Processing of personal data in the development of operations
Background for the instructions
The processing of personal data related to the development of operations is described here. The processing of personal data in the study is dealt with in the Data protection in research text.
Built-in data protection
Data protection and data security must be built into the solutions. In practice, this means that these issues are taken into account from the planning stage of the solutions onwards. Data security and data protection cannot be added to an implemented solution at the end. It is recommended that you contact the Information Management already during the idea generation phase. For instance, the principles of processing personal data are available in a short check list for personal data processing.
Personal Data Processing Agreements (DPA)
If the controller uses, for instance, subcontractors or partners to process personal data, the necessary agreements must be concluded. A more detailed description of this is available at . An agreement must be concluded, for instance, if personal data is processed in the cloud services.
Whenever personal data processing is related to development, it should be assessed according to the instructions at https://digipedaohjeet.hamk.fi/data-protection-impact-assessment/ whether there is a need for an impact assessment.
Informing the data subject
If there are changes to the processing of personal data through development measures, the impact of these changes on the provision of information to the data subject should be examined. HAMK’s existing data protection notices are available at https://www.hamk.fi/tietosuoja/ and https://www.hamk.fi/privacy-policy/?lang=en. If existing data protection notices do not cover the solution planned, more detailed instructions for informing the data subject is available at https://digipedaohjeet.hamk.fi/data-protection-informing-the-data-subject/.
Other principles related to the processing of personal data
Personal data relevant from the perspective of research is collected
Whenever possible, research material is processed as anonymised or pseudonymised data. However, pseudonymised material remains personal data. Additional information on this is available for instance at https://www.fsd.uta.fi/aineistonhallinta/en/anonymisation-and-identifiers.html. In international research projects, it is particularly important to anonymise the material if the material is processed outside the EU / EEA.