THESE INSTRUCTIONS SUPPLEMENT THE NATIONAL DATA MANAGEMENT PLAN INSTRUCTIONS. READ THE INSTRUCTIONS SIDE BY SIDE!
Purely to make this guide easier to understand, we call the data described above "sensitive personal data". However, the exact legal term is "special categories of personal data".
The processing of personal data is regulated by legislation. The legislation governing the processing of personal data is the EU's General Data Protection Regulation (GDPR), along with the Data Protection Act that supplements it. The purpose of the new legislation is to improve people's opportunities to decide how information about them is processed, and it also has implications for how personal data is processed in research. New features include the accountability requirement, which means the controller or processor of the personal data must in the future demonstrate in writing that they comply with data protection legislation and the principles of processing personal data while ensuring the legal rights of the data subjects. In addition, there are changes to the rules governing how personal data collected with the consent of the subject can be used.
There are also organisation-specific instructions for many stages of the processing of personal data which must be followed.
Data management planning is particularly important when processing datasets containing personal data, as it allows you to protect your rights and the rights of your organisation, as well as the rights of your research subjects. A breach of data protection legislation may result in administrative sanctions, criminal liability and liability for damages. Letting personal data fall into the wrong hands may cause serious damage to the research subject.
Further information: The Data Protection Ombudsman's office is currently drafting instructions on applying the new data protection legislation: https://tietosuoja.fi/en/home
A version open for comments is available here: https://wiki.helsinki.fi/x/EvOKDw
1. General description of data
1.1 What kinds of data is your research based on? What data will be collected, produced or reused? What file formats will the data be in?
The data management plan should describe the kind of personal data the collection and analysis methods generate. The justifications for the research and the reasons for collecting and processing personal data should be included in the research plan.
Describe all relevant data sources in the data management plan. For example, list the people or groups of people, authorities and registers involved in the research.
For each data source:
Please note that when you collect personal data or sensitive information, you must also ensure the security of the media used to collect and transport the data. A more detailed description of this is included in section 4.1.
1.2 How will the consistency and quality of data be controlled?
Consider the quality of the data throughout its life cycle, from collection to publication and archiving. What are the biggest risks and how will they be managed? Does the collection of data which contains personal information feature elements that require special attention in relation to the quality of the data? (Information security will be covered in section 4.1.)
2. Ethical and Legal Compliance
2.1 What ethical issues are related to your data management, for example, in handling sensitive data, protecting the identity of participants, or gaining consent for data sharing?
Indicate in your plan who, or what organisation, is the data file controller of the data you collect or produce.
Also indicate who the processors are who process the personal data on behalf of the controller. The processing of personal data means any operation which is performed on personal data, such as collection, recording, organisation, use, storage, adaptation or alteration, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data processing also includes cases in which parties outside the organisation or research project analyse samples. Processing agreements must be drafted with such third parties.
The processor must take protective steps to safeguard the rights of the data subject. Such protective measures include:
Your plan should indicate how the impact assessment will be carried out.
The purpose of the impact assessment is to describe how the personal data will be processed. Assess the necessity and proportionality of the processing and assess the risks resulting from the processing as well as measures necessary to address the risks. Impact assessment is required when the processing of personal data is likely to carry a high risk. The purpose of the impact assessment is to help the controller comply with the requirements of the GDPR and to demonstrate this compliance. Data protection impact assessment should begin as early as possible when the processing of personal data is being planned. The assessment must be constantly monitored and updated whenever necessary.
2.2 How will data ownership, copyright and Intellectual Property Right (IPR) issues be managed? Are there any copyrights, licenses or other restrictions which prevent you from using or sharing the data?
The ownership, copyright and intellectual property rights of the data must also be recognised. This is particularly important for sensitive data of any kind.
3. Documentation and metadata
3.1 How will you document your data in order to make it findable, accessible, interoperable and re-usable for you and others? What kind of metadata standards, README files or other documentation will you use to help others to understand and use your data?
4. Storage and backup during the research project
4.1 Where will your data be stored, and how will it be backed up?
If your research involves collecting or using personal data or sensitive personal data:
4.2 Who will be responsible for controlling access to your data, and how will secured access be controlled?
Access control: who is granted access and on what grounds, how is the access restricted, and who is responsible for access control?
5. Opening, publishing and archiving the data after the research project
5.1 What part of the data can be made openly available or published? Where and when will the data, or its metadata, be made available?
Material containing personal data can only be released once it has been anonymised. Pseudonymised data still constitutes personal data and can consequently not be released. Material which contains personal data may, however, be shared with interested parties upon request for the purpose cited in the original basis for processing.
The basis for processing material containing personal data, for example a statutory reason or consent, may restrict the ways the data can be used later.
Acceptable ways to release or publish material which contains personal data include:
5.2 Where will data with long-term value be archived, and for how long?
When drafting an archiving plan, it is important to consider which parts of the material will be archived, and for what period of time. It is also important to decide which parts will be destroyed and how this can be done securely.
Traditionally, the recommendation has been to destroy all sensitive data after the research project, as storing it carries risks and requires special arrangements. Other unnecessary files and intermediate files generated by IT systems must also be deleted once they are no longer necessary.
Just deleting a file and emptying the recycle bin on the computer does not mean that the file has been permanently destroyed. It is possible to retrieve deleted files even after the hard disk has been reformatted. A variety of applications exist for permanently destroying data, based on overwriting data or magnetising the hard disk. It is also possible to mechanically crush the storage device so that it cannot be read.
Archiving material that contains sensitive personal data requires permission from the National Archives, and the data must be minimised before archiving. Any later use of such material requires a research permit.
5.3 Estimate the time and effort required for preparing the data in order to publish or to archive it.
When evaluating the costs associated with the management of sensitive data, consider: