Privacy policy of the Finnish Biodiversity Information Facility (FinBIF)

Created: 7.3.2019. Updated 15.8.2023

This is the privacy policy concerning Internet services of the Finnish Museum of Natural History and the Finnish Biodiversity Information Facility (FinBIF) relating to species information and nature observations. These services include

  • the Laji.fi / species.fi portal
  • the Mobiilivihko mobile app
  • The Web Service of the Red List of Finnish Species
  • the Löydös observation reporting service
  • the information services of the Ringing Centre, incl. Lintuvaara
  • the Laji.fi forum
  • Kotka collection management system
  • vieraslajit.fi - National Finnish Invasive Species Portal
  • the Public Authorities Portal
  • Restricted data request system
  • the Result service of BirdAtlas
  • the bsg.laji.fi bird sound identification service

Personal information is handled for service administration and for identifying people entering data and saving observations. Contact information can be used e.g. for asking for more information about an observation saved by the user.

1. Registrar

University of Helsinki, Finnish Museum of Natural History
Business ID: 0313471-7

Address:
Finnish Museum of Natural History
PO Box 17 (Pohjoinen Rautatiekatu 13)
FI-00014 UNIVERSITY OF HELSINKI

2. Person responsible and/or liaison for matters related to the register

Esko Piirainen, IT Manager

Address:
Finnish Museum of Natural History
PO Box 17 (Pohjoinen Rautatiekatu 13)
FI-00014 UNIVERSITY OF HELSINKI
Tel: +358 50 415 4849
Email: esko.piirainen at helsinki.fi

3. Name of register

Personal data registry of the Finnish Biodiversity Information Facility

4. Purpose of handling personal data / purpose of register

Not all personal data described in this document applies to every site and service provided by FinBIF. For some sites users do not register, and for these personal data is limited mainly to the data mentioned in Section 13: Cookies and statistics.

Broadly, FinBIF handles personal data as supplementary data to species information. Personal information is used for research, teaching and civil service, as well as (in a limited way) for citizen science purposes (personal, public observation logs).

The use of personal information is based on permission given by the user to save, use and give out their data. In some cases, the basis for processing personal data is public interest (natural science research). In some cases, the basis for processing personal data is the legal obligation of the registrar.

More exactly, personal data is used to connect natural science data to actor data (e.g. observer, person who determined the species of an observation), to identify the user for services that require authentication (e.g. the forum) or to contact the user (e.g. responding to feedback, asking for more data about an observation). It is also possible to send feedback anonymously.

Personal data is saved for nature observations, since the significance of observations is directly proportional to the possibility of evaluating their reliability:

  • Without sufficient personal data of the observer or contact details of the owner or controller of the data, the value of observations is low.
  • Personal data or contact details are often required for verifying and validating data.
  • Personal data and contact details also enhance the legal protection of observers.

5. Data content of the register

The following data can be saved, with purposes and publicity/sharing as described:

| Personal data | Purpose | Publicity and sharing |
|---|---|---|
| Identification (MA.nnn) | Part of a unique URI identifier, used by the system to tell users apart | Public |
| First and last name or pseudonym | Shown with observation, unless prevented by user | Public |
| Location (the time and place reported by user for the observation) | Shown with observation, unless prevented by user | Public |
| Email address | Used to reset password and for contacting user | Shared with: organisational partners [1] for research and public service use; third party applications the user logs on to using the FinBIF authentication [3] |
| Image or symbol | Shown on the profile page of user | Public |
| Freeform description | Shown on the profile page of user | Public |
| Other information saved by user (e.g. home page, group, nickname) | Shown on the profile page of user | Public |
| Postal address | Used in case user needs to be mailed e.g. papers relating to a study they participate in | Not shared without explicit consent given on a case-by-case basis |
| Telephone number | Used to contact user in some circumstances | Not shared without explicit consent given on a case-by-case basis |
| Year of birth | Used for research, when it's necessary to separate two users with identical names, and no other identifying features are available | Not shared |
| Technical identifier provided by source system (username or -number) | Connects the FinBIF user profile to an authentication source (e.g. Google, or the University user management system) | Not shared |
| Roles and trust levels | Used for giving out rights to specific subsystems etc. | Shared with: organisational partners [1] for research, public service and administrative [2] use; third party applications the user logs on to using the FinBIF authentication [3] |
| Organisation information (if using FinBIF as other than private person) | Used to determine organisation that can alter role data of user | Shared with organisational partners [1] for research, public service and administrative [2] use |
| Admin of organisation (if using FinBIF as other than private person) | Used to determine who can add users to organisations | Shared with organisational partners [1] for research, public service and administrative [2] use |
| Public Authorities Portal access expiry date | Used to determine access to Public Authorities Portal | Shared with organisational partners [1] for research, public service and administrative [2] use |
| Friends (i.e. other users of service that have approved in-service friend request) | Used to give other users access to one's observations etc. | Shared with third party applications the user logs on to using FinBIF authentication [3] |
| Saved settings | E.g. settings of forms, default language and other saved details (Mainly not personal information) | Shared with third party applications the user logs on to using FinBIF authentication [3] |
| Other personal data | Fulfilling statutory obligations [4] | Distributed when required by law [4] |

(1) "Organisational partners" are Finnish research or public service organisations that share data with FinBIF. A full list cannot be given, since the number is growing.

(2) "Administrative use" means that an organisation can see organisational or role information to determine if a user is related to their organisation ("N.N. works for us, do they have the right organisation data?", "does N.N. have sufficient access to data we share to FinBIF?") or update, add or change organisational or role data relating to the organisation ("let's give N.N. the role they need for their work", "N.N. has retired, let's remove our organisational role from their user information").

(3) "Third party applications" refers to applications that use FinBIF data and authentication. E.g.: PigeonMobile is an application made by Pigeonsoft, used to record pigeon observations into Notebook. N.N. uses PigeonMobile to report pigeon sightings. For this to work, PigeonMobile needs to access some of N.N.'s personal data (such as email address and role information) when they log in to the application.

(4) In order to fulfill its statutory obligations, FinBIF has to store and process other personal data in certain situations. This mainly concerns the professional use of the systems: for example, international agreements oblige us in certain situations to keep a collection permit, which may contain, for example, the collector's passport number. This information is shared only when the law requires us to do so.

Some other information is collected for statistical purposes; more information in section 13.

Mandatory personal data for private users are only name or pseudonym, email address and the ID given by the system.

It is possible to use a pseudonym in FinBIF, but not when authenticating via an organisational service that requires a real name (e.g. Haka, Virtu).

"Technical identifier provided by source system" means that when authenticating to FinBIF via an external system (Haka, Google etc.), FinBIF uses the identifier provided by the external system to identify the user. FinBIF does not see passwords of the external system.

6. Regular sources of information

Information is gained from the following sources:

  • Directly from the user (e.g. when registering or entering data on the contact form)
  • Web browser of the user (only for statistical information and location data of an observation)
  • External sources joined to the FinBIF systems (e.g. Hyönteistietokanta, services provided by authorities, organisational personnel database when using organisational authentication to log in)

Some data (e.g. discussion forum trust level) is generated and updated based on the use of the system.

7. Regular disclosure and transfer of data

Most of the data entered into FinBIF is open data shown on the FinBIF Web pages and over APIs. Of personal data this includes the name of the observer, quality annotator or person making an identification. For observation data the person data is shown in relation to the location of the observation. Some services allow the user, if they wish, to hide this data or make it more fuzzy on a case-by-case basis.

In order to publish the data, the exact data saved is seen and handled by organisational public service partners of FinBIF. They are all Finnish organisations using the observation data for a given public service task. When the data includes personal information, it is to some extent shared with the partner. The personal data shared is limited to

  • identifier (MA.nnn)
  • name or pseudonym
  • location data (time and place relating to the observation)
  • email address
  • role and trust level
  • organisational data

For research, FinBIF shares the data with its Finnish research partners. The shared data is observation data that can include personal information. The shared personal information is limited to

  • identifier (MA.nnn)
  • name or pseudonym
  • location data (time and place relating to the observation)
  • email address
  • role and trust level
  • organisational data

It is possible to make publications of data saved into FinBIF. For observational data, publication includes the observer name (unless hidden by user) and location data (unless hidden by user).

8. Transfer of data outside EU or EEA

Personal data is not transferred or disclosed outside the EU or EEA, with the exception of the data that is publicly visible on the Internet (name, location data of observation, other public profile data). There are the following exceptions:

Donations of collection samples may require that the natural science collection sample to be handed over be accompanied by documents that show that the sample was properly acquired. These documents contain personal data.

The discussion forum of FinBIF is at this time located on a server in the USA. When logging on to the forum with the FinBIF authentication the following data is transferred to the service:

  • user identifier (MA.nnn)
  • First and last name or pseudonym
  • email address

For certain applications (e.g. the Mobiilivihko mobile app), error logging is done using a service that is based outside of the EU. No personal data is sent to the error logging service.

9. Principles of register protection

The personal data saved in the register can only be accessed by the administrator authorised by the register owner. This includes the named administrators of the organisational partners of FinBIF. They can access, and for role and organisational information, alter, the personal data of the FinBIF users registered under their organisation. All use of the register is logged.

The network traffic is secured with secure protocols. The network and IT equipment containing the register are protected with a firewall and other technical measures. The IT equipment is kept in a locked facility under surveillance.

10. Right to inspect and its implementation

Users have the right to inspect data concerning themselves. Requests for inspection should be directed to the registrar.

Users may inspect their personal data related to their laji.fi user account in the user profile found in “Personal details” on the Laji.fi website.

A user who hasn't logged in can make a request for inspection by email or by letter to the register owner (see section 2).

The inspection request is without charge when done once every 12 months at most.

11. Correcting data and implementation of corrections

Users have the right to correct erroneous or outdated information concerning themselves.

Information relating to the laji.fi user account can be corrected by the user using the laji.fi portal. If the information to be corrected relates to a user who hasn't logged in, or has been delivered from another system, the request for correction needs to be done with a signed letter or by email to the register administrator (see section 2).

A person can request their information to be deleted from the service. In this case all personal information is deleted from public services. For research and public service use, location information relating to observations is retained, but other personal information is removed.

12. Other rights

Personal data will not be used or disclosed for use in direct advertising, telesales or other marketing, market research and opinion polls as well as public registers and genealogical research, unless specifically authorised by the user.

It is possible to ask for such permission on e.g. an observation form relating to a certain project, so that the user can be reached with messages pertaining to the project or its administrator.

13. Cookies and statistics

The Internet services use cookies. Cookies are information describing the use of internet services, stored, for example, on the user’s computer and available to control communications between the web browser and server. Users are able to block cookies from the settings of the web browser they are using. Some parts of the service may not function in this case.

Anonymous statistics on the usage of the service are compiled with the help of log files and cookies. The personal data of visitors will not be connected with usage statistics.

Usage statistics are compiled with the help of the Plausible Analytics service only for website development and maintenance purposes. The website address and visitors’ IP addresses will be sent to a Plausible server. Plausible is hosted inside the EU community.

Further information on the Plausible service: https://plausible.io.

Requests, IP addresses and user-agents are logged.

14. Third party services

Our mobile application is distributed through third-party platforms: Google Play and Apple App Store. When you download, install, and use our app, certain data may be collected and processed by these third-party platforms. This section of our privacy policy explains how these platforms handle your data and how you can review their respective privacy policies.

Google Play

We use Google Play as a platform to distribute our app to users. Google Play may collect and process certain data when you download and install our app, such as device information, app version, installation ID, and other usage data. Google Play's data practices are governed by its own privacy policy, which you can review here: Link to Google Play Privacy Policy.

Please note that we are not responsible for the data practices of Google Play or any changes they may make to their policies. We recommend that you review Google Play's privacy policy to understand how they collect, use, and protect your data.

Apple App Store

Our app is also available for download on the Apple App Store. When you download and install our app from the Apple App Store, Apple may collect and process certain data, including device information, app version, installation ID, and other usage data. Apple's data practices are governed by its own privacy policy, which you can review here: Link to Apple Privacy Policy.

We are not responsible for the data practices of the Apple App Store or any changes they may make to their policies. We recommend that you review Apple's privacy policy to understand how they collect, use, and protect your data.

iNaturalist Mobile App

We provide the option for users to download and use the iNaturalist mobile app, which is developed by the iNaturalist network, of which FinBIF is a part. iNaturalist is a community-powered platform where users can record and identify plants, animals, and other organisms in nature. When you use the iNaturalist app, your data will be subject to their respective privacy policy. You can review the iNaturalist privacy policy here: Link to iNaturalist Privacy Policy.

Please note that we are not responsible for the data practices of third-party platforms or partner apps, including any changes they may make to their policies. We recommend that you review their privacy policies to understand how they collect, use, and protect your data.