationship, the copyright is transferred to the employer (404/1961, section 40). If the work has been created by more than one person, copyright will be created jointly for these persons (404/1961, section 5). The creation of copyright requires sufficient originality of the work, i.e. the work must exceed the work threshold. Copyright applies to the result of the creative work, i.e. the expression of the work, and not, for example, to theory or knowledge. Under the Copyright Act (404/1961, section 49), tables, catalogues and databases also receive protection, in order to take into account the compilation work required to collect them. With regard to databases, it is good to find out who has participated in creating them, as databases often accumulate as the research continues for a longer time. In addition to copyright protection, databases can be protected by the Sui generis right (EU Directive 96/9/EC).

When planning the research, it is worth figuring out whether it is likely to result in objects subject to intellectual property rights (IPR), such as patents, databases, catalogues, etc. If an invention is created as the result of the research, the university's decision-making will also take into account the Act on the Right in Inventions made in Higher Education Institutions (369/2006). If an invention is created as the result of contract research, the University of Eastern Finland may assume the invention's industrial property right and protect the invention with a patent (369/2006, section 7). If the researcher has created an invention in an open research (e.g. with a personal grant), they will then own the industrial property right. In this case, the researcher may transfer the rights to the invention to the university. Under the Act (369/2006, section 6), higher education institutions also have the opportunity to assume the rights to an invention if the researcher does not publish or utilise the invention within a certain period of time. When determining intellectual property rights related to inventions, it is worth consulting UEF's Entrepreneurship and Innovation Services.

At the University of Eastern Finland, the copyright of research material (or teaching material) that exceeds the threshold of work is considered to belong to the researchers themselves. Copyright Agreements can be used to agree on the use of such material. If necessary, the university may be granted an exclusive right to the research material or the right to use it. The Copyright Agreements page of the UEF Contract Law Unit contains the following contract templates: "Copyright Transfer Agreement" and "Copyright License Agreement".

More information, sources and links

Intellectual property rights  - more information on the creation of intellectual property rights on the innovation activities' Heimo website on the intranet (in Finnish)

Protection of intellectual property rights at the university – more information on measures and support for the commercialisation of intellectual property rights on the innovation activities' Heimo website on the intranet (in Finnish)

Contracts related to projects – more information on research agreements on the Heimo website on the intranet (in Finnish)

Copyright agreements – organisation-specific contract templates and more information on copyrights on the Heimo website on the intranet (in Finnish)

Research basics – article by Marjut Salokantele on the ownership and copyright of research data in Edilex from 2012.  https://helda.helsinki.fi/bitstream/handle/10138/39575/Salokannel_Tutkimuksen_perusteet.pdf?sequence=2&isAllowed=y (visited 2022-09)

Legal protection of databases, sui generis summary of the EU Directive 96/9 on the legal protection of databases on the EUR-Lex website https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=LEGISSUM:l26028 (visited 2022-09)

A license is directly related to intellectual property rights. The licence means the right granted by the copyright (or other intellectual property) holder to use a protected work, such as research data. A licence allows the original author of the work to determine the further use of their research data, for example by enabling full further use and editing rights under certain conditions. Research funders may have their own recommendations or requirements for licensing research material or data. Academy of Finland’s funding terms for 2022-2023 do not specify a specific licence for the research data, but the Academy of Finland as a rule requires a Creative Commons Attribution (CC BY) 4.0 licence for a research article. In theory, only the owner of the research material or data can license it, but in practice it is more complicated. For example, in contract research, the researcher concludes a transfer of rights agreement, which makes the university the owner (or co-owner) of the material, but from a technical point of view, the university does not have anyone to license the material for them and thus it ultimately remains the responsibility of the researcher. Specific licenses have been developed for codes and software, such as the GNU-GLP and MIT licenses.  Read more detailed information and instructions on licences on the sub-page Data management at the end of the research.

More information, sources and links

Frequently asked questions about CC licenses – more information on the Creative Commons website (in Finnish) https://creativecommons.fi/faq/ (visited 2022-09)

Choose a license – help in choosing your licence (in English)

Licence term definition in the Helsinki Term Bank for the Arts and Sciences (in Finnish)