In Europe, data protection has been a common topic since the EU's renewed regulation concerning data protection (GDPR, General Data Protection Regulation) came into effect in May 2018. In Finland, a law concerning personal information in telecommunication is also in effect (also Tietosuojalaki, in Finnish and Swedish). The previous section discussed information security, which is one way to put data protection into practice. By taking care of one's information security, the protection of personal data can be ensured.

Each person has the right to protect their personal information, and the purpose of data protection is to guarantee this right whenever personal information is handled. Personal information may not be handled if there is no legal basis to do so. This means that, e.g., registers containing personal information are not allowed unless there is a statutory right.

Thus the GDPR especially pertains to any registrars, including associations, companies, public authorities and other parties that collect, store and administer personal information. You might come across this topic when starting your thesis. Many theses require collecting information that is considered personal.

Personal information means any information that can be associated with a single person. Some examples are:

  • name
  • address
  • email address that identifies a person
  • phone number
  • passport identification number
  • car register number
  • patient information
  • location data of a cell phone

A company registration, a non-identifiable email address, or any anonymized data is not considered personal information. This means that anonymization of data can be used in research that does not require the participants to be identified later on. Anonymization means that all personal information is removed and the data can no longer be associated with a single person. Note that removing, e.g., the name and address is not enough if there is other information that can be combined to identify the person in question. Such a situation might be encountered, e.g., if the research deals with an uncommon disease. Thus the data always needs to be considered as a whole, and the methods of anonymization applied based on this consideration.
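The check described above, as an added example that is not part of the original page: it counts how many records share each combination of the remaining attributes and reports the smallest attribute sets that single out fewer than k people. The records, the column names and the threshold k=2 are constructed assumptions.

```python
from collections import Counter
from itertools import combinations

# Constructed sample records (not real data); names and addresses already removed.
RECORDS = [
    {"municipality": "Helsinki", "birth_year": 1990, "diagnosis": "asthma"},
    {"municipality": "Helsinki", "birth_year": 1990, "diagnosis": "diabetes"},
    {"municipality": "Helsinki", "birth_year": 1985, "diagnosis": "asthma"},
    {"municipality": "Tampere", "birth_year": 1990, "diagnosis": "diabetes"},
    {"municipality": "Tampere", "birth_year": 1985, "diagnosis": "asthma"},
    {"municipality": "Tampere", "birth_year": 1985, "diagnosis": "diabetes"},
    {"municipality": "Tampere", "birth_year": 1985, "diagnosis": "uncommon disease"},
]
COLUMNS = ("municipality", "birth_year", "diagnosis")


def small_groups(records, columns, k):
    """Return {value combination: count} for combinations shared by fewer than k records."""
    counts = Counter(tuple(r[c] for c in columns) for r in records)
    return {combo: n for combo, n in counts.items() if n < k}


def minimal_identifying_sets(records, columns, k=2):
    """Find the smallest column sets whose values single out fewer than k records.

    Every subset of columns is tried, smallest first, because attributes that are
    harmless alone can identify a person once they are combined.
    """
    found = {}
    for size in range(1, len(columns) + 1):
        for subset in combinations(columns, size):
            if any(set(prev) <= set(subset) for prev in found):
                continue  # a smaller subset already singles someone out
            groups = small_groups(records, subset, k)
            if groups:
                found[subset] = groups
    return found


if __name__ == "__main__":
    for cols, groups in minimal_identifying_sets(RECORDS, COLUMNS).items():
        for values, n in groups.items():
            print(f"{cols} = {values}: shared by only {n} record(s)")
```

Here neither municipality nor birth year is identifying alone, but together they are, and the uncommon diagnosis singles out one person by itself.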

A person always has the right to know what information is stored in a register. Incorrect or inadequate information must be corrected and unnecessary information removed. The same applies in all EU countries, which means that one can check his or her information, e.g., in a foreign online shop's consumer register, if needed.

Any personal information must be handled according to law, confidentially and safely. Data must only be collected for a specified use and only to the extent needed. Any incorrect data must be corrected or removed, and the data may be stored in an identifiable form for as long as it is needed (e.g. as long as a research project is conducted). The registrar must state for what purposes the information is gathered, and how it will be handled and stored. The registered person must get a comprehensive view of how the information is managed. E.g., when conducting research, a privacy policy statement should accompany the questionnaire or other documents, describing the scope of the research, what information is needed, and who will be able to handle the information and how. By signing an informed consent form, the person permits the information to be collected and used according to what was described in the document.

More about data protection from the Office of the Data Protection Ombudsman.

Think it over! Which registers contain your personal information? Take a look at the website of one of these parties and see if you can find its privacy policy statement.