« Back

Data Protection and Thesis

Are you starting a thesis? Great job! Some theses carry out surveys, interviews or otherwise process people’s personal information. Before you start your thesis, it is a good idea to consider what this means for your thesis.

When you take privacy into account, you demonstrate a professional approach and knowledge of privacy issues in your own substance area. The purpose of data protection legislation is to prevent personal data from getting into the wrong hands or being misused.

The background to data protection is the European Union Data Protection Regulation (the so-called General Data Protection Regulation – GDPR) and the very Finnish Data Protection Act (1050/2018).


It’s easy to figure out that name, social security number, and contact information are personal data, so you must always take privacy into consideration when handling them. However, there are many things that are not immediately considered personal data. Here are some examples for you to consider:

  • Name or other identifier (student ID, social security no, etc.)
  • Email if it contains a name or student ID.
  • Personalized health information (eg dental chart)
  • A photo that identifies the person
  • Vehicle registration number, other machine / equipment unique identifier that can be assigned to the owner
  • List of hereditary diseases of grandparents
  • Tracking data
  • IP address
  • Veterinary records, which of course show owner information

Then, combining the following information may form personal data which identifies a person:

  • Age
  • Sex
  • Domicile (Home town)
  • Place of birth
  • Workplace
  • Professional status
  • A field of study
  • An identifier that links, for example, the service to a specific person.

For example, even if someone is 24 years old, is not such personal data, which can identify someone, but if it is combined with other information, for example, a 24-year-old woman working in a male-dominated workplace x may be personal data, which identifies a person if no other person fulfills the same criteria.

And even if, you are NOT asking for personal data but you use mail or other contact list, please note that the list of email addresses or contacts may contain personal data and means that you are processing personal information.


Data protection legislation does not prevent the processing of personal data. After all, we need to be able to reliably identify other people. Neither does privacy prevent the disclosure of personal data. Even if you are interviewing the CEO of Company X Inc., you should be able to tell her/his name if the person is a representative of the company.


If you are conducting a survey and you do not know in advance whether the answers will include personal data, you should prepare as you it would. Principles of statistical research are based on the fact that groups of less than five respondents are not treated. So if you get a 68-year-old male midwife as a respondent in your survey, the analysis would fade the identifiable person away. You should inform the respondents in advance how you process data, so also respondents can be sure they cannot be identified from the report.

If you do not know in advance whether your answers will contain personal information, it is a good idea to be prepared. Be careful to define background variables. More background variables you ask, more likely it is that personal data will be generated. Ask only the background variables you really need.


Consider beforehand whether you will anonymise the interviewee and how you will do it, or whether the interviewee will appear in the study under their own names or, for example, as representatives of their organization.

The interviewee must know where and how to you store the interview material. Although it is agreed that you use interviewee’s name, you must take care that unnecessary background information does not fall into the wrong hands. Particularly important data protection is if interview material may lead to problems for the interviewee, for example, health and job satisfaction interviews.


There is a wide variety of health data, e.g. dental charts, genetic information and others that identify a person. Information that someone has visited hospital might be sensitive information, even without any other data such as why. It is a good idea to discuss regarding such data with your supervisor and with the hospital.


If you have received a list of contacts from your thesis client, you can use them to contact respondents. However, when contacting them, tell where you received the information. You should also agree with the owner of such data how and when you destroy the contact data. You should not leave data on your email or otherwise in your own files.


If you want to use pictures of individuals in your thesis, you should agree with them. If you are photographing in an event and there are several people in the picture, it is good practice to inform participants that pictures will be taken and they may be published in your thesis. It is a good idea to give participants the opportunity to stay away from the pictures. Take special care when photographing children and find out in advance whether you need parental consent to take pictures and publish.

If publishing your photos is related to journalistic, academic, artistic, or written expression in Section 27 of the Privacy Act, you may want to read this section better.


Usually, you can trust that if you refer to public material where names and other personal data has been published, you are also allowed to use personal details. For example, all authors of PUBLICATIONS you refer.

However, there is also public material, you should be more careful. For example, legal cases or other related information. If you refer to a legal case, even if the Supreme Court papers show the name of the person who is the party of the case, you can refer to the case and the person, even by using a letter X, if it is not for some reason necessary use names or other personal data.


If you handle personal DATA (that is, other than the names and publications of books and article writers), you should plan how you will inform those, whose data you are processing. It’s a good idea to include this in your thesis plan.

If you have a client to your thesis, informing might be their responsibility and sometimes it is up to you. This must be agreed in the thesis contract. The easiest way to communicate your privacy is to provide privacy information for your thesis. There you can tell how and why you collect information, how you process it and who have access to it (whether the supervisor or client) and how long you store it.


As a rule, the thesis agreement should not be included in the annexes of the thesis, nor is the research permit form as such. However, if these are to be included in the thesis for one reason or another, they should cover the contact details of individuals and any personal identification numbers. If the thesis is remunerated, also consider carefully whether you want it to appear in the contract attached to the thesis.


If you handle personal data in your thesis, it is a good idea to describe in your report how you took this into account. Discuss privacy with your client and supervisor. If, even after that, you encounter problems that you cannot solve together, you and your supervisor can ask for advice at: tietosuoja@oamk.fi

Good luck with your thesis!

« Back

This article was published in these categories: [:fi]saavutettava ohje[:en]accessible guideline[:], English version available, Uncategorized, Oamk , GUIDELINE, Bulletins & Guidelines, for students.Add a permalink to your favourites. Follow comments to this post with a RSS feed. Post a comment or leave a trackback: Trackback URL.
Log in to comment this article