According to Article 8.1 of the PDA, personal data shall be processed only if the data subject has unambiguously given his or her consent. The consent must be a voluntary, detailed and conscious expression of will. The main rule is that personal information is always collected with the consent of the data subjects. Consent can be given orally, in writing or by behaviour (e.g. responding to a questionnaire) (TENK: Ethical principles of research in the humanities and social and behavioural sciences and proposals for ethical review). A written consent is however seen as a guarantee that the consent can later be verified (Lehtonen 2004). If research intervenes in the physical integrity of subjects, consent must always be given in writing or in some other certifiable way, unless this is contrary to the interests of subjects (TENK: Ethical principles of research in the humanities and social and behavioural sciences and proposals for ethical review).
There are separate requirements in the PDA for the processing of sensitive personal data and personal identity number. The Act sets up a general prohibition to the processing of sensitive data (cf. Section 11). Relevant within research, the prohibition does not prevent the processing of sensitive data with the express consent of the data subject, or the processing of data for purposes of historical, scientific or statistical research (cf. Section 12.1 number 1 and 6). (See also Exemption from consent.)
The provision of derogations from the prohibition to process sensitive data also states that the data shall be erased immediately when there is no longer a lawful reason for the processing. The reason and the need for processing shall be re-evaluated at five-year intervals at the longest (cf. Section 12.2).
Regarding personal identity number, the Act states that this may be processed based on the unambiguous consent of the data subject, or if it is necessary to unambiguously identify the data subject for purposes of historical, scientific or statistical research (cf. Section 13.1.3).
The legal age of consent
The National Advisory Board on Research Ethics has called for the legislation to be clarified with regard to research involving minors. The Board, however, points out that in practice, it cannot be assumed that researchers should always request separate consent from a guardian when research involves minors. Among others, the Board emphasizes that children should be able to influence matters pertaining to them to a degree corresponding to their level of development. Further, requesting the guardian's consent may endanger the collection of comprehensive research data on the conditions and behaviour of minors, thus restricting the freedom of science (TENK: Ethical principles of research in the humanities and social and behavioural sciences and proposals for ethical review).
Obligation to provide information
When collecting personal data, the data controller shall provide the following information to the data subjects (cf. Section 24):
· The purpose of the processing of the personal data.
· The regular destinations of disclosed data.
· How to make use of his rights relating to the data processing.
This information must, except in certain exceptional circumstances, be provided at either:
· The time of collection and recording of the data.
· If the data is not obtained from the data subject and is intended for disclosure, at the time of first disclosure of the data at the latest.
Exemption from consent
The processing of sensitive data or personal identity number for research purpose is, as mentioned above, pointed out as an alternative to consent in respectively Section 12.1.6 and 13.1.3. In addition, chapter four of the PDA concerns the processing of personal data for special purposes, including “purposes of historical or scientific research” (cf. Section 14.1). The following criteria apply for the processing without consent for this purpose:
· the research cannot be carried out without data identifying the person and the consent of the data subjects cannot be obtained owing to the quantity of the data, their age or another comparable reason;
· the use of the personal data file is based on an appropriate research plan and a person or a group of persons responsible for the research have been designated;
· the personal data file is used and data are disclosed therefrom only for purposes of historical or scientific research and the procedure followed is also otherwise such that the data pertaining to a given individual are not disclosed to outsiders; and
· after the personal data is no longer required for the research or for the verification of the results achieved, the personal data file is destroyed or transferred into an archive, or the data in it are altered so that the data subjects can no longer be identified
In principle, the Data Protection Ombudsman has the possibility to check that the extent of exposure is truly necessary for the purpose of the processing (Lehtonen 2004).
The processing of personal data for statistical purposes is also specified as a special purpose, in which data may be processed without consent if (cf. Section 15):
· the statistics cannot be compiled or the underlying data requirements fulfilled without using personal data;
· the compilation of statistics is an activity in where the controller is engaged; and
· the file is used for statistical purposes only and data are not disclosed in a way allowing for the identification of a given individual, except where the data are disclosed for official statistics
The duty of providing information to the data subjects may be exempted if (cf. Section 24.2):
· the data subject already has the relevant information, or
· when data is collected from other sources than the data subject, if information would be impossible to give, or would involve a disproportionate effort
Lehtonen. L.2004. The Implementation of EU Directive 95/46/EC and the Protection of Sensitive Health Data in Medical Research in Finland. In: D. Beyleveld, D. Townend, S. Rouille-Mirza and J. Wright, ed. 2004. Implementation of the Data Protection Directive in Relation to Medical Research in Europe. Ashgate. pp. 87-95.
National Advisory Board on Research Ethics, 2009. Ethical principles of research in the humanities and social and behavioural sciences and proposals for ethical review [pdf]. Available at: <http://www.tenk.fi/sites/tenk.fi/files/ethicalprinciples.pdf> [Accessed 9 September 2014].
The Personal Data Act, 1999 [pdf] Available at: <http://www.finlex.fi/fi/laki/kaannokset/1999/en19990523.pdf> [Accessed 10 September 2014].