Skip to Main Content
It looks like you're using Internet Explorer 11 or older. This website works best with modern browsers such as the latest versions of Chrome, Firefox, Safari, and Edge. If you continue with this browser, you may see unexpected results.

Research Data: Sensitive data, personal data, GDPR

Tips and support for data management for researchers at ÅAU

Data protection and research

The concept of "personal data" is extensive, and was further expanded by GDPR (May 2018). It includes any information that can be connected to a living person. Some of the data is sensitive.

  • Name e-mails with names, social security numbers, photos, voice or biometric identifications (iris, fingerprints) are direct identifications. A combination of indirect identifications can also make a person recognizable.
  • Information on occupation and workplace may not identify a person directly but indirectly, if several such data are combined. This also includes address, IP address, telephone number, gender and records of positions of trust, such as chairman. An exhaustive directory cannot be created because all information that can be connected to a natural person can act as a personal data.
  • Sensitive information includes information on ethnic origin, political opinions, health, religious or philosophical belief, health, sexual life, genetic information, biometrically unambigious identifying information.

Collecting personal information in research projects requires planning ahead

Collecting, storing, using, transferring and transferring personal data is considered as processing of personal data. Such information shall not be

Tasks often require actions such as

  • Pseudonymisation or anonymisation
  • ​Documentation/plan for responsible handling before the handling commences
  • Clear information on the management of the data and risks that the data subject (the person whose data is handled) may be subject to

The documentation can be done using ÅA's diagnostic forms / forms:

Other sensitive data

Confidential information such as data of the Armed Forces or those with biosecurity aspects

Biodiversity information on e.g. endangered species -

Data collected from social media sites - Read more here at Responsible Research


> The Data Ombudsman in Finland guide for research (2020)

Anonymisation and pseudonymisation

Pseudonymisation means that data is processed so that it can no longer be linked to a certain person so that they can be re-identified eg. using a code key.

Anonymisation means that personal data is deleted or processed so that information about an individual cannot be discerned and cannot be restored.

Free anonymization tools for research data:

Read more at:

Data protection ombudsman:

FSD/Tietoarkistos guide:




Ethical evaluation

Some data collection endeavours require ethical assessment. At ÅAU, this is taken care of by the Board of Research Ethics. More information on the intra pages: Ethical assessment

More on research ethics by TENK, the Finnish National Board of Research Integrity: