
Research Data: Confidential data and personal data

Tips and support for data management for researchers at ÅAU

Additional instructions for planning the management of confidential and personal data (National Open Science and Research Coordination, AVOTT, Finland). Research involving the handling of sensitive data needs to be well planned. Use this guide when planning how to handle confidential data and personal information. It must be applied together with the general instructions for data management plans. Confidential data and personal data are often called sensitive data.

What does personal data mean?

The concept of "personal data" is extensive, and was further expanded by GDPR (May 2018). It includes any information that can be connected to a living person. Some of the data is sensitive. Read more about data protection on the ÅAU intranet.

  • Names, e-mail addresses containing names, social security numbers, photos, voice and biometric identifiers (iris, fingerprints) are direct identifiers. A combination of indirect identifiers can also make a person recognizable.
  • Information on occupation and workplace may not identify a person directly, but can do so indirectly if several such data are combined. This also includes address, IP address, telephone number, gender and records of positions of trust, such as chairman. An exhaustive list cannot be created, because any information that can be connected to a natural person can act as personal data.
  • Sensitive information includes information on ethnic origin, political opinions, religious or philosophical belief, health, sexual life, genetic information and biometric information that unambiguously identifies a person.

 

Collecting personal information in research projects requires advance measures

Collecting, storing, using and transferring personal data are all considered processing of personal data. Such information shall not be

Tasks often require actions such as

  • Pseudonymisation or anonymisation
  • Encryption of the hard disk if you use a laptop (contact the help desk, for Mac, use e.g. FileVault).
  • Documentation/plan for responsible handling before the handling commences
  • Clear information on the management of the data and risks that the data subject (the person whose data is handled) may be subject to

Data protection notices

  • Use the template form for privacy notices (data protection notices) on the ÅAU intranet: Data protection templates. Using the template, you compile the information that you must give to your research subjects when you process their personal data (mandatory information according to GDPR). By using the template you also fulfill your part of the duty to register collections that contain personal data at ÅAU.

 

Other sensitive data

  • Data that are trade secrets (e.g. innovations that may be patentable)
  • Data covered by confidentiality agreements
  • Confidential information, such as defense force data or data with biosecurity aspects
  • Biodiversity information on sensitive species data, for example data on endangered animals and plants, nature conservation or biosecurity - Read more at Laji.fi
  • Data collected from social media requires thought - Read here on the Responsible Research website and the Finnish Social Science Data Archive's guide for using and archiving data from social media.

AI tools for research and transcription

AI tools for research can, with certain restrictions, be used to facilitate and speed up reading and writing, for example, without causing data protection problems. However, using AI in research raises questions about responsible research, data protection and data quality. Note the following:

  • The quality of AI transcriptions or AI translations must be carefully controlled. As a researcher, you are responsible for assessing the risk level of your research data. Think through and identify the data you process and choose research tools that provide the right level of security. When assessing the suitability of specific tools, you need to consider data protection as well as other laws and agreements, such as intellectual property rights and copyright issues.
  • Consider what you promise your research subjects and check that the use of AI tools does not contradict it.
  • Transcribing interviews always involves processing personal data because a person's voice is personal data. In addition, interviews often deal with sensitive information. What really matters from a data protection perspective is where and by whom the data processing is done. When you upload interview audio files to an app or cloud service, e.g. for AI transcription, you are actually commissioning a data processor. You are then responsible for checking that everything included in the service's terms of service complies with the GDPR. This includes, among other things, having a valid personal data processing agreement and not allowing the service to use your material for other purposes. The use of AI transcription tools also often means that personal data is transferred outside the EU via a cloud service. Although European service providers certify that they are committed to data protection and GDPR compliance, they often use sub-processors outside the EU. It is always the responsibility of the data owner to carry out a compliance check and sufficient risk assessment.

Safe use of AI Tools in a university environment

The flow chart presents a simplified decision-making process as to whether to use an AI tool in research. Source: Michel Rouleau-Dick, Lise Eriksson, Anna-Maria Nordman, Jan Wennström, Dionysia Kang, Matti Karinen, Kalypso Filippou, & Victor Popescu. (2023). Safe use of AI Tools in a university environment. Zenodo. https://doi.org/10.5281/zenodo.8250395 CC BY 4.0


Anonymisation and pseudonymisation

Pseudonymisation means that data is processed so that it can no longer be linked directly to a specific person, but the person can still be re-identified, e.g. using a code key.

Anonymisation means that personal data is deleted or processed so that information about an individual cannot be discerned and cannot be restored.
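The following is an added example, not part of the original guide: it pseudonymises a small table with a code key and then lists the rows that a combination of indirect identifiers still singles out, which is why pseudonymised data is not anonymous. The field names, the sample records and the threshold `k` are assumptions made for illustration.

```python
import secrets
from collections import Counter

DIRECT = ("name", "email")                        # direct identifiers (assumed field names)
INDIRECT = ("occupation", "workplace", "gender")  # indirect identifiers (assumed field names)

# Constructed sample records, not real data.
RECORDS = [
    {"name": "Anna Berg", "email": "anna.berg@example.org", "occupation": "nurse",
     "workplace": "Hospital A", "gender": "F", "answer": "yes"},
    {"name": "Eva Lind", "email": "eva.lind@example.org", "occupation": "nurse",
     "workplace": "Hospital A", "gender": "F", "answer": "no"},
    {"name": "Olle Ek", "email": "olle.ek@example.org", "occupation": "teacher",
     "workplace": "School C", "gender": "M", "answer": "yes"},
    {"name": "Jan Holm", "email": "jan.holm@example.org", "occupation": "teacher",
     "workplace": "School C", "gender": "M", "answer": "no"},
    {"name": "Per Ahl", "email": "per.ahl@example.org", "occupation": "chairman",
     "workplace": "Council B", "gender": "M", "answer": "yes"},
]

def pseudonymise(records, direct=DIRECT):
    """Replace direct identifiers with a random code. Returns (data, code_key)."""
    data, code_key = [], {}
    for rec in records:
        code = "P-" + secrets.token_hex(4)
        while code in code_key:                # regenerate on the rare collision
            code = "P-" + secrets.token_hex(4)
        code_key[code] = {f: rec[f] for f in direct}
        data.append({"code": code, **{k: v for k, v in rec.items() if k not in direct}})
    return data, code_key

def reidentify(row, code_key):
    """Only possible for someone who holds the code key."""
    return code_key[row["code"]]

def singled_out(data, indirect=INDIRECT, k=2):
    """Rows whose combination of indirect identifiers occurs in fewer than k rows."""
    combo = lambda row: tuple(row[f] for f in indirect)
    counts = Counter(combo(row) for row in data)
    return [row for row in data if counts[combo(row)] < k]

if __name__ == "__main__":
    data, code_key = pseudonymise(RECORDS)     # store code_key apart from data
    print(data[0], reidentify(data[0], code_key))
    print("still identifiable via indirect identifiers:", singled_out(data))
```

Deleting the code key alone does not anonymise the data: rows returned by `singled_out` need generalising or removing first.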

Free anonymization tools for research data: https://amnesia.openaire.eu/

Read more at:

The Office of the Data Protection Ombudsman: pseudonymised and anonymised data

FSD/Tietoarkisto's guide: https://www.fsd.uta.fi/aineistonhallinta/en/anonymisation-and-identifiers.html

Ethical evaluation

Some data collection endeavours require ethical assessment. At ÅAU, this is taken care of by the Board of Research Ethics. More information on the intra pages: Ethical assessment

More on research ethics by TENK, the Finnish National Board of Research Integrity:
https://www.tenk.fi/en