You must consider ethical issues throughout your research project, starting from the phase when you start planning the collection of research data.
When studying people, the basic principle is that those people should give their consent for the study before you start. Before giving their consent they need information on the purposes and methods of the research. You have to be able to show the consent of your data subjects. So, you should e.g. record the consent in the beginning of an interview.
If you are studying patients, children, youths, handicapped etc., who maybe cannot evaluate themselves, what the research means to them, you have to get approval from the parents or the trustees. Even they should be listened if possible and they should not be studied if they disagree.
According to the EU General Data Protection Regulation if you are using personal data in your research, you have to be able to show that data security and the ethical norms of research are taken into account during the whole process of collection, storing, analyzing and interpreting the data and that you are collecting and analyzing personal data only to the extent that is appropriate to the goals of your research. This obligation to be able to show means, that a proper data management plan and documentation about following the plan is mandatory in human research. The rights of the data subjects to see the data concerning him or herself and to be forgotten will probably be restricted in the future Data Protection Act so that the goals of the research wouldn't be endangered. The final texts and interpretations do not exist yet.
If you are going to use register data containing personal data, you have to have permission from the register holder, sometimes also the opinion of the Data Protection Ombudsman. You may also need a research permission if you are doing research at schools, nursery schools, social or health care organizations etc. In some special cases or when the funder or the publisher requires you will need ethical review of your research plan.
When the data includes personal or administrative information, you have to follow the regulations in the Personal Data Act and in the Act on the Openness of Government Activities.
When planning your research you should agree within the project group and with your employer on the rights, responsibilities, and obligations related to the data that you are going to collect:
Who owns the data? May the researcher hold onto some of it? Are there differences between a doctoral candidate and a postdoctoral researcher?
What are the user privileges of the parties if one of the group member leaves during the project or if new members are taken in?
What happens after the research project: Who has the right to use the data and who is in charge of its storage?
How do you manage the copyright of photos, drawings, etc. included in the data? Legally, copyright is passed down to inheritors.
How do you manage the copyright of software and databases?
If you are going to reuse data collected by someone else, you have to follow the terms and conditions regarding the use of the data, determined by the creator of the data or the person to whom the creator has handed over the data.
Research data must be sufficiently protected in terms of confidentiality (only persons with the appropriate access rights may handle the data), integrity (only persons with the appropriate access rights may edit the data) and availability.
Data protection methods include technological solutions, agreements and legal methods. Researchers should make a note of any risks and determine who will implement the protection measures and how.
Protection of confidential personal information
If the research subjects are to remain anonymous, you must draft a plan as to how any personal details (e.g., names or personal identity numbers) will be protected, handled and/or deleted. Research materials can be anonymized by removing any personal details or coarsening them by utilizing categories.
Researchers who collect and handle materials that include identifiable information must draft a file description indicating, among other things, any anonymization methods and measures taken to protect the data.
Care of datasets after the project
Digital and physical datasets, that shall be stored, shall be transferred into a proper archive
Digital and physical datasets, that won't be stored, shall be destroyed safely
Temporary datasets, that are not needed, shall be destroyed safely
Care of information security and safety does not end, when the project ends!