Do you handle personal data in your research

Do you handle personal data in your research? The EU’s General Data Protection Regulation (GDPR) and Research
Päivi Lindström, legal counsel

What is Personal Data?

It is any information relating to an identified or identifiable person:
• information which is sufficient on its own to identify an individual, e.g. name, email address, voice, video, DNA, dental records, personal identification number
• information which can be used to identify an individual fairly easily, e.g. location data, an unusual job title, a very rare disease, a position held by only one person at a time (for example the CEO of a named company), a student ID number, insurance policy number
• information that on its own is not enough to identify someone but, when linked with other available information, could be used to deduce the identity of a person, e.g. age, gender, education, occupation, household composition, income, marital status, mother tongue, ethnic background, place of work or study, postal code, municipality, major region

What to do?

Do you handle personal data in your research?

Yes: I am using, collecting, or otherwise processing personal data
• Ascertain and document the legal basis for processing of personal data
• Plan the entire life cycle of personal data processing (collecting, storing, using, research cooperation, further research, archiving, deletion, etc.)
• Inform the research participants of your research and the processing of their personal data
• Use only Aalto-approved information systems and document the systems that you use

No: I am not processing personal data
• This does not apply to you

More details and templates: https://www.aalto.fi/en/services/how-to-handle-personal-data-in-research

More information

• New course titled “Research Ethics for Doctoral Students”, see the section “Personal data in research”: https://mycourses.aalto.fi/mod/book/view.php?id=420477
• For more information on what is “personal data”, see section 4.1 under the link
• See also sections on pseudonymization and anonymisation (sections 4.2 and 4.3)
• What constitutes “processing”? (See section 4.5)
• The EU’s Working Party 29 Opinion on anonymization techniques: https://ec.europa.eu/justice/article29/documentation/opinion-recommendation/files/2014/wp216_en.pdf

Planning is the key

• Plan the entire life cycle of the data:
  • how you collect personal data (from which sources),
  • what type of personal data you collect,
  • what you will do with the data (describe your research),
  • who is the controller / processor of data,
  • what is the legal basis for processing the data (in research public interest or consent),
  • will you share the data with anyone outside of Aalto,
  • will you transfer data outside of the EU,
  • how long will you store the data,
  • will you pseudonymise or anonymise the data at any point (and when)?
  • will you archive any data and where?
  • when will the data be destroyed?

17.1.2022

Inform the data subjects

• Data subjects must always be informed of how you will process their personal data, the legal basis for the processing, and their rights under the GDPR
• The information to be provided varies slightly depending on whether the data is collected directly from the data subjects or from other sources (GDPR Article 13 / Article 14)
• https://tietosuoja.fi/documents/6927448/8214536/Information+subject+to+the+notification+obligation.pdf/b70fd21a-2cf9-433f-8af5023df7ca7cd4/Information+subject+to+the+notification+obligation.pdf

Consider who is the processor / controller of personal data

• The GDPR imposes legal obligations on the controller and the processor of personal data
• Is Aalto University the controller or processor of personal data? Or is it the researcher who handles personal data in his/her research? What about students?
• Remember that if Aalto University is the controller or processor of personal data (instead of the researcher), you cannot take the data with you without separate arrangements

Sharing personal data outside of Aalto University?

Remember to
• inform the data subjects about any disclosures and transfers of data (inside and outside of the EU)
• agree with anyone you share personal data with about the roles and responsibilities
• if you plan to transfer personal data outside of the EU, ensure that it is legal: https://ec.europa.eu/info/law-topic/data-protection_en

Consent to participate in research vs. informing data subjects of the processing of their personal data

If you collect personal data directly from data subjects, you need to BOTH
• Obtain the data subjects’ consent to participate in the research, AND
• Inform the data subjects what you will do with their personal data (GDPR Article 13)
• No consent is required for the processing of personal data if the legal basis for processing is public interest

More details and templates

https://www.aalto.fi/en/services/how-to-handle-personal-data-in-research