Privacy policy of the Finnish Biodiversity Information Facility (FinBIF)
Created: 7.3.2019. Updated 15.8.2023
This is the privacy policy concerning Internet services of the Finnish Museum of Natural History and the Finnish Biodiversity Information Facility (FinBIF) relating to species information and nature observations. These services include
- the Laji.fi / species.fi portal
- Mobiilivihko -mobile app
- The Web Service of the Red List of Finnish Species
- the Löydös observation reporting service
- the information services of the Ringing Centre, incl. Lintuvaara
- the Laji.fi forum
- Kotka collection management system
- vieraslajit.fi - National Finnish Invasive Species Portal
- the Public Authorities Portal
- Restricted data request system
- the Result service of BirdAtlas
- the bsg.laji.fi bird sound identification service
Personal information is handled for service administration and for identifying people entering data and saving observations. Contact information can be used e.g. for asking more information about an observation saved by the user.
1.Registrar
University of Helsinki, Finnish Museum of Natural History Business ID: 0313471-7
Address Finnish Museum of Natural History PO Box 17 (Pohjoinen Rautatiekatu 13) FI-00014 UNIVERSITY OF HELSINKI
2. Person responsible and/or liaison for matters related to the register
Esko Piirainen, IT Manager
Address Finnish Museum of Natural History PO Box 17 (Pohjoinen Rautatiekatu 13) FI-00014 UNIVERSITY OF HELSINKI Tel: +358 50 415 4849 Email: esko.piirainen at helsinki.fi
3. Name of register
Personal data registry of the Finnish Biodiversity Information Facility
4. Purpose of handling personal data / purpose of register
All personal data described in this document does not apply to every site and service provided by FinBIF. For some sites users do not register and for these personal data is limited mainly to data mentioned in Section 13: Cookies and statistics.
Broadly, FinBIF handles personal data as supplementary data to species information. Personal information is used for research, teaching and civil service, as well as (in a limited way) for citizen science purposes (personal, public observation logs).
The use of personal information is based on permission given by user to save, use and give out their data. In some cases, the basis for processing personal data is public interest (natural science research). In some cases, the basis for processing personal data is the legal obligation of the registrar.
More exactly, personal data is used to connect natural science data to actor data (e.g. observer, person who determined the species of an observation), to identify the user for services that require authentication (e.g. the forum) or to contact the user (e.g. responding to feedback, asking for more data about an observation). It is also possible to send feedback anonymously.
Personal data is saved for nature observations, since the significance of observations is directly proportional to the possibility of evaluating their reliability:
- Without sufficient personal data of the observer or contact details of the owner or controller of the data, the value of observations is low.
- Personal data or contact details are often required for verifying and validating data.
- Personal data and contact details also enhance the legal protection of observers.
5. Data content of the register
The following data can be saved, with purposes and publicity/sharing as described:
Personal data | Purpose | Publicity and sharing |
Identification (MA.nnn) | Part of a unique URI identifier, used by the system to tell users apart | Public |
First and last name or pseudonym | Shown with observation, unless prevented by user | Public |
Location (the time and place reported by user for the observation) | Shown with observation, unless prevented by user | Public |
Email address | Used to reset password and for contacting user | Shared with:
|
Image or symbol | Shown on the profile page of user | Public |
Freeform description | Shown of the profile page of user | Public |
Other information saved by user (e.g. home page, group, nickname) | Shown on the profile page of user | Public |
Postal address | Used in case user needs to be mailed e.g. papers relating to a study they participate in | Not shared without explicit consent given on a case-by-case basis |
Telephone number | Used to contact user in some circumstances | Not shared without explicit consent given on a case-by-case basis |
Year of birth | Used for research, when it's necessary to separate two users with identical names, and no other identifying features are available | Not shared |
Technical identifier provided by source system (username or -number) | Connects the FinBIF user profile to an authentication source (e.g. Google, or the University user management system) | Not shared |
Roles and trust levels | Used for giving out rights to specific subsystems etc. | Shared with:
|
Organisation information (if using FinBIF as other than private person) | Used to determine organisation that can alter role data of user | Shared with organisational partners [1] for research, public service and administrative [2] use |
Admin of organisation (if using FinBIF as other than private person) | Used to determine who can add users to organisations | Shared with organisational partners [1] for research, public service and administrative [2] use |
Public Authorities Portal access expiry date | Used to determine access to Public Authorities Portal | Shared with organisational partners [1] for research, public service and administrative [2] use |
Friends (i.e. other users of service that have approved in-service friend request) | Used to give other users access to one's observations etc. | Shared with third party applicationss the user logs on to using FinBIF authentication [3] |
Saved settings | E.g. settings of forms, default language and other saved details (Mainly not personal information) | Shared with third party applications the user logs on to using FinBIF authentication [3] |
Other personal data | Fulfilling statutory obligations [4] | Distributed when required by law [4] |
(1) "Organisational partners" are Finnish research or public service organisations that share data with FinBIF. A full list cannot be given, since the number is growing.
(2) "Administrative use" means that an organisation can see organisational or role information to determine if a user is related to their organisation. ("N.N. works for us, do they have the right organisation data?" , "does N.N. have sufficient access to data we share to FinBIF) or update, add or change organisational or role data relating to the organisation ("let's give N.N. the role they need for their work" , "N.N. has retired, let's remove our organisational role from their user information").
(3) "Third party applications" refers to applications that use FinBIF data and authentication. E.g.: PigeonMobile is an application made by Pigeonsoft, used to record pigeon observations into Notebook. N.N. uses PigeonMobile to report pigeon sightings. For this to work, PigeonMobile needs to access some of N.N.'s personal data (such as email address and role information) when they log in to the application.
(4) In order to fulfill its statutory obligations, FinBIF has to store and process other personal data in certain situations. This mainly concerns the professional use of the systems: for example, international agreements oblige in certain situations to keep a collection permit, which may contain, for example, the collector's passport number. This information is shared only when the law requires us to do so.
Some other information is collected for statistical purposes; more information in section 13.
Mandatory personal data for private users are only name or pseudonym, email address and the ID given by the system.
It is possible to use a pseudonym in FinBIF, but not if authentication via an organisational service requiring a real name (e.g. Haka, Virtu).
"Technical identifier provided by source system" means that when authenticating to FinBIF via an external system (Haka, Google etc), FinBIF uses the identifier provided by the external systeme to identify the user. FinBIF does not see passwords of the external system.
6. Regular sources of information
Information is gained from the following sources
- Directly from the user (e.g. when registering or entering data on the contact form)
- Web browser of the user (only for statistical information and location data of an observation)
- External sources joined to the FinBIF systems (e.g. Hyönteistietokanta, services provided by authorities, organisational personnel database when using organisational authentication to log in)
Some data (e.g. discussion forum trust level) is generated and updated based on the use of the system.
7. Regular disclosure and transfer of data
Most of the data entered into FinBIF is open data shown on the FinBIF Web pages and over APIs. Of personal data this includes name of the observer, quality annotator or person making an identification. For observation data the person data is shown in relation with the location of the observation. Some services allow the user, if they wish, to hide this data or make it more fuzzy on a case by case basis.
In order to publishing the data, exact data saved is seen and handled by organisational public service partners of FinBIF. They are all Finnish organisations using the observation data for a given public service task. When the data includes personal information, it is to some extent shared with the partner. The personal data shared is limited to
- identifier (MA.nnn)
- name or pseudonym
- location data (time and place relating to the observation)
- email address
- role and trust level
- organisational data
For research, FinBIF shares the data with its Finnish research partners. The shared data is observation data that can include personal information. The shared personal information is limited to
- identifier (MA.nnn)
- name or pseudonym
- location data (time and place relating to the observation)
- email address
- role and trust level
- organisational data
It is possible to make publications of data saved into FinBIF. For observational data, publication includes the observer name (unless hidden by user) and location data (unless hidden by user).
8. Transfer of data outside EU or EEA
Personal data will is not transferred or disclosed outside the EU or EEA, with the exception of the data that is publicly visible on the Internet (name, location data of observation, other public profile data). There are following exceptions:
Donations of collection samples may require that the natural science collection sample to be handed over be accompanied by documents that show that the sample was properly acquired. These documents contain personal data.
The discussion forum of FinBIF is at the time located on a server in the USA. When logging on to the forum with the FinBIF authentication the following data is transferred to the service:
- user identifier (MA.nnn)
- First and last name or pseudonym
- email address
For certain applications (eg. Mobiilivihko mobile app), error logging is done using a service that is based outside of the EU. No personal data is sent to the error logging service.
9. Principles of register protection
The personal data saved in the register can only be accessed by the administrator authorised by the register owner. This includes the named administrators of the organisational partners of FinBIF. They can access, and for role and organisational information, alter, the personal data of the FinBIF registered under their organisation. All use of the register is logged.
The network traffic is secured with secure protocols. The network and IT equipment containing the register are protected with a firewall and other technical measures. The IT equipment is kept in a locked facility under surveillance.
10. Right to inspect and its implementation
Users have the right to inspect data concerning themselves. Requests for inspection should be directed to the registrar.
Users may inspect their personal data related to their laji.fi user account in the user profile found in “Personal details” on the Laji.fi website.
A user who hasn't logged in can make a request for inspection by email or by letter to register owner (see section 2).
The inspection request is without charge when done once every 12 months at most.
11. Correcting data and implementation of corrections
Users have the right to correct erroneous or outdated information concerning themselves.
Information relating to the laji.fi user account can be corrected by the user using the laji.fi portal. If the information to be corrected relates to a user who hasn't logged in, or has been delivered from another system, the request for correction needs to be done with a signed letter or by email to the register administrator (see section 2).
A person can request their information to be deleted from the service. In this case all personal information is deleted from public services. For research and public service use, location information relating to observations is retained, but other personal information is removed.
12. Other rights
Personal data will not be used or disclosed for use in direct advertising, telesales or other marketing, market research and opinion polls as well as public registers and genealogical research, unless specifically authorised by the user.
It is possible to ask for such permission on e.g. an observation form relating to a certain project, so that the user can be reached with messages pertaining to the project or its administrator.
13. Cookies and statistics
The Internet services use cookies. Cookies are information describing the use of internet services, stored, for example, on the user’s computer and available to control communications between the web browser and server. Users are able to block cookies from the settings of the web browser they are using. Some parts of the service may not function in this case.
Anonymous statistics on the usage of the service are compiled with the help of log files and cookies. The personal data of visitors will not be connected with usage statistics.
Usage statistics are compiled with the help of the Plausible Analytics service only for website development and maintenance purposes. The website address and visitors’ IP addresses will be sent to a Plausible server. Plausible is hosted inside the EU community.
Further information on the Plausible service: https://plausible.io.
Requests, IP addresses and user-agents are logged.
14. Third party services
Our mobile application is distributed through third-party platforms: Google Play and Apple App Store. When you download, install, and use our app, certain data may be collected and processed by these third-party platforms. This section of our privacy policy explains how these platforms handle your data and how you can review their respective privacy policies.
Google Play
We use Google Play as a platform to distribute our app to users. Google Play may collect and process certain data when you download and install our app, such as device information, app version, installation ID, and other usage data. Google Play's data practices are governed by its own privacy policy, which you can review here: Link to Google Play Privacy Policy.
Please note that we are not responsible for the data practices of Google Play or any changes they may make to their policies. We recommend that you review Google Play's privacy policy to understand how they collect, use, and protect your data.
Apple App Store
Our app is also available for download on the Apple App Store. When you download and install our app from the Apple App Store, Apple may collect and process certain data, including device information, app version, installation ID, and other usage data. Apple's data practices are governed by its own privacy policy, which you can review here: Link to Apple Privacy Policy.
We are not responsible for the data practices of the Apple App Store or any changes they may make to their policies. We recommend that you review Apple's privacy policy to understand how they collect, use, and protect your data.
Inaturalist Mobile App
We provide the option for users to download and use the iNaturalist mobile app, which is developed by iNaturalist network, of which FinBIF is a part of. iNaturalist is a community-powered platform where users can record and identify plants, animals, and other organisms in nature. When you use the iNaturalist app, your data will be subject to their respective privacy policy. You can review the iNaturalist privacy policy here: Link to iNaturalist Privacy Policy.
Please note that we are not responsible for the data practices of third-party platforms or partner apps, including any changes they may make to their policies. We recommend that you review their privacy policies to understand how they collect, use, and protect your data.