Who is the controller and who is responsible for the processing of personal data
The controller is the one who is responsible for processing personal data. The controller defines the purposes and means of collecting and processing personal data. For theses, this is usually the student jointly with the university. When writing a thesis, personal data is processed for the purposes defined by the student and with the means decided by the student. However, theses are carried out as part of university studies, and in some cases the thesis supervisor may influence decisions on what personal data is collected and what methods are used. Therefore, the student and the university are jointly responsible for personal data.
Although students are mainly responsible for the daily activities of processing personal data, supervisors' task is to support and guide students in the processing of personal data. The University has an important role in informing students about the responsible and legal processing of data. This means that supervisors should explain matters relating to the processing of personal data before students begin work on their thesis.
As an exception to the joint controllership, the University of Helsinki serves as the controller of personal data if the thesis is completed under an employment contract with the University and/or as part of a research project at the University. The University may also be considered the controller of personal data on a case-by-case basis if the person conducting the research does so under the close supervision of, or in a close relationship with, the University (the University has played a deciding role regarding the processing of personal data).
If the completed thesis contains personal data, the University of Helsinki is the controller of personal data after the thesis has been submitted to the University for assessment and archiving.
Main legislative points to consider
Recognise roles: Who is the controller of the data file (usually the student jointly with the university), and who are the data subjects?
Define the purpose of processing personal data as well as the personal data required:
- What is the topic of the thesis, and why are personal data collected?
- Which data need to be collected (minimise the amount of data collected)?
- Define the purposes of using data in advance: must personal data be included in the end result of research, i.e., the thesis?
- Is it possible that there will be interest in using the data later, for example, for other research purposes?
Define the legal grounds for processing personal data:
- Master’s and equivalent theses: The processing of personal data is based on public interest (“scientific research carried out in the public interest”).
- Lower-level theses: The processing is based on consent (if data is collected directly from the research subject) or legitimate interest (if data is collected from other sources). If the legal basis is legitimate interest, an interest balance test must be carried out, assessing the benefits of the research and the potential negative effects on the research subject due to their participation in the research.
Consider how to minimise potential risks to data subjects, for example through pseudonymisation of data, minimisation of collected data, restriction of storage periods, and use of secure services and systems.
Inform data subjects: A link to the data protection statement template can be found in the data protection guidance for researchers (Flamma).