Data protection in research

As a researcher or student of the University of Lapland, you may process personal data during your research or studies. These guidelines will introduce you to the principles and further readings on data protection issues in scientific research.

The general data protection policy of the University of Lapland can be found at www.ulapland.fi/dataprotection

Does your research involve processing of personal data?

Any data than can be used to identify a person directly (an email address, IP-address, picture or voice recording) or indirectly (e.g. a pet’s veterinary record) are personal data. As a general rule, you are always dealing with personal data when you process any data connected with living persons.

In practice, you cannot avoid processing of personal data if you collect and work on data dealing with interviews, surveys, the recording of picture or sound, social media, and so forth. Personal data may also be involved when you collect information through an anonymous survey and the respondents provide information that may lead to indirect recognition by others. Notice that also the pseudonymization or anonymization of data is by definition processing of personal data. 

Additionally, it is worth noting that when personal data is processed, a person can almost without exception be identified through combining different direct and indirect personal data. The more data are available, the easier it is to identify a person.

Personal data that enables direct identification are, for example:

  • name
  • social security number
  • e-mail address that includes the person’s name
  • different biometric identifiers, such as the voice of an interviewee.

Personal data that enables indirect identification are, for example:

  • sex
  • education
  • age
  • nationality.

What are personal data?
Read more about scientific research and data protection >


Sensitive personal data

Sensitive personal data (racial or ethnic origin, political opinions, religion, health data, sexual orientation, etc.) merit specific protection and can only be processed in particular circumstances. The processing of such sensitive data should only be done by a professional with a legal confidentiality obligation. It is advisable to avoid the processing of sensitive data whenever possible. However, if your research requires the processing of special categories of personal data, you must proceed with extreme caution.

Processing sensitive personal data as part of studies leading to a degree is, as a rule, prohibited; it is permitted only in exceptional cases. In these exceptional cases, the processing of sensitive personal data must be agreed on with the faculty or unit in charge, and the instructions provided by the faculty or unit as well as the Data Protection Officer and the Security Manager must be followed. An example of such a special exception is, for example, research that strictly requires the processing of sensitive personal data.

If your research involves significant risks concerning the participants, you may need to carry out an impact assessment.

 Read more about sensitive personal data > 
Read more about risk assessment > 


Describe the data processing procedures in the research plan

Plan the procedures for personal data processing already in your research plan before you start to collect any data. Define the kinds of personal data you will process, how you process them, and for what purpose you process them. Remember the minimization principle and avoid the collection of any unnecessary personal data. Also, define who controls the data.

As a student, before you collect or handle personal data, you must discuss processing personal data as part of your data management and research plan with your thesis supervisor or teacher in charge of the course.

Plan the procedures for data storage: where, how, and how long you intend to keep the records of personal data and how you will take care of data destruction or archiving. Cloud services are not the right place to store personal data. Documents containing personal data must not be thrown in a paper recycling bin. The university has locked paper bins for documents that need to be destroyed according to the principles of data protection.

Who is the data controller in my research?

The data controller is the person or organisation that decides the purposes (why) and means (how) of processing personal data. If you are conducting research independently, you act as the controller together with your higher education institution (University of Lapland or Lapland University of Applied Sciences).. Accordingly, you are the principal person taking care of the data protection obligations and responsibilities. You are required to demonstrate that your processing activities are lawful and transparent by informing the participants of their rights and the data protection procedures, and by ensuring that the data are used only for the predetermined purposes.

If your research is part of a university project and you are employed by the university, the data controller is the university. If your research is an assignment from another organisation, it may be the data controller of the research, provided that the organisation defines the purposes and means of the data processing.

Informing the research participants about personal data processing

The participants in your research have the right to know how their personal data will be processed, what their rights are, and how they can exercise the rights.

As the primary investigator, you are required to appropriately inform the research participants about their rights and the limitations of these rights as early as possible. There are no rules as to the format, but it is often most convenient to use the templates provided.

It is the responsibility of each member of the Lapland University Consortium to report on all shortcomings, misuses or suspected offenses regarding data protection to the director of their unit, the Data Protection Officer and the Security Manager. 

Read more about the rights of data subjects >
Download the Privacy Notice (for research)

The basis for processing personal data in scientific research 

You are allowed to process personal data only when you have a lawful basis for it. Moreover, you are required to inform the research participants about the basis for processing their personal data. The basis cannot be unilaterally changed later. The processing of personal data for scientific, historical, or statistical purposes may be based on the controller’s performance of a task in the public interest, provided that the processing is necessary and proportionate to the aim pursued.

Scientific research must fulfil the following criteria: it must be based on an appropriate research plan with specified scientific objectives, the researcher must be scientifically competent, and the research must be autonomous and public.

Typically, the master’s thesis is completed in order to learn researcher skills, and the basis for the processing of personal data is formed by the thesis and the consent of the research participant. If the thesis is part of a larger project of the university, the basis may be formed by engagement in scientific research in the public interest.

In research that does not lead to a degree, the director in charge of the research clarifies the responsibilities and duties of each employee (person in charge, contact person or processor) regarding the processing of personal data as part of research data.

Remember that personal data must only be processed for lawful purposes and only to the extent and for as long as necessary regarding the purpose of the processing.

Read more about choosing the processing basis > 


Tips
  • It is advisable that students avoid collecting personal data always when it is not considered a necessary element by the supervisor. Personal data can be processed only with specific purposes and on an appropriate basis.
  • As part of their studies, students must familiarise themselves with the guidelines on processing personal data, and it is recommended that they complete the data protection training provided by their higher education institution before processing personal data.
  • If you are conducting a survey, use the electronic tools offered by the university.
  • Whenever possible, offer the option of anonymity.
  • Minimise the amount of personal data and avoid collecting unnecessary information. Instead of directly contacting the research participants, it is advisable to distribute the link to the survey e.g. through the target organisation’s own communication channels.
  • Anonymise the data always when it is a reasonable option.
  • Please note that you cannot discuss confidential information with outsiders. Your supervisor is not an outsider in your research and must be named in the privacy notice.
  • Make sure that no individual persons can be identified in the publications without specific consent.
Further information

Jari Rantala, University Data Protection Officer
tietosuoja (at) ulapland.fi

Last updated: 30.5.2025