All research involving humans must always follow ethical principles, research integrity, and good scientific practice, even when an ethical review by an ethics committee is not needed.

In Finland, researchers in all fields are guided by general ethical principles:

  • The researcher must respect the human dignity and right to self-determination of the research participants
  • The researcher must respect material and intellectual cultural heritage and natural diversity
  • The researcher must conduct their research without causing significant risks, damage or harm to human participants, the community or other research objects

In addition, all research must be conducted according to the Finnish Code of Conduct for Research Integrity.

Ultimately, research ethics help maintain the participants’ and the public’s trust in science.


General ethical principles in research with human participants

Rights of the research participant

  • Voluntary participation and the right to refuse. Participation must not be coerced, pressured, or persuaded, nor should there be fear of negative consequences for refusing.
  • The participant’s consent must be documented orally, in writing, electronically, or by other appropriate means (see below).
  • The right to withdraw participation at any time without negative consequences. This includes temporarily or permanently opting out of research or any of its phases, without needing to give a reason.
  • The right to revoke consent to participate in the research. People participating in research have the right to withdraw their consent at any time without any negative consequences.
  • Participants have the right to receive clear and truthful information about the content and aims of the research, the processing of personal data, the practical implementation of the study, and any potential harms or risks involved. Possible impacts and benefits must be presented realistically. This information should be provided in a language the participant understands, preferably in an information sheet [link to template]. Participants must also be given the opportunity to ask questions about the research and sufficient time to consider their decision to participate.
  • Participants must be aware that they are part of a study, especially if the researcher holds another role in relation to them, such as supervisor. The researcher must also disclose any relevant conflicts of interest to the participant.

 

Informed consent

Informed consent is a crucial ethical principle when conducting research with people.

If you are, for example, studying group behavior, measuring activity, conducting interviews, recording conversations, taking photos, or conducting a survey, you must obtain informed consent from participants before the participant enters the research (prospectively).

Before asking for consent, you need to clearly explain what the study involves: what you are researching, what participation entails, any potential risks or harm, and how data and personal information will be handled.

Once participants have received enough information, they decide whether to take part. Their decision must be respected – participation must be voluntary.

The researcher documents the participant’s consent either orally, in writing, electronically, or by other means.

 

Consent in anonymous surveys

It is important to remember that even when conducting an anonymous survey, you must clearly inform participants about the purpose of your study, the confidentiality of the survey, the voluntary nature of participation, and obtain their consent to participate. Below are example sentences you can use in your survey:

  • Participation details: “You are invited to complete an online survey on [topic] that will take approximately [estimated time] to finish.”
  • Voluntary participation: “Your participation is entirely voluntary. You may skip any questions you prefer not to answer and can discontinue the survey at any time.”
  • Confidentiality: “The survey is anonymous; no identifying information will be collected, and your responses cannot be traced back to you.” Keep in mind that an IP address can identify a person and is considered personal data (see below). If your survey tool collects IP addresses, the survey is not truly anonymous. Be sure to check and adjust the survey settings to avoid collecting IP addresses.
  • Consent: “By proceeding with the survey and submitting your responses, you indicate your consent to participate in this study.”

 

Processing personal data in research

If you collect information from or about people, you are very likely processing personal data.

Any information that can be used to identify a person is considered personal data. Personal data is not limited to obvious identifiers like names or social security numbers. It refers to any information that could identify a person, either on its own or when combined with other data. Even seemingly general details—such as workplace, role, and gender—can make someone identifiable when used together.

Processing personal data means any operations performed on personal data, including, for example, collection, storage, dissemination, and use or adaptation of research data that contains personal data.

Consider the examples of personal data below (see tietosuoja.fi):

  • E-mail address, such as firstname.lastname@company.com
  • Telephone number
  • Home address
  • Identity card number
  • Car registration number
  • Voice in an interview recording
  • Recordings of Teams or Zoom meetings
  • Other video recordings
  • Physical characteristics
  • Job and educational history
  • Positioning data (e.g. from a mobile phone)
  • IP address
  • Patient records
  • Data on the hereditary diseases of the person's great-great-grandparents
  • The name and business ID of a private entrepreneur
  • Pseudonymized data (see below)

Examples of data that are not personal data:

  • A company's business ID
  • A shared e-mail address, such as info@company.com
  • Anonymized data (see below)

Information does not need to be confidential or sensitive to be considered personal data. What matters is whether an individual can be identified — either directly or indirectly. This means that even if only a small group of people, such as family members or colleagues, could recognize the person based on the information, it is still considered personal data.

Remember, the principle of data minimization means you should only collect and process personal data that is essential and relevant to fulfill the purpose of the research.

Personal data should be removed from research data when it is no longer needed (e.g., participant contact information once it is no longer necessary for linking the data). If direct personal data is kept only for linking purposes, it must be stored separately and securely from the data being analyzed. Access should be restricted to those with a legitimate need to process the data.

The privacy of people who have participated in the research needs to be protected in publications as well. Typically, this means anonymization of research data.

Anonymization means changing the data so that it is no longer possible to tell who the information is about – not now, and not in the future. All details that could reveal someone’s identity are removed or altered in a way that makes it impossible to trace the data back to a specific person. Once data is anonymized, it cannot be linked to the individual again.

Research participants must not be promised complete anonymity if this cannot be guaranteed. This may be the case, e.g., in research focusing on prominent public figures.

During the research process, personal data may also be pseudonymized.

Pseudonymization means that personal data is handled in a way where names and other direct identifiers are removed and replaced with codes or fake names. However, the person’s identity could still be figured out if the original identifying information is available and linked back to the data. Pseudonymized data is still considered personal data and must follow data protection rules.

 

Legal basis for processing personal data

When you use personal data in your research, you need to have a legal basis for doing so. You will also need to state who is responsible for the research data (the data controller, see below) when planning your study.

Please note that informed consent to participate in a study (see above) is different from the consent used as a legal basis for processing personal data. In practice, this means that you must request separately from the participant:

  • consent to participate in the study, and
  • consent to the processing of personal data, if such data will be processed.

Participants must be informed about their rights and how their personal data will be used in clear, easy-to-understand language. Research participants cannot be required to obtain information about the processing of their personal data and their rights themselves.

In academic research, the legal basis for processing personal data is usually scientific research carried out in the public interest.

 

Special categories of personal data

The processing of special categories of personal data additionally requires a separate legal basis.

List of special categories of personal data:

  • ‘race’ or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • health information
  • trade union membership
  • sexual orientation or behavior
  • genetic or biometric data for identification.

If your data contains special categories of personal data, it is very important that the data is handled responsibly.

Processing sensitive data is generally prohibited unless explicit consent is given by the participant. Explicit consent can be obtained through written statements, electronic signatures, or two-step verification, such as confirming consent via email followed by a confirmation link or code.

Thus, if your study involves sensitive personal data, you must:

  • Clearly inform participants about what data you are processing and identify which data is sensitive.
  • Obtain written consent from the participant for processing this data. Oral or implied consent is not sufficient.

 

Personal data register

Personal data forms a personal data register, and the data controller determines the purpose and method of processing the data and is responsible for ensuring its privacy.

Data controller means the body that determines the purposes and means of the processing of personal data. The data controller for the research study is responsible for decisions regarding its data protection. In theses, where personal data is collected for specific thesis research, the student is usually the data controller (unless, e.g., the thesis research is conducted as part of a larger RDI project).

You must plan the entire lifecycle of data processing:

  • data collection
  • use during the study
  • potential research collaboration and data sharing
  • use in follow-up research
  • anonymization
  • archiving
  • destruction

This plan must be described in a privacy notice [link to a template] before you begin data collection and processing. In the notice, you will need to show to the participants what kind of a lifespan has been envisaged for the research data. For example, you will need to explain what will happen to the research data after the study is completed – will it be archived (and if so, where and for how long), or will it be destroyed.

If you are processing special categories of personal data (see above), the data controller must take special measures to protect participants’ rights and reduce risks to an acceptable level.

One tool for risk assessment and reduction is a Data Protection Impact Assessment (DPIA), which is required when processing could pose high risks to individuals' rights and freedoms. You can also use the DPIA model and tools anytime when planning data processing. See also DMP Tuuli.

 

Information about the processing of personal data for the research participants

The General Data Protection Regulation requires research participants to receive the following information about the processing of their personal data. The table below is published as an appendix in the TENK guidelines:

Information required under the obligation to inform

When personal data is obtained directly from the research participant

When personal data is obtained other than directly from the research participant

Identity and contact details of the data controller

x

x

Contact details of the data protection officer (if named)

x

x

Purpose for processing personal data, sufficiently specific

x

x

Legal basis for processing personal data

x

x

If the legal basis for processing personal data is consent (or special categories of personal data are processed namely on the basis of consent), information about the right to withdraw consent at any time without this affecting the lawfulness of the processing of personal data conducted before the withdrawal

x

x

Legitimate interests if processing is based on the legitimate interests if the data controller or a third party

x

x

Storage period of personal data or if this is not possible, the criteria for defining the storage period

x

x

Personal data categories                  

  

x

Information about whether the personal data was obtained from

  

x

Information about the rights of the data subject

x

x

Information about the right to lodge a complaint with the supervisory authority

x

x

Recipients or category of recipients of personal data

x

x

The necessary information relating to the transfer of personal data to third countries

x

x

Information on whether providing personal data is a contractual or statutory requirement and the consequences of failing to provide the data

x

  

Further reading on personal data in research: