Processing is a general term in data processing that means any operation performed on data. It includes data collection, storage, copying, modification, systematisation, retrieval, transmission and destruction. The processing of personal data goes on from the moment the data is received until it is destroyed and includes all operations in between.

Processing also includes the anonymisation of personalised or pseudonymised data, which, together with the prior collection of data, must comply with the general data protection principles.

The GDPR distinguishes between three responsible roles in the processing of personal data.

  1. A controller is an institution that determines the purposes and means of processing, i.e. controls the processing of personal data. A controller is usually a legal person in which personal data processing occurs. As an organisation, the University of Tartu is the controller; the researcher is responsible for everything they do with personal data in their work. The researcher sets the data processing objectives and says what data they collect and by what means.
    The fact that the university may be the personal data controller does not mean that every university employee can access personal data. Such access must be needs-based and limited to researchers involved in the specific project or stage of research. In the case of sensitive data, such as children’s data or special categories of personal data, access should be further restricted to researchers who absolutely need to process the personalised data.
  2. Where decisions on personal data are made jointly by several institutions, such as the university and other research institutions, they are joint controllers. Joint responsibility requires that the cooperating institutions determine the purposes and means of processing together. For example, in EU-funded projects, the project partners may each be responsible for their own activities or act as joint controllers, depending on the division of work and decisions.
  3. A processor is an individual or an institution that the controller has authorised to process personal data based on a contract. A processor works on behalf of the controller. As they cannot determine or change the purposes and means of processing personal data, processors are not controllers. A person working at the university under an employment contract is not a processor because the university cannot authorise itself to do the processing. However, a university researcher, who has been hired by another public or private body under a separate agreement to carry out analysis or expert assessment, can be a processor.

Usually, researchers are not processors or controllers: through their duties, they fulfil the obligations of the university as a controller. For example, if a researcher is the principal or responsible investigator in an international project, the university is the controller or joint controller – depending on the agreement between the research institutions – throughout the project. This does not mean that the researcher has no responsibility. It is good practice to appoint a researcher who is responsible for the data processed in the specific research study and must ensure the accuracy of data processing. Their task is to ensure confidential and secure data processing and to provide guidance to researchers processing personal data.

Both the responsible researcher and the controller must follow data protection principles, but they report to different authorities. The controller, i.e. the university, reports a data breach to the Data Protection Inspectorate. The responsible researcher reports to the employer, i.e. the university, and must also notify the university’s senior specialist for data protection. The university must assess the potential risks associated with the processing of personal data and take measures to mitigate them, while the researcher must carry out the risk analysis.

Thus, it depends on the agreement between the researchers and the university as to which staff member is responsible for data protection issues. The university’s documentary procedure rules provide that the responsibility for personal data processing lies with the specialist for data protection, the head of the structural unit, and the employee processing personal data. Each employee who processes personal data must ensure data integrity and confidentiality. The head of the structural unit must ensure the registration of all personal data processing activities.

A third party means an individual or institution other than the data subject, controller, processor and persons who work under the direct authority of the controller or processor. To put it more simply, it is a person who does not have a clear role in processing personal data. In the case of a research paper, third parties may include, for example, the researcher’s family members, an opponent or reviewer of the article, and employees of the publishing house publishing the article.

In addition, there are recipients – individuals or institutions to which personal data are disclosed. This role is situation-specific. The recipient may be a controller, processor or a third party.

Each institution, including the university, establishes its own data protection policy, which every person involved in research, from a student transcribing an interview to a professor leading a research project, must follow. The conditions set in the policy must be observed regardless of the purpose of processing. At the university, the same policy applies to personal data related to human resources, academic affairs and research. The purpose of research does not diminish the need to protect personal data or respect individuals’ rights.
