Privacy policy of the Finnish Biodiversity Information Facility (FinBIF)

Updated: 7.3.2019

This is the privacy policy concerning Internet services of the Finnish Museum of Natural History and the Finnish Biodiversity Information Facility (FinBIF) relating to species information and nature observations. These services include

  • the Laji.fi / species.fi portal
  • Finnish Red Book service
  • the Löydös observation reporting service
  • the information services of the Ringing Centre, incl. Lintuvaara
  • the Laji.fi forum

Personal information is handled for service administration and for identifying people entering data and saving observations. Contact information can be used e.g. for asking more information about an observation saved by the user.

1.Registrar

University of Helsinki, Finnish Museum of Natural History

Business ID: 0313471-7

Address

Finnish Museum of Natural History

PO Box 17 (Pohjoinen Rautatiekatu 13)

FI-00014 UNIVERSITY OF HELSINKI

2. Person responsible and/or liaison for matters related to the register

Esko Piirainen, IT Manager

Address

Finnish Museum of Natural History

PO Box 17 (Pohjoinen Rautatiekatu 13)

FI-00014 UNIVERSITY OF HELSINKI

Tel: +358 50 415 4849

Email: esko.piirainen at helsinki.fi

3. Name of register

Personal data registry of the Finnish Biodiversity Information Facility

4. Purpose of handling personal data / purpose of register

All personal data described in this document does not apply to every site and service provided by FinBIF. For some sites users do not register and for these personal data is limited mainly to data mentioned in Section 13: Coockies and statistics.

Broadly, FinBIF handles personal data as supplementary data to species information. Personal information is used for research, teaching and civil service, as well as (in a limited way) for citizen science purposes (personal, public observation logs).

The use of personal information is based on permission given by user to save, use and give out their data.

More exactly, personal data is used to connect natural science data to actor data (e.g. observer, person who determined the species of an boservation), to identify the user for services that require authentication (e.g. the forum) or to contact the user (e.g. responding to feedback, asking for more data about an observation). It is also possible to send feedback anonymously.

Personal data is saved for nature observations, since the significance of observations is directly proportional to the possibility of evaluating their reliability:

  • Without sufficient personal data of the observer or contact details of the owner or controller of the data, the value of observations is low.
  • Personal data or contact details are often required for verifying and validating data.
  • Personal data and contact details also enhance the legal protection of observers.

5. Data content of the register

The following data can be saved, with purposes and publicity/sharing as described:

Personal dataPurposePublicity and sharing
Identification (MA.nnn)Part of a unique URI identifier, used by the system to tell users apartPublic
First and last name or pseudonymShown with observation, unless prevented by userPublic
Location (the time and place reported by user for the observation)Shown with observation, unless prevented by userPublic
Email addressUsed to reset password and for contacting userShared with:

  • organisational partners [1] for research and public service use
  • third party applications the user logs on to using the FinBIF authentication [3]
Image or symbolShown on the profile page of userPublic
Freeform descriptionShown of the profile page of userPublic
Other information saved by user (e.g. home page, group, nickname)Shown on the profile page of userPublic
Postal addressUsed in case user needs to be mailed e.g. papers relating to a study they participate inNot shared without explicit consent given on a case-by-case basis
Telephone numberUsed to contact user in some circumstancesNot shared without explicit consent given on a case-by-case basis
Year of birthUsed for research, when it's necessary to separate two users with identical names, and no other identifying features are availableNot shared
Technical identifier provided by source system (username or -number)Connects the FinBIF user profile to an authentication source (e.g. Google, or the University user management system)Not shared
Roles and trust levelsUsed for giving out rights to specific subsystems etc.Shared with:

  • prganisational partners [1] for research, public service and administrative [2] use
  • third party applications the user logs on to using the FinBIF authentication [3]
Organisation information (if using FinBIF as other than private person)Used to determine organisation that can alter role data of userShared with organisational partners [1] for research, public service and administrative [2] use
Friends (i.e. other users of service that have approved in-service friend request)Used to give other users access to one's observations etc.Shared with third party applicationss the user logs on to using FinBIF authentication [3]
Saved settingsE.g. settings of forms, default language and other saved details (Mainly not personal information)Shared with third party applications the user logs on to using FinBIF authentication [3]

(1) "Organisational partners" are Finnish research or public service organisations that share data with FinBIF. A full list cannot be given, since the number is growing.

(2) "Administrative use" means that an organisation can see organisational or role information to determine if a user is related to their organisation. ("N.N. works for us, do they have the right organisation data?" , "does N.N. have sufficient access to data we share to FinBIF) or update, add or change organisational or role data relating to the organisation ("let's give N.N. the role they need for their work" , "N.N. has retired, let's remove our organisational role from their user information").

(3) "Third party applications" refers to applications that use FinBIF data and authentication. E.g.: PigeonMobile is an application made by Pigeonsoft, used to record pigeon observations into Notebook. N.N. uses PigeonMobile to report pigeon sightings. For this to work, PigeonMobile needs to access some of N.N.'s personal data (such as email address and role information) when they log in to the application.

Some other information is collected for statistical purposes; more information in secrion 13

Mandatory personal data for private users are only name or pseudonym, email address and the ID given by the system.

It is possible to use a pseudonym in FinBIF, but not if authentication via an organisational service requiring a real name (e.g. Haka, Virtu).

"Technical identifier provided by source system" means that when authenticating to FinBIF via an external system (Haka, Google etc), FinBIF uses the identifier provided by the external systeme to identify the user. FinBIF does not see passwords of the external system.

6. Regular sources of information

Information is gained from the following sources

  • Directly from the user (e.g. when registering or entering data on the contact form)
  • Web browser of the user (only for statistical information and location data of an observation)
  • Suoraan käyttäjiltä itseltään (esim. rekisteröitymisen tai yhteydenottolomakkeen kautta)
  • External sources joined to the FinBIF systems (e.g. Hyönteistietokanta, services provided by authorities, organisational personnel database when using organisational authentication to log in)

Some data (e.g. trust level) is generated and updated based on the use of the system.

7. Regular disclosure and transfer of data

Most of the data entered into FinBIF is open data shown on the FinBIF Web pages and over APIs. Of personal data this includes name of observer and location of observation. The user can, if they wish, to hide this data or make it more fuzzy on a case by case basis.

In order to publishing the data, exact data saved is seen and handled by organisational public service partners of FinBIF. They are all Finnish organisations using the observation data for a given public service task. When the data includes personal information, it is to some extent shared with the partner. The personal data shared is limited to

  • identifier (MA.nnn)
  • name or pseudonym
  • location data (time and place relating to the observation)
  • email address
  • role and trust level
  • organisational data

For research, FinBIF shares the data with its Finnish research partners. The shared data is observation data that can include personal information. The shared personal information is limited to

  • identifier (MA.nnn)
  • name or pseudonym
  • location data (time and place relating to the observation)
  • email address
  • role and trust level
  • organisational data

It is possible to make publications of data saved into FinBIF. For obsevational data, publication includes the observer name (unless hidden by user) and locational data (unless hidden by user).

8. Transfer of data outside EU or EEA

Personal data will is not transferred or disclosed outside the EU or EEA, with the exception of the data that is publicly visible on the Internet (name, location data of observation, other public profile data). There are following exceptions:

The discussion forum of FinBIF is at the time located on a server in the USA. When logging on to the forum with the FinBIF authentication the following data is transferred to the service:

  • user identifier (MA.nnn)
  • First and last name or pseudonym
  • email address

Statistics for the service, which is elaborated in section 13, happens outside the EU, but anonymously.

9. Principles of register protection

The personal data saved in the register can only be accessed by the administrator authorised by the register owner. This includes tha named administrators of the organisational partners of FinBIF. They can access, and for role and organisational information, alter, the personal data of the FinBIF registered under their organisation. All use of the register is logged.

The network traffic is secured with secure protocols. The network and IT equipment containing the register are protected with a firewall and other technical measures. The IT equipment is kept in a locked facility under surveillance.

10. Right to inspect and its implementation

Users have the right to inspect data concerning themselves. Requests for inspection should be directed to the registrar.

Users may inspect their personal data related to their laji.fi user account in the user profile found in “Personal details” on the Laji.fi website.

A user who hasn't logged in can make a request for inspection by email or by letter to register owner (see section 2).

The inspection request is without charge when done once every 12 months at most.

11. Correcting data and implementation of corrections

Users have the right to correct erroneous or outdated information concerning themselves.

Information relating to the laji.fi user account can be corrected by the user using the laji.fi portal. If the information to be corrected relates to a user who hasn't logged in, or has been delivered from another system, the request for correction needs to be done with a signed letter or by email to the register administrator (see section 2).

A person can request their information to be deleted from the service. In this case all personal information is deleted from public services. For research and public service use, location information relating to observations is retained, but other personal information is removed.

12. Other rights

Personal data will not be used or disclosed for use in direct advertising, telesales or other marketing, market research and opinion polls as well as public registers and genealogical research, unless specifically authorised by the user.

It is possible to ask for such permission on e.g. an observation form relating to a certain project, so that the user can be reached with messages pertaining to the project or its administrator.

13. Cookies and statistics

The Internet services use cookies. Cookies are information describing the use of internet services, stored, for example, on the user’s computer and available to control communications between the web browser and server. Users are able to block cookies from the settings of the web browser they are using. Some parts of the service may not function in this case.

Anonymous statistics on the usage of the service are compiled with the help of log files and cookies. The personal data of visitors will not be connected with usage statistics.

Usage statistics are compiled with the help of the Google Analytics service only for website development and maintenance purposes. The website address and visitors’ IP addresses will be sent to a Google server.

Further information on the Google Analytics service:: http://www.google.com/analytics/

Requests, IP addresses and user-agents are logged.