The GDPR and E-lomake
The new General Data Protection Regulation (GDPR) [Wikipedia] of the European Union significantly improves the rights of EU citizens to all personal data about them that has been stored in digital systems and which is personally identifiable. This also affects every IT-system at the University of Helsinki that collects personally identifiable data. All individual forms within E-lomake have the potential to contain their own person registry.
All data collected with E-lomake is stored securely on the University’s own servers but the system lacks some of the logging requirements on personal data that the GDPR brings, so it is not meant as a means of collecting sensitive personal data at all (which has in fact always been the case). Now this requirement is more strongly worded in the instructional material.
Personal data consists of all records concerning an individual or his/her personal attributes or life circumstances that can be identified with him/her or his/her family or those living in the same household, like for example the personal identity number, contact information, study information, relationship status etc.
Sensitive personal data is, for example, information concerning race and ethnicity, social activism, political or religious beliefs, criminal acts, health, sexual preference or social care needs. Handling sensitive personal data needs to be grounded by a legal requirement.
What to do if you have e-lomake forms collecting personal data?
- Concerning all forms that collect personal data: 1) review and remove access rights to forms from persons who do not absolutely need that access 2) Do not collect any personal information that is not strictly necessary to the function of the questionnaire. For example, don’t ask for the respondent’s personal number or address information unless you are really going to use it or can get the information from other systems such as Oodi.
- If you have forms that collect personal data (non-sensitive) and are no longer in use, please remove saved answers from them (you can export the data as an excel-file, for example, and store that file in a place suitable for storage of personal information for the amount of time needed – then remove the data from there as well) and delete old forms from eating server space if they are obsolete.
- If you have forms that collect personal data and are in active use, like forms for registering to events, you may continue to use e-lomake (you can export the data as an excel-file, for example, and store that file in a place suitable for storage of personal information for the amount of time needed – then remove the data from there as well). However, do remove saved data as soon as possible. If you have more personal data collected than the usual name-and-e-mail address -combination – for example, also including telephone numbers and home addresses – but the additional information is not sensitive in nature, and the registry continually grows with data of new people being added, please make plans for switching to another system, and take action at the latest when the University’s recommendation for a new system is available.
- If you have forms that collect personal sensitive data, please remove all saved answers before 25.5.2018 (you can export the data and store it in a place suitable for storage of sensitive personal information) and if the need for collecting the data continues, please start using a system that is suited for this type of data collection. If you have a scientific study linked to the survey form, complete the study first but immediately as it ends transfer all saved data away from the form in excel- or SPSS-format, for example, and remove the data from the e-lomake form. Studies that by necessity combine personal data with the research data should always use an anonymizing identifier code on the study form itself, and store the registry that combines the identifier code with the personal data in a separate place.
Data protection guide for researchers (Uni. Helsinki account required): https://flamma.helsinki.fi/en/HY375934
If you know of forms that could be problematic and cannot delete saved answers from them yourself due to missing rights, please contact the e-lomake support at the Educational technology services: firstname.lastname@example.org
If you have questions or problems concerning information security and processing personal data with your e-lomake survey, please contact the Information Security Group at the Center for Information Technology: email@example.com
An information security page to all the people at the University of Helsinki has been published in Flamma, complete with commonly asked questions and contact information: https://flamma.helsinki.fi/fi/HY365467
The information provided on this page may change and update without further notice in order to adapt to the current view regarding the influence of the GDPR on the University of Helsinki’s E-lomake installation. All rights reserved.