Guidelines on processing personal data for studies - frequently asted questions
Titles that can be associated with a specific individual at a specific company are considered personal data.
Examples of personal data processing
- The collection, storage and destruction of email addresses used to conduct survey or interview research for a thesis
- The collection, storage and destruction of the consent forms of persons who participated in the research
- The collection, analysis, storage and destruction of participants’ responses from which individuals can be identified
- Searching for personal data from an electronic system, such as a social media channel, even if the channel is public and the information therefore retrievable by anyone
- Transcription of an audio recording of an interview.
Conducting a survey completely anonymously, so that no personal data is collected or processed, is challenging. In general, the accumulation of personal data in survey research cannot be entirely avoided in advance, even if the survey is planned so that participants can respond completely anonymously. On the other hand, the erasure of all items relevant to the research just in order to avoid personal data processing with its ensuing obligations may no longer be reasonable to serve the purpose. In theory, an anonymous survey would require that no contact details be collected, no participants’ identities be recorded, and no participants be identifiable by means of e.g. a link or an IP address they used. However, free text fields in a survey pose a risk, as participants may write practically anything, including information that allows them to be identified. No information should be collected from participants that could be used to identify a participant, for example, when assisted by information from a personal data file in the public domain, or that could be used to identify a participant or some other individual based on the response written in a free text field.
One should always seek to use anonymisation as the implementation method, generally speaking. However, if you are uncertain whether the material collected in a survey is completely anonymous, it is safer to make a privacy notice for the survey and to take care of all the data protection obligations, in case personal data processing proves unavoidable.
Case 1:
Students who are independently writing a thesis are considered to be the controller of the personal data they process.
Case 2:
If a student is writing a thesis in an Aalto University research project and is in a contractual employment relationship with Aalto, the controller is Aalto University.
Case 3:
If a student is writing a thesis for a company as a commissioned work or for a company with which the student is in a contractual employment relationship, then the controller is usually the company. If you are writing a thesis as a commissioned work for a company, ensure that the personal data processing conforms to the company’s guidelines; to do this, contact the company’s data protection officer or the equivalent who is in charge of the company’s personal data processing. When planning thesis research with a company, it is important to underscore that the completed thesis will be a public document.
Case 4:
Students who write theses jointly without a commission or a contractual employment relationship are most likely joint controllers. In that case, it is important that they have a clear agreement on how the work and the responsibilities will be divided between themselves so to ensure that personal data will be processed in the proper manner.
The legal ground is usually the consent given by the data subject for the processing of their personal data. The consent must be a specific, freely given, informed and unambiguous expression of the data subject’s wishes. The consent may also be withdrawn. See:
The student and thesis advisor or thesis supervisor must agree on the personal data processing. Before beginning the collection or other processing of the personal data, the processing must be described in the research plan and, if necessary, in other documentation (e.g. the privacy notice or data management plan), depending on the case.
Most probably you have pseudonymised the material. However, the material may still contain personal data.
Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be associated with a specific person without additional information. An example of pseudonymisation is to substitute a random code for all names, addresses and any other identifying information about participants in a survey. Pseudonymisation is commonly performed in research in order to protect and to minimise the processing of personal data. Pseudonymised data must still be processed as personal data. Keep in mind that data may be deemed personal data even if a student processing the data for their research is unable to ascertain the identity of the research participants.
Anonymisation means that the data processing is irreversibly prevented from disclosing the identity of the individuals in it; the data is rendered such that not even the controller or an outside party with the information in their possession could change the data back to where the individuals could be identified. Erasing the identifiers, such as participants’ names, from the research material is usually insufficient for anonymisation.
Certain kinds of research require an ethical review procedure. If you are planning to process sensitive data, for example, you must follow the guidelines of the Aalto University Research Ethics Committee. To obtain an ethical review, you must complete the application together with your thesis advisor and do so before beginning to collect the research material. Before completing the application, the research and the processing of personal data must be well planned and documented. Determine the need and possibility to apply for an ethical review well ahead of time, already at the stage when you are choosing a research topic.
Link: How and when should you apply for ethical review of research | Aalto University
Some organisations may require that you apply for a research permit in cases where you are studying, for example, the organisation’s students, customers, patients or employees. Before completing the permit application, the research and the processing of personal data must be well planned and documented. Determine the need and possibility to apply for a research permit from the organisation in question well ahead of time, already at the stage when you are choosing a research topic. Note that the party granting the research permit may require that an ethical review be performed.
Learn more about situations where you will need an Aalto University research permit.