2.15. Classification and content of data used and generated in research

In the course of carrying out research and projects, the university may use existing and generated data, such as research data, business data, etc. When data are collected and processed, the relevant principles shall be applied depending on the availability of the data to the public; information can be obtained from the Coordinator for Protection of Personal Data and State Secrets Henri Schasmin (e-mail: henri.schasmin@taltech.ee; phone: 620 2017).

Data and their classification. Upon conducting research, the university comes across various data.

The data used in research can be classified as follows:

  1. public information, incl. restricted information;
  2. personal data, incl. special categories of personal data;
  3. confidential information, incl. trade secrets;
  4. state secrets and classified information of foreign states;
  5. other intellectual property.

Public information. “Public information” means information held by the public sector. Public information is information which is recorded in any manner and on any medium and which is obtained or created upon performance of public duties. Public information includes restricted information, access to which shall be restricted pursuant to law. In connection with research, the university is required to establish a restriction on access also to information on technological solutions if disclosure of such information would damage the interests of the holder of information or if classification of such information as internal is prescribed in a contract entered into with a person in private law and to information the disclosure of which may violate a trade secret.

Personal data. “Personal data” means any information that relates to or can be related to a natural person by which the person can be identified, directly or indirectly. A person can be identified directly or indirectly by his or her characteristics. Personal data can come in a variety of forms: personal data can be presented in words, numbers, graphics, audio and video recordings, etc. Examples of personal data: name, personal identification number, date of birth, photograph of the person, graphic data, audio and video recording of a person.

Special categories of personal data. The special categories of personal data include the following data concerning a natural person’s:

  1. health, special needs, sex life;
  2. ethnic or racial origin;
  3. political opinions, religious or philosophical beliefs;
  4. genetic and biometric data.

Processing of personal data. In the course of research, various operations can be carried out with personal data, i.e. personal data can be processed. In the course of research, personal data can be collected, used, communicated, altered, recorded, organised, stored, closed, deleted and destroyed. Any operations carried out with personal data shall be considered processing of personal data and shall be subject to the requirements laid down in the respective legislation.

Requirements for processing of personal data. Any person participating in the research activities of the university must follow the principles of processing and protection of personal data arising from the General Data Protection Regulation of the European Union and other legislation and guidelines issued on the basis thereof.

A person involved in university research needs to pay attention to the following:

  1. personal data shall be collected only in an honest and legal manner;
  2. personal data shall be collected only to the minimum extent necessary for the achievement of determined and lawful purposes;
  3. information security measures shall be taken to protect personal data.

Collection of personal data in an honest and legal manner means that the personal data have been obtained legitimately. Collection of personal data only to the minimum extent necessary for the achievement of determined and lawful purposes refers to the principle that there must be a determined lawful purpose for collecting data and data shall be collected only to the extent necessary. Information security measures shall be taken to protect personal data and the integrity, confidentiality and availability of the data.

Purposes and bases of personal data processing. The purpose of processing personal data in research may be to carry out core or supporting research activities.

When carrying out research, personal data shall be processed in compliance with legislation on personal data protection and research and development. The most important legislation on research and development is the Organisation of Research and Development Act and the university’s regulations in the field of research and development.

In the core activities of research, the personal data processed may be related to the object of research (e.g. research related to persons and their behaviour, etc.). In the supporting activities of research, personal data may need to be processed in order to administer a research project (e.g. administering employment contracts, working time accounting, etc.).

Principles of Processing and Protection of Personal Data. A person involved in research must follow the principles of processing and protection of personal data. The principles of processing and protection of personal data at the university are laid down in the Procedure for Processing and Protection of Personal Data, see https://oigusaktid.taltech.ee/en/procedure-for-processing-and-protection-of-personal-data/ . The Procedure for Processing and Protection of Personal Data lays down the requirements for the processing and protection of personal data at the university. The terms and conditions governing the processing and protection of personal data at the university can be found on the university’s website at https://taltech.ee/en/privacy-policy .

The processing and protection of personal data in research will be regulated in more detail in the relevant guidelines “Personal Data for Research Purposes” pending approval of the Data Protection Inspectorate (the link will be added when the regulation is published) and the regulations of Tallinn University of Technology developed on the basis thereof (the link will be added when the regulation is published).  For information on processing and protection of personal data, please contact the Coordinator for Protection of Personal Data and State Secrets at the university (e-mail: henri.schasmin@taltech.ee; phone: 620 2017).

Confidential information, incl. trade secrets. “Confidential information”, incl. trade secrets, means information concerning the activities of an institution, a person or an organisation which, if disclosed to other persons, may harm the interests of the information owner. Confidential information is undisclosed and not subject to disclosure. A person involved in research may hold or create confidential information in the course of research.

A trade secret is information which meets the following requirements:

  1. it is held by a natural or legal person;
  2. it is confidential, since it is not generally known or readily accessible;
  3. it has commercial value because it is secret;
  4. it is protected by appropriate measures to ensure its confidentiality.

When conducting research, a person may come across various types of confidential information related to research and development. Appropriate information security measures, which are usually set out in the corresponding contracts, shall be applied to protect confidential information, incl. trade secrets. It is recommended to consult the university’s data protection and information security specialists regarding the application of specific information security measures.

State secrets and classified information of foreign states. “State secret” means information which requires protection from disclosure in the interests of the national security or foreign relations of the Republic of Estonia. “Classified information of foreign states” means information originating from a foreign state, the European Union, NATO or an organisation or institution established under an international agreement which is released to Estonia on the basis of international agreements and that has been classified as secret by its originator, and information created for the purposes of performance of an international agreement by the Republic of Estonia that is to be classified, as provided by the international agreement. In connection with research, the university is required to treat items of information concerning inventions and studies conducted for public defence purposes and their outcome as state secrets. A person involved in a research project of the European Union, NATO or another international organisation may have to process classified information of foreign states. For information on processing and protection of state secrets and classified information of foreign states, please contact the Coordinator for Protection of Personal Data and State Secrets at the university (e-mail: henri.schasmin@taltech.ee; phone: 620 2017).