Data policy of Aalto NeuroImaging -infrastructure

The data policy and file storage at Aalto NeuroImaging (AMI Centre, MEG Core, Aalto TMS, and Aalto Behavioral Laboratory) is compliant with the General Data Protection Regulation (GDPR; EU 2016/679, enforcable from 25th of May 2018) concerning the data protection and privacy for all individuals within the European Union.

The final version of our data policy is subject to modifications and requirements inflicted by (i) the Finnish government and TENK ( as well as when (ii) Aalto University has published its official and detailed instructions and policies regarding the GDPR. Aalto NeuroImaging will follow the principles described by all the abovementioned instances (i-ii).

In addition to our current operation principles, the principal investigator should note especially the following:

  • PI is responsible for the data acquisition, data transfer and storage at their own respective institute and department. Aalto NeuroImaging (ANI) provides secure first-hand storage (with grace period) but is not saving the data for future use for any user.


  • ANI will provide detailed instructions (subject to the abovementiones changes) how data should be de-identified and handled when measured and stored temporarily at ANI's servers and when transferred and stored to other institutes servers and perhaps further shared. This may include, e.g., the following:
    • All data must be anonymous. You should not use names, initials or anything when naming your measurement files at the instance of data acquisition. You should have a separate key for combining, e.g., 'Subject001' with N.N. and this key should be kept in a separate and secure location from the data.
    • The same applies for other identification information normally stored in the headers of medical data format (birthdays etc.).
    • MRI data might need to be defaced, that is you should remove the anatomical features of the individuals faces from the data immediately after you have transferred the data to your own institute/department.
    • The changes may inflict modifications to your consent forms. Detailed information will follow later. However, the law will override any consent given by the subject, so the subject cannot abandon their rights to their data (even if they would like to do so).
    • You should not keep any data in usb-sticks or any other portable media as it cannot be securely encrypted. Detailed information about what is safe and what is not will follow. At Aalto, Aalto workstations are encrypted, but not necessarily all laptops. Make sure you only use encrypted devices!

The final instructions should be ready by fall 2018, when all the abovementioned decisions have been made and open issues are solved.

Page content by: tuotolv [at] neuro [dot] hut [dot] fi (Tuomas Tolvanen) | Last updated: 09.05.2018.