All data related to an identified or (directly or indirectly) identifiable person are personal data. In other words, they are much more than just a name, personal identity code or contact information. Samples and analyses of samples are also considered personal data if they can be linked to an individual via, for example, a pseudonymisation code. Consequently, the processing of samples for research purposes almost always means that research datasets are, by nature, sensitive personal data.
Research at the Faculty of Medicine usually always processes personal data. Personal data are collected from patients and healthy volunteers (e.g., by analysing various samples and taking various measurements as well as using questionnaires) and from different registers. Research is regulated and guided by data protection legislation (GDPR and the Finnish Data Protection Act), special regulations concerning medical research (such as Medical Research Act, Biobank Act, Act on the Status and Rights of Patients), regulations concerning registry studies (Act on the Secondary Use of Social and Health Data) as well as University-level policies and guidelines.
Researchers and their organisations are responsible for the lawfulness and ethical conduct of research. The right to privacy and the appropriate processing of personal data are fundamental rights of research subjects. Legislation provides the framework and guidelines for processing a research dataset and the personal data it contains in compliance with ethical standards. By processing personal data ethically and legally, you will gain the confidence of the research subjects, secure their rights and freedoms, and protect data from unauthorised access. By planning your research carefully in advance and informing the research subjects appropriately of your plans, you will ensure that you will be able to conduct your study throughout its planned life cycle.
In accordance with data protection legislation, research subjects may prohibit the use of their data and receive information on how their data are used. More information on the rights of research subjects is available on the Data protection guide for researchers page.
The secure processing of datasets is part of the implementation of data protection and one of the requirements for receiving a favourable opinion on a research project from an ethics committee. Advance planning and compliance with legislation also secure the researcher’s position if, for any reason, data fall into the wrong hands.
The University of Helsinki and CSC – IT Centre for Science provide researchers with secure storage environments for processing sensitive data.
More information about IT for research is available in Flamma
Some of the research at the Faculty of Medicine is conducted in collaboration with HUS Group or some other healthcare service provider. The cooperation must take into account the practices and guidelines of the collaboration partner in question. You must apply for a research permit from the organisation whose patient data or other data (e.g., samples) you intend to process in your research. The University of Helsinki does not have or use a research permit procedure, but this is a practice often used at hospital organisations. If the research project intends to use registry data in your research, permission for doing so must be obtained in accordance with the Act on the Secondary Use of Health and Social Data from Findata or an individual controller, as provided by law (see section Registry studies). Biobank permissions must, in turn, be obtained from the biobank whose samples you wish to process.
HUS guidelines for researchers (in Finnish)
The University of Helsinki and HUS Group collaborate closely and some of the researchers at the Faculty of Medicine are employed by HUS Group. It is important to note that the University of Helsinki and HUS Group are two separate legal persons. Whenever the University of Helsinki engages in research collaboration with HUS Group (or any other body outside the University), relevant necessary agreements must be concluded with this cooperation partner.
As HUS Group and the University of Helsinki are two separate legal persons, each is responsible for its own obligations. A cooperation agreement and agreements related to the processing of personal data (joint controller agreement and/or personal data processing agreement) will be concluded and other necessary documentation (such as a data protection statement or impact assessment) will be drawn up in conjunction with other documentation. The agreements define the rights as well as responsibilities and obligations of the agreement parties.
The University of Helsinki is not a healthcare treatment unit nor does it have its own patients. If you are conducting research targeting patients, you will need to request a statement from the research ethics committee of the relevant wellbeing services county as well as a research permit from the relevant health care unit (such as the HUS Helsinki University Hospital).
Patients are the responsibility of the treating unit (e.g., HUS Helsinki University Hospital), in which case the patient data controller is the organisation in question. In order for HUS Group patient data to be processed at the University of Helsinki, the required research permits (in registry studies, a data usage permission) must be obtained, and the data can only be processed within the scope of the rights granted by the permits. A research dataset constitutes its own research data file or dataset, and its controller must be determined separately; in other words, it is not the same as a patient data file (e.g., the HUS patient data file). More information on data controller duties is available on Data protection guide for researchers page.
All intervention studies on patients and clinical drug trials research are performed by wellbeing services counties and city of Helsinki, HUS Group and Åland, and their legal counsels can also provide legal support related to such research, if necessary. In the case of commissioned research carried out at HUS Group (sponsored or commissioned by, for example, a pharmaceutical company), a research agreement must be concluded with Clinical Research Institute HUS. Clinical Research Institute HUS coordinates all commissioned HUS Group research as well as certain other research funding.
The use of data originating in the social services and healthcare sector as research data constitutes secondary use of such data stored in the data files of relevant service providers. The collection and processing of such data is governed by the Act on the Secondary Use of Health and Social Data.
Data contained in data files can be obtained with data permits or data requests. In the case of data permits, data is disclosed on individuals (for scientific research), while data requests result in the disclosure of aggregated statistics (for scientific research or development and innovation activities). Further information on Flamma Secondary use of health and social services data in research and Findata website.
The University of Helsinki is committed to the principles of open science and research and operates on the principle that research data are ‘as open as possible, as closed as necessary’. Funders and publishers may also require open access publications or opening of research datasets. Read more about open science.
However, particularly careful consideration must go into the publication and opening of datasets related to research conducted at the Faculty of Medicine. Publications must ensure the protection of the identities of the research subjects. This means that opening datasets might not be at all possible or it can be done only in a very limited manner. This is because datasets may include sensitive information about people and the processing of the material is limited by Finnish special legislation in addition to the General Data Protection Regulation. When making research publications and research data openly available, it is important that they do not contain any unnecessary personal data. More information on opening identifiable information is available on Flamma.
When making data openly available, particular attention must be paid to what information has been provided to the research subjects and what permits or consents you hold regarding the data. The transfer of data outside the EU is also subject to legislative restrictions. Particular care is required when transferring data that cannot be anonymised (e.g., genetic data or samples, especially those containing DNA).
For example, if the relevant publisher (scholarly journal) or cooperation partner requires you to upload your data to a specific database, this is not necessarily permitted by law. Or this reason you should discuss the matter with the cooperation partner or publisher before taking any action. Often publishing metadata and descriptive data is enough.
Before commencing a research project at the Faculty of Medicine of the University of Helsinki, the principal investigator must ensure that all the documents, permits and agreements included in the below checklist have been concluded and granted. In case of a pure registry study, the documents mentioned in sections 4 and 5 are not required (a consent to participate and information sheet on the research project and a statement by the research ethics committee, unless required by the publisher or funder). Templates provided by the University can be used as documents but in collaborative projects templates provided by other organisations are also accepted as long they have been drawn up carefully.