Both Statistics Finland and researchers are responsible for the data protection of research datasets.
Statistics Finland may release or grant permission to use confidential data collected for statistical purposes for scientific research and statistical surveys on social conditions. The right to release data for research use is based on Section 13 of the Statistics Act (280/2004).
Individual statistical units, such as individuals or enterprises, cannot be directly identified from datasets intended for research use. However, certain data may be released with their identification data.
Data may not be used in an investigation, surveillance, legal proceedings, administrative decision-making or other similar handling of a matter concerning an individual, enterprise, corporation or foundation.
The implementation of the rights and freedoms of data subjects in the processing of personal data is safeguarded by the EU's General Data Protection Regulation (EU 2016/679) and the national Data Protection Act (2018/1050) supplementing it.
Data on causes of death (data derived from death certificates) can be released to an organisation with identification data by virtue of the Act on the Openness of Government Activities (621/1999) and data on age, sex, education, occupation and socio-economic group by virtue of Section 19 of the Statistics Act (280/2004).
The persons concerned or their relatives may not be contacted on the basis of data released with identification data (Section 19 of the Statistics Act or documents concerning the establishment of cause of death). The condition for releasing data is that disclosure of data in identifiable form is necessary for the research and a data protection description concerning the dataset must be submitted to Statistics Finland for viewing (account/description of the processing of the dataset).
Interview-based research datasets in which the possibility for indirect identification has been removed can also be released to an organisation.
Research use of Statistics Finland’s unit-level datasets requires a user licence.
Only the person who has been granted a user licence is permitted to use the datasets subject to licence and the datasets can only be used for the purpose accepted in the decision on user licence. The licence must be valid throughout the processing time of the datasets.
Use violating the user licence terms or a breach of the rules has an effect on the rights of the organisation and/or researcher to obtain a user licence for Statistics Finland's datasets in future.
Each researcher handling unit-level datasets must sign a pledge of secrecy. The researcher pledges not to disclose information subject to the obligation of secrecy to outsiders. Researchers must not use confidential information for personal or another person’s gain or to injure another person.
There is a statutory penalty for violating the provisions on secrecy, non-disclosure and prohibition of use concerning use of data, which may be a fine or a sentence of imprisonment of at most one year.
When Statistics Finland releases confidential data for research use by virtue of Section 13 of the Statistics Act, the recipient of the data becomes the controller of personal data. Obligations set out in legislation concerning the processing of personal data apply to the controller.
Although a statistical unit cannot be directly identified from the data, indirect identification is possible. It is therefore de facto release of personal data.
Statistics Finland is responsible for the data protection of the datasets prior to their release for research use and for the data security of the remote access environment.
When the dataset is released for use in a research project, the researchers of the project as the controller are responsible for the data protection of the dataset they have in use. The dataset and the unit-specific data contained there must not be disclosed to outsiders when the dataset is processed or results are published.
Everyone using research datasets should familiarise themselves carefully with the data protection of datasets. To help familiarisation, the following are available:
How should data protection be considered when you are processing confidential data in the FIONA remote access system? Familiarise yourself with the topic by completing the data protection training. The training will take around 45 minutes. The password for the training is huonedata.
Under the data protection legislation, a data protection impact assessment (DPIA) must be carried out on research data when applying for extensive data belonging to special categories of personal data or data on criminal convictions and offences for research use. An impact assessment should also be carried out if the research project requires combining of data sets containing personal data and their extensive processing.
Special categories of personal data include data concerning
A data protection impact assessment or grounds for why it is not needed is required as an appendix to the application for licence to use research datasets.