RESEARCH & LAW: A VERY BRIEF OVERVIEW
BY SIRPA KOVANEN, LEGAL COUNSEL, RESEARCH SERVICES
Presentation Name / Firstname Lastname 04/01/2022 1

WHEN DO DATA PROTECTION LAWS APPLY TO MY RESEARCH?
• The GDPR applies whenever the University of Helsinki processes personal data, regardless of where the processing takes place
• Processing: Practically anything you can do to personal data, including for example collection, use, storage and deletion
• In the majority of research projects, the data controller is the University of Helsinki rather than the researcher as an individual

WHAT IS PERSONAL DATA?
• Data related to an identified or identifiable living natural person
• Identifiable: Directly or indirectly, for example by combining data from multiple sources
• Example: A 123, a 45-year-old man, lives in Smalltown (a village with 50 residents), favourite color: green
• Data may be personal data even if you do not know a person’s name, social security number, contact details or other direct identifiers
• It is very likely that your project involves processing of personal data

DATA PROTECTION PRINCIPLES
1) Lawfulness, fairness and transparency
  • As a main rule, data subjects have to be informed about the processing of their personal data. See notice template: https://www.yammer.com/helsinki.fi/#/groups/13861941/files
  • Legal grounds for processing in the GDPR
2) Purpose limitation
  • Personal data may only be collected and processed for specified, explicit and legitimate purposes
3) Data minimisation
  • Collect and process only data that is necessary for the purposes of processing

DATA PROTECTION PRINCIPLES
4) Accuracy
5) Storage limitation
  • Timely pseudonymisation/anonymisation, deletion of data that is no longer necessary, definition of the duration of processing
6) Integrity and confidentiality
  • Appropriate security of personal data, taking into account the risks inherent in the processing and the sensitivity of the data
7) Accountability
  • Must be able to demonstrate compliance with requirements

TRANSFERS OF PERSONAL DATA
• As a main rule, research participants have to be informed if their personal data may be transferred to recipients outside the University
• Agreements on the transfer of personal data to recipients outside the University of Helsinki are required
• Please note that HUS is also a separate entity from the University
• “Recipients” also include service providers such as transcription services, cloud services, survey platforms etc.
• Preliminary assessment form for data protection impact assessments: https://elomake.helsinki.fi/lomakkeet/98944/lomake.html

COMMON MISTAKES RELATED TO DATA PROTECTION
• Using free consumer versions of cloud services and online survey services
  • It is not possible to conclude the agreements required by law, risk of insufficient level of information security
• Anonymisation vs. pseudonymisation
  • The threshold of anonymisation is very high. In most cases, the data is actually pseudonymised, not anonymised.
• Wrong definition of “personal data”
  • This may lead to problems if you, for example, promise to delete all personal data while actually meaning that direct identifiers will be deleted.

LEGAL SERVICES
• University lawyers can assist researchers with agreements and legal questions related to University research projects.
• Please contact tutkimuksenjuristit@helsinki.fi whenever you are planning on cooperating with parties outside the University or procuring services!
• Why are agreements necessary?
  • Compliance with laws such as the GDPR, procurement and state aid laws, as well as obligations set by funders
  • Agreeing on the ownership of intellectual property rights
  • Ensuring the University receives due payments for performing research for others
  • Ensuring the University can publish the results of its research
  • Ensuring the level of services procured by the university is sufficient
  • Etc.

DATA OWNERSHIP
• No simple guidelines: Discuss with the PI
• Affected by factors such as:
  • Source of funding
  • Cooperation with other parties
  • Employment relationship
• A data transfer undertaking must be signed by all participating researchers in projects that involve external funding paid to the University or cooperation with parties outside the University.

MORE INFORMATION
Yammer data protection group:
• https://www.yammer.com/helsinki.fi/#/groups/13861941/files (templates, longer presentation on data protection in research)
Data protection guides on Flamma:
• https://flamma.helsinki.fi/group/turvallisuus/tietosuoja
Finnish data protection authority: https://tietosuoja.fi
Research agreements and legal matters: https://flamma.helsinki.fi/group/tutkimuksen-tuki/tutkimussopimus-ja-lakiasiat
Legal services for research: tutkimuksenjuristit@helsinki.fi or researchlawyers@helsinki.fi