On this page, we have compiled instructions and information on data management practices related to the beginning of research, especially in relation to legislation and ethical issues. The following items are presented on the website:
- research ethics and legislation (incl. GDPR)
- data protection and sensitivity of research data, including personal data
- copyright, ownership and access rights to research data.
Research ethics and legislation in data management
Good scientific practice is at the core of science and guides responsible research data management from the planning stage onwards. Ethical and legislative aspects are among key approaches to good scientific practice. They always affect data management, i.e. how research data is collected and processed, what kind of rights are associated with the data, where the data can be stored, and how and to whom the data can be shared. If necessary, ethical review must be carried out before the research begins. An ethical review is applied for from the Ethics Committee.
- University of Eastern Finland, Committee on Research Ethics: non-medical research in human sciences.
- The Regional Committee on Medical Research Ethics – the Hospital District of Northern Savo: medical and health science research.
In addition to ethical review, research may also require a research permit. Research permit practices vary depending on the discipline and type of research. For example, conducting medical research always requires a research permit (KYS: organizational permit). In a clinical trial, permission is applied for from Fimea. Research using genetically modified organisms (GMOs) also requires its own permits (Genetic Technology Board). The University of Eastern Finland is committed to complying with good scientific practice and the guidelines prepared by the Finnish National Board on Research Integrity in its research activities. The primary responsibility for research ethics lies with the researcher.
Scientific research is regulated by numerous laws and regulations that set the limits and the freedom to conduct research. Freedom of scientific research is safeguarded by The Constitution (§ 16), the Charter of Fundamental Rights of the European Union (Article 13) and The Universities Act (§ 6). This means that when conducting scientific research, a researcher is free to choose their research subjects and research methods.
The Act on the Openness of Government Activities (§ 27 – 28) states that data and information that is otherwise classified as secret or protected can be used as research data in scientific research. For example, secret documents of an authority may be provided for research use. On the other hand, documents related to research are classified as confidential in themselves when they are part of the authorities' regular activities and the principle of public access that defines it (Act on the Openness of Government Activities, § 24.21). In this case, for example, the research plan must be kept secret when it is one of the documents concerning the university's operations.
The section below provides general information on the most important statutes and their impact on the management of research data, especially from the perspective of data protection.
Data protection is a fundamental right of the individual and its aim is to protect the privacy of personal data (read more about data protection legislation and the UEF Data Protection Policy). Personal data is any information that can be used to identify a person and that must be handled and collected without compromising a person's privacy. Information security is one way to implement data protection and its purpose is to secure personal data, health data, and other important information from outsiders through technical and possibly other measures, such as information security training, firewalls, and control software.
The key pieces of legislation affecting data protection are the national Data Protection Act and the EU General Data Protection Regulation (GDPR). According to this regulation, the processing of personal data is permitted on the basis of performing a task in the public interest (Data Protection Act, § 4; General Data Protection Regulation, Article 6.1 e). However, the General Data Protection Regulation does not apply to the personal data of deceased persons. Additional information on the data protection legislation from the viewpoint of scientific research is given on the website of the Office of the Data Protection Ombudsman.
Medical and health science research is regulated by several statutes.
The Medical Research Act (488/1999), the so-called Research Act, applies to medical research, including human movement sciences and nutritional sciences, involving intervention in the integrity of a person for the purpose of increasing knowledge of health and the causes, treatment and prevention of diseases.
The Act on Clinical Trials on Medicinal Products (983/2021) applies to medical products.
The Secondary Use Act (552/2019) or the Act on the Secondary Use of Social and Health Data. The objective of the Act is to ensure the secure secondary use of personal-level customer data generated in social welfare and health care service activities. Secondary use of data refers to its use for purposes, such as teaching and research, other than those for which it was originally stored. Findata operates as a data permit authority under the Secondary Use Act. Read more, the Secondary Use Act.
Confidential data (e.g. data on endangered species, trade secret
The information in research datasets can be public, limited in some way or even secret. In addition to personal data, information on the presence of endangered species, for example, can be classified as confidential or secret (Act on the Openness of Government Activities, § 24.14) when the species is protected, endangered or sensitive to local disturbances. Similarly, access to information on a species may be restricted for reasons of biosafety, for example when a plant or animal disease threatens the health of other organisms.
Confidential data also include information related to national defence, trade secrets and information that may cause financial damage to the trader (Act on the Openness of Government Activities, § 24.10 and 20).
Who owns the research material or data?
The ownership of research material and data may be difficult to determine, especially if the research combines materials or data from different sources. Moving from one organisation to another may also cause confusion regarding ownership. A useful starting point for determining the ownership of research material and data is the funding type and authorship of the research.
From the perspective of funding, research can be roughly divided into two types: open research (free research or basic research) and contract research (Act on the Right in Inventions made at Higher Education Institutions § 3).
Open research refers to research carried out
- without external funding or contracting partner
- with external funding but without publication provisions
- joint agreement defining the research as open.
Contract research is defined as either a
- paid service activity
- research with an external source of funding such as research funded by the Academy of Finland, Business Finland or Horizon Europe.
At the University of Eastern Finland, all paid service activities carried out by the University as well as research involving at least one party outside the University, either as an author, funder, or other participant, are considered as contract research (see UEF transfer of rights in UEF Intranet). The party to the contract is the University of Eastern Finland instead of the researcher. When a researcher enters into a rights transfer agreement with the UEF, the ownership of the resulting output is transferred to the university.
However, it is important to note that in the transfer of rights, the researcher does not give up all ownership or access rights to research data, for example, but only to the extent required by the funding conditions. In general, a rights transfer agreement applies to the output generated by the project, such as research data and data, as well as methods. The transfer of rights is always case-specific. The transfer of rights is a standard part of all employment contracts made at the University of Eastern Finland, as even if the researcher does not work in a contract project at the time of signing the employment contract, the situation may change over time.
When the research material or data has been produced as part of open research, for example with a personal grant, as a rule, the researcher owns the research material or data. In this case, the researcher may, if they so wish, transfer the right to use the material to the university by means of a separate agreement. Access rights to research material and data are essential especially if, for example, they are being distributed to a third party or archived for preservation.
Intellectual property rights
Intellectual property rights (IPR) protect traditionally intangible or abstract objects.
Intellectual property rights can be divided into
- industrial property rights which protect patents and industrial designs
- copyrights, which protect artistic and literary works, both research materials and data.
Copyright in Finland is governed by the Copyright Act (404/1961) and copyright can only be created for a natural person, such as a researcher. However, copyright may be transferred to the employer, if a work has been made when fulfilling an obligation arising from an employment relationship (§ 40). If the work has been created by more than one person, copyright will be created jointly for these persons (§ 5).
The creation of copyright requires sufficient originality of the work, i.e. the work must exceed the work threshold. Copyright applies to the result of the creative work, i.e. the expression of the work, and not, for example, to theory or knowledge. Under the Copyright Act (§ 49), tables, catalogues and databases also receive protection, in order to take into account the compilation work required to collect them. With regard to databases, it is good to find out who has participated in creating them, as databases often accumulate as the research continues for a longer time. In addition to copyright protection, databases can be protected by the sui generis right (EU Directive 96/9/EC).
Research may result in objects subject to intellectual property rights (IPR), such as patents, databases, catalogues, etc. If an invention is created as the result of contract research, the organization may assume the invention's industrial property right and protect the invention with a patent (the Act on the Right in Inventions made in Higher Education Institutions (369/2006)). If an invention is created as a product of open research, e.g. with a personal grant, the researcher owns the industrial property right. In this case, the researcher may transfer the rights to the invention to the university. Higher education institutions also have the opportunity to assume the rights to an invention if the researcher does not publish or utilize the invention within a certain period of time. When determining intellectual property rights related to inventions, it is worth consulting UEF's Entrepreneurship and Innovation Services.
At the University of Eastern Finland, the copyright of research material (or teaching material) that exceeds the threshold of work is considered to belong to the researchers themselves. Copyright Agreements can be used to agree on the use of such material. If necessary, the university may be granted an exclusive right to the research material or the right to use it. The research material can also be licensed, which means the right granted by the copyright or other intellectual property holder to use a protected work, such as research data. Read more, The principles of the protection of the intellectual property rights at the UEF, Agreements related to projects.
Personal data and processing of personal data
The definition of personal data is much broader than just the name or the background information of the query. There are different levels of personal data: some are data that are sufficient on their own to identify a person (direct personal data), but any data relating to an identifiable person (indirect personal data) is considered personal data.
Direct identifiers include, but are not limited to, name, personal identity code, voice, image, e-mail address containing a real name, or fingerprint.
Indirect identifiers, on the other hand, are, for example, the municipality of residence, age, profession, weight, or gender: data that cannot identify a person on its own, but whose combination makes identification possible. For example, an individual can be identified from a group that is in principle small and strictly limited.
Special personal data (delicate information), which is also called sensitive data, includes the categories of personal data which indicate
- ethnic or racial origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic or biometric data (for identification purposes)
- health information
- sexual orientation or behaviour.
Personal data related to criminal convictions and offences should be mentioned separately.
Handling of personal data means any measure related to personal data, such as the collection, storage, organisation, sharing or destruction of personal data. Read more, UEF guidelines for the handling of personal data and datasets. Even if the study does not directly target humans but instead, for example, the distribution of a species by means of data collected through interviews, the study still processes personal data.
Processing of sensitive personal data is permitted only in exceptional cases
- the data subject, i.e. the person whose data are being processed, has given their consent to the processing of the data
- the data subject has made the data public
- the processing is necessary in the public interest on public health grounds
- the processing is necessary in the name of archiving in the public interest, scientific or historical research or statistical purposes (Article 9 of the Data Protection Regulation).
The Data Protection Act (1050/2018) (§ 6.7) also takes into account the possibility of processing sensitive data in scientific research.
As a rule, such personal data relating to criminal convictions and offences may only be processed under the supervision of an authority. However, the processing of such data is permitted under EU law or the national law of the Member State which provides for appropriate safeguards to protect the rights and freedoms of the person (Article 10 of the Data Protection Regulation). In the Data Protection Act (§ 7.1.2) the processing of personal data relating to criminal convictions and offences is allowed for scientific or historical research purposes or statistical purposes.
Pseudonymised, anonymised and aggregated data
Personal data may be processed or collected in such a way that the person can no longer be identified. In this case, we talk about pseudonymised or anonymised data and, in the case of groups of people, about aggregated data.
Pseudonymisation: Identifiers in the data, such as names or place of residence, are replaced by, for example, an alias or code. However, it is still possible to determine an individual’s identity. The code key can consist of a randomly produced number sequence, which is stored separately from the data in a secure location, for example in a locked cabinet.
Anonymisation: Data is processed so that persons can no longer be identified from the data, i.e. it no longer contains direct identifiers or a combination of indirect identifiers that would enable the identification of the person. If pseudonymisation is carried out in such a way that re-identification of the person becomes impossible, the data can be considered anonymised.
Aggregating: Editing data so that individuals or groups can no longer be identified from it. As a result of processing, information is combined into larger categories or groups, for example, based on age (so-called composite data), in which case it describes a group of persons rather than an individual person that can be identified.
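The three treatments above, sketched in Python as an added example (not UEF's own code or procedure). The field names, the hex-token form of the random code, the 10-year age bands and the group-size threshold `k` are all assumptions made for illustration.

```python
import secrets
from collections import defaultdict

DIRECT = ("name", "email")                             # direct identifiers (assumed field names)
INDIRECT = ("municipality", "age_band", "profession")  # indirect identifiers (assumed)

# Constructed sample survey rows; not real persons. Person A answered twice.
RECORDS = [
    {"name": "Person A", "email": "a@example.org", "municipality": "Kuopio", "age": 34, "profession": "nurse", "answer": 4},
    {"name": "Person B", "email": "b@example.org", "municipality": "Kuopio", "age": 31, "profession": "nurse", "answer": 2},
    {"name": "Person C", "email": "c@example.org", "municipality": "Kuopio", "age": 38, "profession": "nurse", "answer": 5},
    {"name": "Person D", "email": "d@example.org", "municipality": "Joensuu", "age": 52, "profession": "teacher", "answer": 3},
    {"name": "Person A", "email": "a@example.org", "municipality": "Kuopio", "age": 34, "profession": "nurse", "answer": 1},
]

def pseudonymise(records, direct=DIRECT):
    """Replace direct identifiers with a random code.

    Returns (rows, code_key). The rows are still personal data because the
    code key allows re-identification; the key must be stored separately.
    """
    code_key = {}   # code -> direct identifiers
    seen = {}       # direct identifiers -> code, so one person keeps one code
    rows = []
    for rec in records:
        ident = tuple(rec[f] for f in direct)
        if ident not in seen:
            code = secrets.token_hex(8)          # random, not derived from the name
            while code in code_key:              # regenerate on the (unlikely) collision
                code = secrets.token_hex(8)
            seen[ident] = code
            code_key[code] = dict(zip(direct, ident))
        row = {k: v for k, v in rec.items() if k not in direct}
        row["code"] = seen[ident]
        rows.append(row)
    return rows, code_key

def age_band(age, width=10):
    """Map an exact age to a band such as '30-39'."""
    low = (age // width) * width
    return f"{low}-{low + width - 1}"

def aggregate(rows):
    """Coarsen the exact age into an age band (one aggregation step)."""
    out = []
    for row in rows:
        r = dict(row)
        r["age_band"] = age_band(r.pop("age"))
        out.append(r)
    return out

def small_groups(rows, indirect=INDIRECT, k=3):
    """Return combinations of indirect identifiers shared by fewer than k persons."""
    groups = defaultdict(set)
    for r in rows:
        groups[tuple(r[f] for f in indirect)].add(r["code"])
    return {combo: len(codes) for combo, codes in groups.items() if len(codes) < k}

if __name__ == "__main__":
    rows, code_key = pseudonymise(RECORDS)
    for combo, n in small_groups(aggregate(rows)).items():
        print("identifiable combination:", combo, "persons:", n)
```

Removing names alone does not anonymise the constructed data: the single teacher in Joensuu remains identifiable from the combination of indirect identifiers until that group is coarsened further or suppressed.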
Data controller and data processor
Data subject: The individual whose personal data is processed.
Register: A data set containing personal data.
Data controller defines for what purpose and how personal data is processed. Data controller may be a person (such as a researcher) or an organization (such as a university or hospital). There may be several data controllers, in which case they are referred to as joint controllers. When determining the controller, it is essential to consider who has real control over the personal data being processed. The controller must be appointed as soon as the collection of personal data begins at the start of the study.
The data controller’s responsibility is
- to maintain a privacy statement on the processing of personal data
- to inform the participant, i.e. the data subject.
At the University of Eastern Finland, the recommendation is to provide information on the privacy statement as a separate document. The content of these and a few other key data protection documents is discussed below in a separate section.
Data processor is a person or organization who actually performs the processing of personal data in the register. The data controller does not necessarily process personal data itself, but it is done by the data processor. An example of a processor of personal data may be Webropol Oy if the data is collected as a survey. Transcription or translation work carried out as an outsourced service also makes the service provider the processor of personal data.
The data processor’s responsibility is
- to comply with the data controller’s instructions (this must be determined either by an agreement between the controller and the processor or by another similar legal document)
- to ensure that any person entitled to process personal data undertakes to comply with the obligation of professional secrecy
- to ensure the encryption and minimization of personal data and the confidentiality of the processing systems
- to delete or return all personal data (depending on the choice made by the controller) to the controller after the processing has ended
- to demonstrate that the personal data have been processed in accordance with the GDPR
Both the data controller and the data processor are bound by the principles on the processing of personal data, such as lawfulness and transparency, data minimization and accuracy, and confidentiality of the processing.
Further information on processing personal data can be found here:
- The instructions of the Office of the Data Protection Ombudsman: Inform the data subject about the processing
- UEF personnel training material: Processing of personal data in research activities and in connection with higher education studies (requires UEF IDs)
- The Data Management Guidebook: Informing on the processing of personal data
- The Qualitative Methods Guidebook: Research permit, consent, information and data protection
Privacy statement (privacy notice)
The privacy statement contains all information that should be communicated to the subjects when processing personal data in scientific research. A privacy statement also describes the processing of personal data. The privacy statement can serve as a basis for preparing information for research participants. The privacy statement of a research project is prepared whenever personal data is processed, even if direct personal identifiers are not processed.
The privacy statement describes
- a data controller
- all parties involved in the study and their responsibilities
- a description of the study, which is related to the definition of the purpose of processing personal data
- what personal data is collected and where
- how long the personal data is stored and where it may be archived after the study
- transfer or disclosure of data to external parties
- transfer or disclosure of data outside the EU/EEA.
In the processing of personal data, it is important that access to them is controlled and planned. However, it may be necessary to disclose information outside the research group, for example, if the transcription of the interviews is outsourced. In such a case, the transcriber is defined as the data processor with whom a data protection agreement must be signed (the template document can be found on the UEF’s internal network Data Protection Agreement).
If the data is transferred or disclosed outside the EU or the European Economic Area, it must be justified. The data transfer is possible as long as the country concerned can guarantee an adequate level of data protection. Read more, the grounds for transferring personal data in Chapter V of the Data Protection Regulation.
The UEF's guidelines note that if the research data is stored on, for example, a computer hard drive or an external drive and the researcher is carrying the device outside the EU or EEA, it is likely to be a transfer of data outside the EU. On the other hand, if data is processed outside the EU through a cloud storage service, it may not necessarily constitute a transfer of data outside the EU. Read more, Rules on international data transfers.
Participant information - research announcement
The participants are informed of the processing of personal data by means of a separate bulletin, which must be available to the participants. Information is needed whenever personal data is processed. The research announcement describes the name and purpose of the research and presents a request to participate in the research. It states, among other things, the voluntary nature of participation, describes the course of research and the communication of research results.
The participant is provided with information on the following
- data controller (contact details)
- contact details of the data protection officer (if designated)
- the purpose of processing personal data
- grounds for the processing of personal data (if based on a legitimate interest, indicate which interest is at stake)
- what personal data is processed
- where personal data is transferred or disclosed (including whether it is transferred outside the EU or the EEA with justifications)
- the period of retention of personal data or at least the criteria for determining it
- rights of the participant
- if the processing is based on consent, information on the right to withdraw consent
- information on the right to lodge a complaint with the supervisory authority
- whether the participant is obliged to provide the necessary personal data and justifications
- where the personal data were obtained
- whether automatic decision-making is used
Templates for research announcement are available on the UEF Intranet website Processing of personal data in scientific research.
Participant consent
In scientific research, consent may be requested from the participant for
- participating in the research; if personal data is processed in the research, the processing may be based on something other than consent, e.g. public interest (§ 4 of the Data Protection Act).
- the processing of personal data: whenever specific or sensitive personal data are processed or if the basis for processing is consent (Articles 6.1.a and 9.2.a. of the Data Protection Regulation).
The composition affects what kind of rights the data subject has.
The data protection impact assessment (DPIA) assesses the risks associated with the processing of personal data (Data Protection Regulation Article 35). It assesses which rights or freedoms of data subjects could be at risk and what kind of damage could be incurred by data subjects from the envisaged processing of their personal data. Damages may be physical, material or intangible (e.g., fraud, financial loss, loss of reputation, reversal of pseudonymisation). The data protection impact assessment must be carried out well in advance before the beginning of the research and the processing of personal data, as the collection of personal data is already considered to be processing.
An impact assessment is mandatory when
- the intended processing of personal data may pose a high risk to people's rights and freedoms, for example large-scale processing of personal data relating to criminal convictions or offences or of special categories of personal data, biometric or genetic data, or, for example, location information
- the data subject has not been informed, for example, due to a large number of participants in the study.
If it is unclear whether an impact assessment is required when planning the study, it is advisable to carry out a preliminary evaluation of data protection. It can be used to determine whether the criteria for the actual impact assessment obligation are met. If risks are identified, their severity and likelihood of realisation are assessed on a high-low scale.
Criteria for high-risk assessment include
- assessment or scoring of personal data (e.g. profiling, disease anticipation)
- automatic decision-making with legal effects (e.g. rescission of contract, denial of citizenship)
- systematic monitoring of data subjects
- processing of data belonging to special categories of personal data or otherwise very personal
- large-scale processing of data
- combining datasets (e.g. the same controller combines datasets created for different purposes)
- processing of personal data of those in a vulnerable position (e.g. child, patient, asylum seeker)
- application or innovative use of new technology or organisational solution (e.g. fingerprint recognition in access control).
Read more, When is a Data Protection Impact Assessment required? Further guidance from the European Commission; Data protection roadmap for scientific research, The Office of the Data Protection Ombudsman.