The Finnish Defence Forces' accusations that researchers have leaked the results of psychological tests conducted on hundreds of thousands of conscripts are exceptional, estimates Reijo Aarnio, the Data Protection Ombudsman of Finland.
Helsingin Sanomat reported earlier this week that researchers are suspected of leaking the basic test results of as many as 400,000 conscripts to their colleagues in the United Kingdom.
The scope of the alleged data leak is very unusual, if not outright unprecedented, says Aarnio.
“But you're talking about an exceptional case when you take into consideration the kind of information [that was allegedly leaked],” he says in an interview with Uusi Suomi.
It currently remains unknown whether or not the data include any identifying information about the test subjects. The so-called P1 and P2 psychological tests were developed by the Centre for Military Medicine to measure not only the intelligence but also the leadership skills and pressure handling ability of conscripts, according to Aarnio.
“The risk is that these people can never be sure where the information will pop up and where it'll be used,” he points out.
One indication of the risks associated with the suspected data leak according to him is the probe launched by the Finnish Defence Forces.
“The Defence Forces is the best-equipped to evaluate risks related to the [defence] sector. Because they reacted as they did – and I think it's good that they reacted – it must be based on some kind of a risk assessment,” he explains.
Aarnio reminds that the researchers accused in connection with the alleged data leak have denied releasing any data to third parties abroad. A criminal investigation, he says, may well be necessary to determine whether or not the accusations are true.
The case is also related to a dispute between the Defence Forces and the National Archives of Finland over how long the test results should be stored: the former has demanded, citing privacy concerns, that old test results be deleted, while the latter has insisted that the results should be stored indefinitely for research purposes.
The Defence Forces currently determines which researchers are granted access to the test results. No permissions to access the data can be granted to foreigners.
Statistics Finland has removed all identifying information from the test results handed over to researchers since 2010, while before that the researchers themselves were responsible for anonymising, storing and deleting the data. The old system was effectively based on research ethics although researchers were required to delete the data after use, a spokesperson for the Defence Command told Helsingin Sanomat.
Whether or not researchers complied with the requirement remains unknown.
Aarnio reveals that in such cases the recipient of data, such as a researcher, is designated as a private data controller who is required to comply with all provisions set forth in the Personal Data Act.
“It prescribes that [the recipient] guarantees data protection, plans the data life cycle and deletes the data safely after they are no longer needed,” he lists.
The current system is consequently not founded solely on research ethics as the boundary conditions are clearly defined in the legislation, according to Aarnio. The owner of the data, he adds, may also impose additional conditions for releasing the data but is under no obligation to monitor how the data are processed.
The Data Protection Ombudsman, in turn, is not responsible for monitoring compliance with the provisions on the release and right to receive information laid out in the Act on the Openness of Government Activities. It is, however, responsible for monitoring the data recipients and may, in some cases, be notified of a release of data for research purposes in advance.
Aarnio considers it important that researchers have access to support to ensure sensitive data is handled accordingly. Research data pseudonymised with rudimentary tools, for example, can be decrypted with so-called key codes.
Researchers, he says, should be provided with services that ensure they do not have to wrangle with problems related to anonymisation.
“Statistics Finland, for example, has developed its services in that direction – and it's a good direction – but the country should definitely invest in improving the preconditions for high-quality and safe research,” says Aarnio.
Aleksi Teivainen – HT
Photo: Kaisa Siren – Lehtikuva
Source: Uusi Suomi