Personal data processing in thesis projects or study attainments

Published 11.12.2024 | Updated 11.12.2024

Check list before starting personal data processing

1. Talk to your supervisor Find out whether it is necessary to process personal data and how it is done in accordance with data protection legislation.
2. Define the purpose. Make a note in your thesis plan or research plan of the data that you plan to collect and the reason for collecting it. Only collect necessary data.
3. Identify the controller. Find out whether the party responsible for the processing of personal data is you or the organisation for which you are conducting your thesis.
4. Plan the way you will collect the data. Find out where the data is stored and what will happen to it once your thesis or other study attainment is finished.
5. Select the basis for processing personal data. There must always be a legal basis for processing personal data, and you have to decide it before starting to collect personal data.
6. Inform the subjects. Inform the subjects clearly of the processing of their personal data and ask for their consent.
7. Process the data securely. For conducting surveys, use tools approved by the university, such as Webropol. Make sure that the data is not transferred outside the EU/EEA.
8. Delete the data after completion. Delete the data in a secure way, for example, in the university’s data protection bins or from the electronic system.

Personal data processing contact persons

The supervisor of your thesis project will also support you in the data protection matters related to your thesis and is your primary contact person with regard to all personal data processing matters.

You can also contact Uniarts Helsinki’s data protection officer: tietosuoja@uniarts.fi

What is personal data?

Personal data entails all data on the basis of which a person can be directly or indirectly identified. Personal data includes:

• Name
• Home address
• Email address
• IP address (network address)
• Phone number
• A photo or video where the person can be identified
• Sound if the person can be identified based on it
• Student number

Indirect data, such as an unusual job title or nickname may also constitute personal data, if the person is identifiable on the basis thereof. Read more about the definition of personal data (tietosuoja.fi).

Personal data processing methods

Personal data processing refers to all methods of using personal data, such as collecting, viewing, storing, editing or deleting.

If your thesis project is related to living persons, in all likelihood, you are processing personal data. For example, collecting data by means of a survey, interview, observation or video equals personal data processing. When you process personal data, you must adhere to data protection laws.

Pseudonymisation means that the person’s identification data is removed, but the person may be identifiable on the basis of additional data. Pseudonymised data is still personal data. Anonymisation means modifying the data to such a degree that the person can no longer be identified. Anonymised data no longer constitutes personal data. Therefore, the GDPR requirements do not apply to it. Pseudonymisation and anonymisation are also forms of personal data processing. Read more about personal data processing (tietosuoja.fi).

Avoid processing sensitive personal data

Sensitive personal data refers to data belonging to special categories of personal data, theprocessing of which could create significant risks to the rights of the individual. Such data includes the individual’s ethnic background, political opinions, religion, trade union membership, health, sexual orientation as well as genetic or biometric data. As a rule, the processing of such data is prohibited, although it may be permitted in specific situations, for instance, if the individual clearly indicates their consent or if the data is related to scientific research.

Students should avoid processing such data in a thesis project, unless it is necessary. If processing is required, it is important to assess whether the data can be securely processed and then acquire the required consent. If the thesis entails extensive processing of sensitive data, it may also be necessary to conduct a Data Protection Impact Assessment (DPIA) in order to establish the impact of the personal data processing on the subjects. To determine the need, you should conduct a Protection Impact Assessment (PIA).

In such situations, it is always a good idea to talk to your thesis supervisor in advance and follow the thesis instructions.

Discuss the need for processing personal data with your supervisor

Before starting your thesis project or study attainment, talk to your supervisor about whether you need to process personal data at all in your thesis project or study attainment. If it is necessary to process personal data, carefully plan in advance the way you are going to do it. This way, you can ensure that the data protection rules are met throughout the processing.

Remember that even if you processed personal data for your thesis, the final work may not contain personal data.

Start personal data processing by defining its purpose

In your thesis project plan or research plan, for example, specify what personal data you are collecting and why you are collecting it, i.e. what the purpose of the processing is. When planning what data to collect, take into account the essential data protection principles of data minimisation and purpose limitation.

According to the minimisation principle, personal data may only be processed when necessary. For your thesis project or other study attainment, only collect data that is necessary for it. Once it is no longer necessary to identify the data subject, anonymise or pseudonymise the stored personal data.

According to the purpose limitation principle, the purpose of processing personal data must be carefully planned before the start of processing. You may not later on process the personal data in a way that is not aligned with the original purpose.

When planning the processing, also remember to consider which tools and solutions are secure enough for processing personal data.

Identify the controller

The controller is the party who determines the purpose and methods of personal data processing.

In an independently conducted thesis project or other study attainment, you as the student act as the controller. This means that, as the person conducting the research, you are responsible for the legality and appropriateness of the processing. Amongst other things, the controller has an obligation to inform the data subjects. 

If you are conducting your thesis in a university project and you are employed by the university, the controller is usually the university. Even then, you should notify your supervisor. 

If you are determining the purpose and means of data processing together with another party (such as another student, the university or a company), you are joint controllers.

If you are assigned to conduct your thesis project by a company or another organisation, the party ordering the thesis may be the controller (or joint controller) if it determines the purpose and means of processing.

A data subject is the person whose personal data is being processed.

Plan the life cycle of personal data processing

Describe the life cycle of personal data processing in your research plan, for example. Plan the way you are going to collect data, where the data is stored and what will happen to it once your thesis or other study attainment is finished.

Remember that, according to the minimisation principle, the personal data storage period must be as short as possible.

Ensure that the personal data is not transferred outside the EU/EEA

Ensure that the personal data is not transferred from your computer outside the EU/EEA via cloud storage, for example. Transfers like this are subject to certain statutory additional requirements. For instance, if you are using image processing software or free cloud services on your mobile device or computer, the data may be transferred outside the EU/EEA.

Select the basis for processing personal data

When it comes to personal data, there must always be a basis of processing pursuant to the GDPR, i.e. a legal basis for processing, which must be determined prior to the start of processing. You may not change the basis once you have started the processing of personal data.

For thesis projects, the basis for processing is often the data subject’s consent as in most cases a thesis is not deemed to meet the criteria of scientific research. Take a closer look at the prerequisites of qualified consent (tietosuoja.fi).

In some cases, legitimate interests may also constitute a basis for processing. Legitimate interests may apply in a situation where the data is collected from a source other than directly from the data subject. This requires a balance test. The GDPR balance test refers to an assessment to establish whether the processing of personal data may be based on the controller’s legitimate interests. The test is performed in order to ascertain that the rights and liberties of the data subject (the person whose data is processed) are not overlooked for the interests of the controller or a third party. Additional information: Controller’s legitimate interests

In scientific research, the legal basis for processing is usually public interest (the processing is necessary for conducting scientific research). If your thesis project plan meets the scientific criteria, the basis for processing may be public interest, in which case you do not have to use the subject’s consent or legitimate interests as the basis for processing. Always talk to your supervisor first if you think that your thesis project meets the criteria of scientific research.

The selected basis for processing is added to the data protection statement (more on that below) and explained in the information given to the subjects.

However, if you are collecting data directly from a person, you also have to get their consent to participate in the research even if it is scientific research (the consent to participate in research is separate from consent as a legal basis for processing).  You can request the consent to participate in writing, verbally at the start of the interview or in a survey as a box to check once the subject has received a separate notification of the survey. We recommend the written option.

Draw up the data protection statement

Inform the subjects by drawing up a data protection statement clearly describing the way personal data is processed. The data protection statement should also inform the data subject of the controller, the purpose of processing personal data and the storage period. Read more on the obligation to inform (tietosuoja.fi)

To draw up your data protection statement, you can use the Uniarts Helsinki data protection statement form template which you can get from your supervisor. Fill in the necessary information and notify the data subject.

If you are collecting personal data from a source other than the data subject themselves, inform the data subject within a reasonable period of time (at the latest within a month). If the personal data is used before that to communicate with the data subject or transferred to a third party, the data subject must be informed at the time of communication or transfer, respectively.

How can you securely process personal data?

Personal data collected for a thesis project or other study attainment must be processed in a secure way. Read more on data security at Uniarts Helsinki on the personnel’s intranet-Arts or ask your supervisor or teacher for the Uniarts Helsinki guidelines.

Students must take care when processing information containing personal data. If personal data is lost or if unauthorised parties gain access to it, it constitutes an information security breach or incident. It is a case of an information security breach if, e.g. your computer is stolen, data is stored in the wrong system or unauthorised parties gain access to the data in some other way. If you suspect that this may have occurred, immediately report it to receive additional instructions: tietoturva@uniarts.fi. 

If you are conducting a survey, only use Uniarts Helsinki’s designated electronic survey tools for collecting data. The primary tool used by Uniarts Helsinki is Webropol. Read more about the Webropol tool.

Processing personal data once the thesis or study attainment is finished

When your thesis project or study attainment is finished and approved, as a rule, you should destroy any materials containing personal data in a secure manner to prevent unauthorised parties from gaining access to it. Any printed materials you can deliver to the university data protection bin. You can find them near the multipurpose printers. You should delete the electronic materials from the storage location, such as the network drive or Webropol. Sometimes, at the end of the research, the data may be submitted anonymised to the Finnish Social Science Data Archive or the Language Bank of Finland.

Finally, ensure that the finished thesis or study attainment does not contain any personal data and that no individuals can be identified on the basis thereof without the individual’s consent.

Always process personal data anonymously when the data subject’s identity is not essential to the implementation of research.