1. Find out whether your research task involves the processing of personal data
Personal data is defined in the EU General Data Protection Regulation (2016/679) as follows: “‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
Direct identifiers include names, personal identification numbers, photos, videos, audio, email addresses and traditional signatures. A person can be indirectly identified if a sufficient number of identifiers is known and can be used to identify the person without undue effort, for example, the person’s professional title and job or position (Chairman of the City Executive Board), in which case the identification of the person requires little effort.
Special categories of personal data: Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation are prohibited, but there are exceptions to the prohibition, including for scientific research purposes and express consent.
The processing of personal data is defined in the GDPR as follows: “‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”.
Example: If you save a survey respondent’s name, or the respondent can be identified otherwise afterwards, you are processing personal data.
Personal data can be collected in various ways: through a questionnaire, interview, observation, collection of personal data from online services, etc. An anonymous survey also processes personal data if the data collected can be used to identify the respondent directly or indirectly. A person may also be identifiable on the basis of collected background information (e.g. age, gender, education, place of residence, professional title, workplace).
If you are conducting a survey and cannot determine in advance whether the answers will generate personal data, you should assume that you are processing personal data. An interviewee’s voice, photo or video are personal data. If you conduct an anonymous survey, you process personal data if the respondent can be identified directly or indirectly from the collected data. The collection of background variables alone can lead to the identification of a person (e.g. age, gender, place of residence, professional title, workplace). Recognisability does not require that a large number of people identify a person, it is sufficient that the people close to the person or the author of the survey can identify them. The starting point of statistical research is that groups of less than five respondents are not processed, so if you get the only 68-year-old male midwife student to respond to your survey, you must eliminate the possibility of identifying the respondent during analysis so that individuals can no longer be identified in the final thesis. This should also be communicated to respondents in advance.
There are many kinds of health information, such as dental charts, genetic data and other data that uniquely identify a person. You may also conduct a survey about how a hospital’s emergency services have been functioning during a certain period of time. Even if you do not ask the respondent for any background information or even the reason for visiting the emergency room, just the fact that they have been a customer there is personal data, and also special information in that you have to keep the information strictly confidential. The processing of such data should be agreed in detail with the customer and discussed with the supervisor.
If you have received a list of contacts from the thesis supervisor, you can use them to contact people. However, when you contact someone, let them know right away where you got the information. It is also recommended to agree with the supervisor that you will destroy the data when you no longer need it. You can leave the information in your email or other personal files.
If you use photos of an individual person in your thesis, agree with them about it. If you are taking photos at an event and the photo shows several people, it is a good idea to announce that you will take photos that may be published in the thesis. It is recommended to give participants the chance to avoid the camera. When photographing children, you should be especially careful and find out in advance whether you need the consent of their parents to take and publish pictures.
Be careful when processing personal data obtained from public material. Public material includes legal cases, for example. In that case, note that even if a person’s information is visible somewhere in public, you must have grounds for including them in the thesis as they are. If it is a person performing/having performed a public task, you can also use the information in public, but if it is a private person, for example, and it is not necessary to specifically mention their name, you should avoid this. For example, if you are referring to a case, even if the Supreme Court documents show the name of the person whose case has been processed, you can refer to the case and the person, e.g. with the letter X.
You can still refer to publications using the author’s name, and this does not require any special measures in terms of data protection.
Although you do not know in advance whether the answers will generate personal data, it is advisable to prepare for it when considering background variables. The more background variables are obtained via questions, the more likely it is that personal data will be formed. Only ask about the background variables you genuinely need.
2. If your research task involves the processing of personal data, clarify your role and responsibilities in the processing of personal data
Data controller refers to an entity that alone or jointly with others determines the purposes and means of processing personal data. Therefore, the data controller is the party for whose purposes the personal data is processed and who makes the decisions concerning the processing of personal data. The data controller is responsible for ensuring that the processing is carried out correctly and legally, respecting the rights of the data subject.
The data controller may be the author of the thesis, an issuer or cooperation organisation, another cooperation party or a university of applied sciences. If the data controller is not a student, they have the main responsibility for the processing of personal data, but you must still be careful and comply with the requirements set for the processing of personal data in your thesis.
Data processor means any natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller. In that case, the data controller is another party and the data processor processes personal data on behalf of the data controller. For example, a person providing marketing services may be a processor of personal data when receiving customer name and contact information from the data controller. In that case, there must be a written agreement between the data controller and the data processor regarding the processing of personal data. The data processor is also partly responsible for the processing of personal data, but their responsibility is more limited.
3. Familiarise yourself with the responsibilities of your role as defined by the GDPR and national law
If you process personal data, please inform the data subject about it. No provision is made for a specific form of notification channel (e.g. a report), but as a general rule the information must be provided in writing. This allows you to take care of the data controller’s accountability, which is a key principle of the GDPR and means that the data controller must be able to demonstrate compliance with data protection legislation. The privacy statement you have prepared will remain with you and, if necessary, you can use it to demonstrate that you have complied with the data protection legislation. If you wish, you can attach it to your thesis. As the statement does not serve as a communication tool in this context, you can delete your contact information from it and only leave your name visible.
The privacy statement may also serve as a basis for the creation of information to be provided to data subjects. You can also use a form to inform research participants of the thesis related to your degree. In the form, you can give more detailed information about your thesis and key data protection issues. Please note that the processing of personal data is only justified when it is necessary for your thesis. Do not collect data just as a precaution, but only collect data that is necessary for your thesis (intended use).
The processing of personal data must always have legal grounds that must be determined before the processing begins. It is not possible to change the grounds later. The grounds for processing affect the rights of the data subjects in relation to the data controller.
In scientific research, the legal basis for processing is generally public interest (processing is necessary for the performance of a task in the public interest, in this context for the conduct of scientific research). It is also a suitable processing basis for a thesis, but usually theses related to bachelor’s degrees do not meet the criteria of scientific research. In that case, the consent of the data subject, for example, should be used as the grounds.
You should ask for the consent to participate in the survey of anyone from whom information is collected. The consent to participate can be requested in writing, orally at the beginning of the interview or as an option to be selected in the survey.
Note: The survey may include two types of consent:
Consent to the processing of personal data (legal basis for processing.
Ethical principle of consent (the legal basis for processing is not the data subject’s consent)
Please note that if consent is the basis for the processing for your survey, you must also ask for it, for example, by using a consent form in writing or electronically, in such a way that the survey participant understands in sufficient detail what they agree to. If the data subject withdraws their consent, this means that identifiable data must be deleted from the work if consent is the only basis for processing.
Personal data should not be included in the completed thesis without a reason. The material must be anonymised or pseudonymised.
Anonymisation means the processing of personal data in such a way that the person can no longer be identified from them. Personal data can be erased from the information, and data about an individual person will no longer be in identifiable form. Identification must be prevented irrevocably and in such a way that the data controller or any other external party can no longer make the data identifiable again with the information in its possession.
Pseudonymisation means the processing of personal data in such a way that the personal data can no longer be linked to a specific person without further information. Such additional information must be carefully stored separately from personal data. Even if the information is pseudonymised, it can still be used to identify an individual by combining additional information. Pseudonymised data remain personal data and must be processed in accordance with data protection provisions.
Please take care of information security. Store the material in a safe place and ensure adequate protection. If personal data is lost or becomes available to third parties, this constitutes a security breach. If you suspect that this has happened, please notify the data controller immediately or send an email to firstname.lastname@example.org for further instructions. You have a secrecy obligation concerning any confidential personal information you receive from a data subject, and you cannot discuss it with third parties. The exception to this is the thesis supervisor, with whom you can go through the material if necessary, because they are not external to your thesis.
Taking care of the lifecycle of personal data is particularly important. After the survey, research material containing personal data must not be stored unnecessarily but must be disposed of (as a general rule) securely. Material containing written personal data must not be placed in a paper collection or waste bin. The University of Applied Sciences has lockable data security rubbish bins where you can leave the material in question. Files stored on a network drive or Webropol must be deleted, and other material must be disposed of securely.