Sensitive data and GDPR
What type of data is sensitive?
Sensitive data is classified information that must be protected from unauthorized access. Sensitive data can be accessible to outside parties ONLY with expressly granted permissions. The main types of sensitive data are human, ecological (e.g. location of endangered species), and confidential data.
Sensitive personal data is any data that reveals:
- personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs,
- trade-union membership,
- genetic data, biometric data processed solely to identify a human being,
- health-related data,
- data concerning a person’s sex life or sexual orientation.
Sensitive personal data is subject to specific processing conditions according to the GDPR.
To learn more, see: Definition of Sensitive Data
What is personal data?
Personal data is any information related to an identified or identifiable living individual. Personal data can also be different information that can lead to the identification of one person when collected together.
Examples of personal data are:
- a name and surname;
- a home address;
- an email address;
- a social security number;
- location data (for example, the location data function on a mobile phone);
- an Internet Protocol (IP) address;
- a cookie ID.
What is the difference between sensitive personal data and personal data?
Sensitive personal data is a specific set of “special categories” of personal data that must be treated with extra security. To learn more, see: Definition of Sensitive Data.
What is the GDPR?
The General Data Protection Regulation is a European Union (EU) data privacy and security law that regulates the management and processing of personal data.
It defines:
- what is personal data
- what is data processing
- what are the roles of all the parties involved (Data Controller, Data Processor, Data Subject)
- key principles that regulate EU data protection
Any organization that stores or processes personal information regarding EU citizens is obliged to comply with the GDPR.
What are the roles of CSC and its service users under GDPR?
In GDPR terms, CSC is always a data processor acting on behalf of a data controller. GDPR also requires that this relationship be established in writing. Therefore, the data controller (a group leader, researcher, research organization or their legal representative) needs to sign the Data Processing Agreement, a legal contract, with CSC. CSC never acts as a data controller, but our services give CSC users all the instruments necessary to manage access to sensitive data. The CSC service user remains fully responsible for the data and is required to choose a service that complies with the security level needed for the data.
I am not sure if the data I am working with is sensitive or not. Where can I find support?
If you need assistance to verify whether the SD services are suitable for processing your research data, contact your organization's data protection officer or legal office. You can provide them with supporting documents such as:
- Service descriptions of SD Connect and SD Desktop and the technical and organizational measures document.
- The CSC Data Processing Agreement (DPA)
- The GDPR (Description of processing activity form) that can be downloaded from your CSC project
- The CSC Data Policy
For support, don't hesitate to contact us at servicedesk@csc.fi (subject: Sensitive Data).
Contact information of Finnish universities data protection / legal offices
University | Contact information |
---|---|
Aalto University | tietosuojavastaava@aalto.fi Data Protection Policy |
LUT University | dataprotection@lut.fi tietosuoja@lut.fi Data protection policy |
University of Eastern Finland | tietosuoja@uef.fi Data protection policy |
University of Helsinki | tietosuoja@helsinki.fi Data protection policy |
University of Jyväskylä | tietosuoja@jyu.fi Data protection policy |
University of Lapland | tietosuoja@ulapland.fi Data protection policy |
University of Oulu | dpo@oulu.fi Data protection policy |
University of Tampere | dpo@tuni.fi Data protection policy |
University of Turku | dpo@utu.fi tietosuoja@utu.fi Data protection policy |
University of Vaasa | tietosuojavastaava@uwasa.fi Data protection policy |
What type of sensitive data can I process with CSC Sensitive Data Services?
Any type of sensitive data consented for research. Processing register data under the Act on Secondary Use of Health and Social Data is possible only with a Findata permit or register permit and using a restricted version of the SD Desktop service (see: SD Desktop for secondary use).
What type of documentation do I need to provide to use CSC Sensitive Data Services?
When creating a CSC account and CSC project in MyCSC, you are guided to view and accept CSC's Data Processing Agreement (DPA) and describe the type of data you are processing in the description of processing activities form. If you have any questions about these documents, or if additional legal agreements are needed between your organization and CSC, write to servicedesk@csc.fi (email subject: Sensitive Data).