Thesis ethics and legislation

You must comply with the principles of responsible conduct of researchin all you research work. These principles cover the researcher’s responsibility towards the public, the research subjects and the scientific community.

The responsibility towards the public is related to the content of your research: you must conduct your research carefully and appropriately and disclose all essential information. The data obtained from the research subjects must be collected openly, and the rights of the subjects may not be violated. You should also indicate the importance of other researchers to your work by including clear references to sources, among other things.

Compliance with the responsible conduct of research is monitored in Finland by the Finnish National Board on Research Integrity, which is a joint ethical body maintained by the higher education institutions. The Board has also defined the violations of the responsible conduct of research.

The most serious form of violation is misconduct, which can take the form of:

• fabrication or falsification, which means presenting invented results or observations or intentionally modifying them so that they are false
• plagiarism, which means presenting someone else’s text as your own
• misappropriation, which means using someone else’s plan, idea or material without authorisation.

A milder form of violation is neglecting the responsible conduct of research, an example of which is careless or negligent implementation of a thesis.

If a violation of the responsible conduct of research is detected, the thesis can be rejected.

When conducting research that involves the processing of personal data, you must also observe the provisions of the EU’s General Data Protection Regulation (GDPR).

More information about research ethics:

• Ethical Recommendations for UAS Theses (Arene – the Rectors’ Conference of Finnish Universities of Applied Sciences, 2020)
• Finnish Advisory Board on Research Integrity (TENK): Responsible conduct of research

The data protection legislation also applies to material collected for theses. The EU’s General Data Protection Regulation (GDPR) is a regulation governing the processing of personal data.

If the material used for your thesis includes personal data, you must create a plan for the processing of personal data before starting to collect data. If you collect survey or interview material, for example, you will most likely create a personal data register.

Please read the guidelines below and prepare the necessary documentation (e.g. a privacy notice and a data protection impact assessment) and plan how you will obtain consent from participants in your research for processing their personal data and how you will manage the data you collect. Model templates are available in the section Theses agreements and templates on Thesis process and guidelines. 

If you’re writing your thesis on a commission from a partner, please agree on the processing of personal data and questions related to maintaining a register with the party that commissioned the work.

You have copyright to the thesis you have written. You must always agree separately on transferring your copyrights to the party commissioning your thesis, for example. If you wish, you can publish your thesis under a Creative Commons licence.

When working on your thesis, you may also create other material covered by copyrights, in addition to the thesis you publish. If such material is created in cooperation with, for example, a partner or other students, you must agree in advance on who owns it and who is allowed to use it.

As a writer of a thesis, you must respect the copyrights of others. This means that you have to follow the appropriate referencing practices when using other people’s work.

The risks arising from the processing of personal data and the effects of the processing on the research participants (research subjects) should always be evaluated and the processing planned in such a way that these risks are limited.

Personal data may only be processed if the processing has one of the bases listed in the General Data Protection Regulation. In a Bachelor's thesis, the basis for processing is always the consent of the research subject. In Master's theses, the basis for processing may also be the public interest if the Master's thesis is part of an RDI project coordinated by Metropolia that meets the criteria for scientific research. A Bachelor's thesis does not meet the criteria for scientific research, which is why the public interest cannot be the basis for processing in these cases.

The selected basis for processing affects, among other things, the rights of the data subject. If consent is the legal basis for the processing of personal data, it must also be possible to withdraw consent just as easily, i.e., the data subject may request the deletion and transfer of their personal data.

The controller refers to the entity that, alone or together with others, defines the purposes and means of personal data processing. There can also be several controllers, in which case we speak of a joint controllers.

If the thesis worker does the thesis work as an employee, the data controller is the employer organization, or the employer organization, the Metropolia student and the Metropolia University of Applied Sciences together (in this case, it is recommended to draw up an agreement on the matter -> contract template that includes a joint controller agreement).

In the case of a Metropolia TKI project or a research project, the data controller is Metropolia University of Applied Sciences and the student together (or a partner as agreed).

If no other entity is the data controller, the student and Metropolia University of Applied Sciences.

The plan must be including data collection, analysis, use during the thesis, possible research collaboration and sharing of personal data, further research, archiving, destruction before you begin to collect or otherwise process personal data. You can use Metropolia's thesis planning template to help with planning. The template is available in the section Thesis agreements and templates on Thesis process and guidelines.

Remember that the general principles of personal data processing include data minimization, which means e.g. that only necessary personal data may be collected and otherwise processed.

The template for informing research participants prepared for Metropolia (including the privacy notice) utilizes the DPIA impact assessment and research plan as well as the data management plan. The template is available in the section Thesis agreements and templates on Thesis process and guidelines.

Make sure that the processing of personal data is uniformly described in the research plan and data management plan and in the information form for the subject.

Document the systems you use for the storage and other processing of personal data by filling in the relevant information, for example, in the appropriate section of the information document given to research participants. 

The template is available in the section Thesis agreements and templates on Thesis process and guidelines.

Use only information systems and applications that are approved by Metropolia, as well as good practices, e.g. regarding email. 

If you implement a questionnaire in your thesis, where personal data or some other sensitive or confidential information is collected from the subjects, then use the e-form software running on Metropolia's own server for this purpose.

Note the following:

• If an external entity processes personal data for the purposes defined by the controller, e.g. when personal data is transferred to a subcontractor or cloud service, a personal data processing agreement must be drawn up for the processing of personal data. If a personal data processing agreement (Data Processing Agreement or DPA) has already been concluded with the service provider, there is no need to conclude a new agreement. You can check with Metropolia's data protection officer whether a DPA has already been completed.
• If personal data is transferred to another higher education institution or research institution, which defines the purpose of using the personal data together, or if the higher education institutions have a common filling system that both use independently, both higher education institutions are the data controllers (=joint data controller).
• If personal data is handed over to another university or research institute in such a way that it can itself define the purpose of use of the personal data, e.g. the purpose of use and informing the research subjects must be agreed in detail before handing over the personal data.
• Personal data can be transferred outside the EEA only if there is a reason for the transfer.

If you process personal data in your thesis, you must inform the research subjects about this using the "Participant Information Sheet". Whether it becomes necessary for you to process personal data in a way other than what the research subjects have been told during the thesis, you must inform the research subjects of the changes and update all necessary documents, such as the template "Participant Information Sheet" (including the Privacy Notice).

The template is available in the section Thesis agreements and templates on Thesis process and guidelines.

If you need help with data privacy issues related to your thesis, contact your your thesis supervisor. The supervisor is the primarily responsible for taking data privacy legislation into account in theses. 

Metropolia University of Applied Sciences' data protection officer trains thesis supervisors (Metropolia teachers and other staff) in how data protection legislation and the rights of research subjects should be taken into account in theses.