Theses fall into the research category, which is why all sections of the Data protection in research page should be followed. This page summarises the issues that typically should be remembered on data protection in a thesis.

The EU General Data Protection Regulation (GDPR) and the Finnish Data Protection Act should be followed in theses.

Planning the processing of personal data

When planning a thesis, it is important to consider issues such as the following:

• See the instructions: What is personal data and specific (sensitive) personal data
• Which information needs to be collected to answer the study questions
  • Would it be possible to remove personal data (anonymisation) from the material or convert it to anonymised data using, for instance, codes preventing identification (pseudonymisation).
  • Only collect information relevant to the study question.
  • Be careful when processing personal data.
  • Assess whether there is a need for an impact assessment
• What tools do you use to collect and process information?
  • For instance, you might want to use a Webropol or another solution compliant with the data classification instructions. If you use systems other than HAMK systems in your thesis, you should ensure appropriate data protection and conclude appropriate agreements .
• How long should you preserve the material and how is it destroyed or archived?

Informing study participants

It is important to prepare a data protection notice for the participants in the study in accordance with the Informing the data subject instructions. Typically, the student acts as the controller for the thesis. The processing may be based on, for instance, consent.

Further information

• https://digipedaohjeet.hamk.fi/kb/tietosuoja/ and particularly https://digipedaohjeet.hamk.fi/ohje/data-protection-in-research/?lang=en
• HAMK thesis guidelines
• Tietosuojavastaava@hamk.fi