Gå till huvudinnehållet

Research Data: Sensitive data, personal data, GDPR

Tips and support for data management for researchers at ÅAU

Data protection and research

The concept of "personal data" is extensive, and was further expanded by GDPR (May 2018). It includes any information that can be connected to a living person. Some of the data is sensitive. Read more about data protection on the ÅAU intranet

  • Name e-mails with names, social security numbers, photos, voice or biometric identifications (iris, fingerprints) are direct identifications. A combination of indirect identifications can also make a person recognizable.
  • Information on occupation and workplace may not identify a person directly but indirectly, if several such data are combined. This also includes address, IP address, telephone number, gender and records of positions of trust, such as chairman. An exhaustive directory cannot be created because all information that can be connected to a natural person can act as a personal data.
  • Sensitive information includes information on ethnic origin, political opinions, health, religious or philosophical belief, health, sexual life, genetic information, biometrically unambigious identifying information.

 

Collecting personal information in research projects requires planning ahead

Collecting, storing, using, transferring and transferring personal data is considered as processing of personal data. Such information shall not be

Tasks often require actions such as

  • Pseudonymisation or anonymisation
  • ​Documentation/plan for responsible handling before the handling commences
  • Clear information on the management of the data and risks that the data subject (the person whose data is handled) may be subject to

Data protection notices

  • Use the template form for privacy notices (data protection notices) on the ÅAU intranet: Data protection templates. Using the template, you compile the information that you must give to your research subjects when you process their personal data (mandatory information according to GDPR). Additionally, using the template, at the same time, you will fulfill your part of the duty to register collections that contain personal data at ÅAU. 

 

Other sensitive data

Confidential information such as data of the Armed Forces or those with biosecurity aspects

Biodiversity information on e.g. endangered species - Read more at Laji.fi

Data collected from social media sites - Read more here at Responsible Research

AI tools for research and transcription

Keeping in mind some restraining factors, AI tools for research can be used, for example, to facilitate reading and writing without causing data protection problems. AI tools for transcription might be tempting for researchers to save time. However, using AI in research is both a matter of responsible research, data protection and data quality. The quality of AI transcriptions or AI translations need to be carefully checked. As researcher, you are responsible for assessing the risk level of your research data. Think through and identify the data you are processing and accordingly, choose research tools providing the right level of security. You must also consider what you promise to your research subjects. Transcribing interviews always involves processing of personal data because a person’s voice is personal data. Additionally, interviews often concern sensitive data. What really matters from a data protection perspective is where the data processing takes place and which parties are involved. When you upload interview audio files to an app or cloud service for AI transcription, or another purpose, you are actually commissioning a data processor. You are then responsible for checking that everything included in the service's terms of service complies with the GDPR. It involves, among other things, to have a valid personal data processing agreement and not to allow the service to use your material for purposes other than your scientific research purpose. AI transcription tools also often involve personal data being transferred outside the EU through a cloud service. Although European service providers certify that they are committed to data protection and GDPR compliance, they often use sub-processors outside the EU. It is always the data owner’s responsibility to do a compliance check and sufficient risk assessment. When assessing the suitability of specific tools, you as a researcher need to consider data protection as well as other laws and agreements, for example, intellectual property and copyright issues. 

Safe use of AI Tools in a university environment

The flow chart presents a simplified decision-making process as to whether to use an AI tool in research. Source: Michel Rouleau-Dick, Lise Eriksson, Anna-Maria Nordman, Jan Wennström, Dionysia Kang, Matti Karinen, Kalypso Filippou, & Victor Popescu. (2023). Safe use of AI Tools in a university environment. Zenodo. https://doi.org/10.5281/zenodo.8250395 CC BY 4.0

The flow chart presents a simplified decision-making process as to whether to use an AI tool in research.

Anonymisation and pseudonymisation

Pseudonymisation means that data is processed so that it can no longer be linked to a certain person so that they can be re-identified eg. using a code key.

Anonymisation means that personal data is deleted or processed so that information about an individual cannot be discerned and cannot be restored.

Free anonymization tools for research data: https://amnesia.openaire.eu/

Read more at:

The Office of the Data Protection Ombudsman: pseudonymised and anonymised data

FSD/Tietoarkistos guide: https://www.fsd.uta.fi/aineistonhallinta/en/anonymisation-and-identifiers.html

Ethical evaluation

Some data collection endeavours require ethical assessment. At ÅAU, this is taken care of by the Board of Research Ethics. More information on the intra pages: Ethical assessment

More on research ethics by TENK, the Finnish National Board of Research Integrity:
https://www.tenk.fi/en