Files can be exported to or moved from the project according to certain principles. Read the following instructions on the output checking procedure and data protection carefully.
It is possible to export the researcher’s own files to FIONA. The export of datasets is made by the Research Services. The researcher cannot move files to FIONA.
Send the files to be exported to FIONA to the Research Services at tutkijapalvelut@stat.fi. If the file contains research data, give the source of the dataset in the contact message. The files are checked in the Research Services before being exported to FIONA.
Exporting datasets to FIONA may require updating of the user licence.
Data concerning an individual person or enterprise must not be identified from files or tables. Data with a disclosure risk must be protected by planning the contents of outputs to be acceptable for data protection, for example by using sufficiently rough classifications.
Cells containing a disclosure risk can be protected in the table
When selecting the protection method of a table, efforts should be made to find a method that sufficiently protects the table but retains the features important for its intended use as well as possible.
Changing the structure of the table means controlling the number of variables or changing the classification. By changing the classification, the cells with a risk of disclosure are removed from the table by combining the categories containing them with other categories in the table. In practice, changing the classification usually means that the whole classification becomes less detailed.
Cell suppression includes primary suppression of cells with a risk of disclosure and secondary suppression. Secondary suppression ensures that the values of primarily suppressed cells cannot be disclosed by means of table row or column totals. Suppression can also be made specifically for each row. If only a small number of statistical units belong to a particular row total of the table (fewer than the used threshold value), the row is suppressed in total without regard to the number of statistical units in its different cells.
Further information about the data protection methods can be found in the materials of the Remote access to research data online guide.
Research outputs and other material may be exported from the system only through a checking process. The checking ensures that no individuals or enterprises can be identified from the published data.
The number and size of files containing outputs must be kept reasonable. In practice, a reasonable number means only a few individual files that are meant to be published, not dozens of different versions or long log files intended for comparison by a group of writers, for example.
To export outputs from remote access use, open the Output check icon on the FIONA desktop. Fill in the opening form where you describe which material you intend to export from the remote access system. After this, the outputs are either checked manually in advance or if you are subject to random checks, you can receive the outputs directly to your email.
All outputs of new users are checked in advance. The probability of being subject to random checks rises when the user experiences approved consecutive preliminary checks. To avoid unnecessary rejections, all additional information affecting checking of the outputs should be written on the output checking form.
If there are breaches or errors in the output checking request or if the requested data are not described on a sufficient level, the Research Services may reject the output checking request. Then the streak of the user’s approved requests breaks, and the random checking procedure will be reset to preliminary checks. The sanction for serious and repeated breaches is removal from the random checking procedure and other measures resulting from data protection breaches.
If you are unsure about the data protection of the output, please contact the Research Services already before asking for the output to be exported from the system. The contact and advance assessment of the output's data protection do not affect how quickly the researcher can be subjected to random checks but it may reduce the occurrence of unclear situations.
If you intend to request outputs from FIONA that are based on datasets according to Findata's user licence, the Findata form must be appended to the output checking request. The form can be found in FIONA and on Findata's website.
Fill in on the form
Statistics Finland and Findata cooperate in monitoring the output checking requests, so the requested outputs from FIONA do not need to be delivered afterwards to Findata for checking, but it is sufficient to fill in the form properly.
The researcher is responsible for the data protection of their research outputs. The researcher must ensure that the outputs requested to be exported from the remote access system do not contain unit-level datasets or the possibility to disclose data concerning an individual observation.
Consideration should be applied when exporting outputs from the remote access system. Only outputs intended to be published should be exported from the system. The contents of the tables and graphs should be in the same format in which they are meant to be published. Outputs that cannot be published due to data protection cannot be exported from the system.
The outputs must show the numbers of observations used in calculating tables, images, key figures, etc. If data that deviate from the data protection guidelines are to be exported from the remote access system and data concerning individuals cannot be disclosed, the Research Services must be contacted before making the output request.
By means of the MOOC online course you can practise your data protection skills. The course is especially meant for users of the remote access system. The password is huonedata.
The Remote access to research data online guide provides further information on remote access use of research datasets and the SISU microsimulation model and data protection. The course also contains examples of the protection of tabular datasets.
The following gives instructions and rules for ensuring the data protection of various output types. Because there are many different research projects and different output types, the data protection of each dataset and output cannot be assessed and instructed separately. It is therefore necessary to lay down the general “rules of thumb”.
In respect of some of Statistics Finland’s datasets and datasets released for research use by other authorities, data protection guidelines may differ from the rules presented below. These deviating rules can be found in the dataset descriptions in the data catalogue and if necessary, they are also recorded in the user licence decision. If researchers are unsure about the data protection of some output or wish to ask for clarification of the given instructions, they should contact the Research Services (tutkijapalvelut@stat.fi).
It is common for all output types that the disclosure risk of the observations underlying the outputs is usually lower if the used dataset is only a (random) sample of the total dataset. However, the lower disclosure risk possibly caused by sampling does not mean that the protection rules presented in these guidelines could be automatically relaxed for outputs produced from sample datasets. If the risk of disclosure of an observation has to be assessed case-specifically in some output (e.g. if the distribution parameter is revealing or whether the observation behind an individual image point can be identified from the image), then the use of the sample has an effect on the assessment.
It should be noted that the total dataset does not always mean only all persons resident in Finland or all enterprises operating in Finland. From the perspective of data protection and when assessing the disclosure risk of observations, all enterprises in a certain industry, for example, form a total dataset rather than a sample dataset, because it can generally be concluded whether an individual enterprise belongs to a “sample” that is limited to cover all enterprises in a particular industry.
Aggregated data in table format may contain personal data, enterprise data or both. For example, both the person and enterprise levels must be protected in employee-employer datasets. Data describing occupational groups may also indirectly contain business data if (nearly) all persons belonging to a specific occupational group are employed by only one (monopoly) enterprise, in which case the data protection of that enterprise must be ensured.
The number of cell-specific observations must be visible in the tables, as must the number of observations used in calculating estimates and parameters. The main rule in the protection of tables containing both enterprise and personal data is threshold value 3. In other words, data from a table cell or observation group may only be published if they are based on at least three (unweighted) observations. Data on the number of observations may not be published for small cells or groups either. More detailed instructions on protection methods are given in a separate section later on in the text.
The use of the threshold value rule as the main rule is the easiest way to calculate the disclosure risk of individual observations possibly directed to the tables to be published. Identifying an observation as the only or rare case in its group may increase the risk of identifying the observation and/or reveal additional information about it (e.g. by means of other tables and outputs concerning the same dataset or topic). For this reason, the threshold value should be applied even if only numerical data are published in the table.
In addition to the above-mentioned main rule, the following rules must be considered:
The publication of coordinate or grid data is subject to special conditions: No entire grid dataset may be published. Data based on grids can be exported from the remote access system and published when there are at least 10 observation units in the grid. The released data must be aggregated to a larger area level, proportioned or otherwise processed so that persons and household-dwelling units cannot be identified.
The minimum and maximum are usually connected to one observation, so they cannot usually be published. For example, the largest enterprise in an industry can usually be identified, so the connected maximum turnover data cannot be published. If the minimum or maximum cannot be linked to an individual observation and the threshold value is realised, they can be published.
Distribution parameters (excl. minimum and maximum), such as deciles, form an exception of tables where the number of observations left in between the distribution parameters correspond with the cell frequencies. If these numbers exceed threshold value 3 applied in the tables, the distribution parameters can be published.
Modes can be published if (nearly) all observations do not get the same value.
Means, ratios and higher moments of distribution (e.g. variance) can be published if at least three observations have been used in their calculation.
When publishing shares, threshold value 3 must be realised for all groups forming shares. In other words, if you want to publish, for example, that women's proportion of the total population is 58 per cent, that 58 per cent, as well as men's 42 per cent, must include at least three persons. Therefore, it is not enough that the total population includes at least three women and men.
Index point figures, correlation multipliers and test aggregates (t, F, Χ², etc.) can usually be published if at least 10 observations have been used in their calculation.
The regression model can be published as a whole if the model is based on enough observations (at least 10) and the model does not depict a time series based on observations of one enterprise or person. Individual coefficients of the model can usually always be published.
The numerical results of more complex statistical models can usually always be published if the model is based on enough observations and the model does not describe a time series based on observations of individual enterprises or persons.
Like numerical outputs, images may not disclose data of a single observation and the numbers of observations behind the images must also be noted in the output. Images drawn based on the dataset are permitted if a single image point or a part of the image cannot reveal the underlying individual observation.
Bar charts and other images used to present a classified dataset are typically accepted for publication as long as each category has enough observations. The information of such an image can usually also be presented in table format and the same data protection rules can be applied to it as to other tabulated datasets (see Frequency and magnitude tables).
Distributions, histograms or cumulative distribution functions that have been adjusted from distribution charts or are presented at a sufficiently crude scale are allowed. Some distribution charts may contain data on deviating observations or outliers, which may, case by case, reveal data on an individual observation. Software drawing functions often automatically mark deviating observations in box plots, for example. Images identifying deviating observations are not suitable for publication unless the researcher can well justify that the deviating observations recorded in the image cannot be identified.
Scatter plots are typically used to show the values of two continuous variables. As a rule, the dots of the scatter plots describe the data of an individual observation, which means that they are trickier in terms of data protection than the previous image types. When assessing the data protection of scatter plots, special attention should be paid to the nature of the dataset, for example, in relation to the size of the sample, the sensitivity of the data and occurrence of deviating observations. The scatter plot does not meet data protection requirements if data on the largest enterprise in an individual industry can be directly seen or easily inferred from it. The data protection of the scatter plot can be improved by classifying the underlying dataset so that there are several observations underlying one point in the scatter plot. An alternative way to reduce the disclosure risk of units in some cases is to add “jittering” to scatter plot points.
The file format of outputs, especially images, must be such that there is no risk of disclosure of unit-level data. It must be possible to open the file for examination with the tools found in FIONA. Image formats suitable for checking include:
In Stata software, the above-described image formats can be created with the graph export command. In SPSS software, the image format can be selected in the Export output function. In R software, information about the drawing function is available with the command help(grDevices). Certain image types, like Stata gph files, as a rule save the material used for drawing the image, which means that they are not necessarily suitable for checking and exporting.