Data protection in research

The Finnish Constitution safeguards the freedom of science. The GDPR regards research as a special case of processing personal data. Also at the national level, data protection regulations, such as the Data Protection Act (1050/2018), contain special processing provisions and exceptions concerning scientific research aimed at supporting and promoting research activities. Data protection regulations protect the persons under investigation. The aim of the legislation is to strike a balance between the protection of personal data and the processing of personal data in scientific research.  

In scientific research, data protection refers to the careful and systematic processing of personal data concerning research subjects. Unnecessary collection of personal data should be avoided. In addition, the data must be protected in such a way that it cannot be accessed by third parties. Data protection regulation refers to a controller who, alone or jointly with another party, determines the purposes and means of processing personal data. In connection with scientific research, the controller may be an individual researcher, research group, university, department of the university or other separate research institute. It should also be borne in mind that the collection of data already constitutes processing of personal data, so the controller must be defined even before the research begins.  

The data controller must be able to demonstrate compliance with data protection legislation when processing personal data in research. A separate privacy notice must be drawn up for each research project, as all projects are unique. The purposes and means of processing must be identified in your research plan on a case-by-case basis. Data protection regulations become more detailed when the planned processing is likely to result in a high risk to the rights and freedoms of data subjects, such as: special categories of personal data.