Good governance

Legal compliance, transparency and Code of Conduct

Luke is a state research institute and our activities are based on the Act on the Natural Resources Institute Finland. Our activities are transparent and openly reported. Compliance with the principles of good governance is an important part of all our activities.

At Luke, our work and activities are guided by our strategy, Code of Conduct and Luke's values. The Code of Conduct sets out Luke's ethical principles. According to our Code of Conduct, every Luke member is committed to the principles of our Code of Conduct.

We strive to continuously improve the social impact of our activities, our productivity and to assess the results achieved and their cost-effectiveness. Transparency allows citizens and other stakeholders to assess our activities and their relevance. Transparency is achieved, for example, through communication and by complying with the provisions of the Publication of Public Officials Act.

Luke works in good cooperation with both domestic and foreign partners and requires them to comply with legal practices, research independence and good governance principles. In 2024, we published the Know Your Partners Guide. We want to know the significant risks associated with potential partners at an early stage. Examples of such risks include sanctions-related risks, involvement in illegal activities, corruption, lack of clarity about the actual beneficiaries, power holders and financiers, activities that run counter to Luke's values, and significant financial or reputational risks. The Code has been the subject of training and is part of the induction process for new employees.

Luke is a public procurement unit that adheres to the Act on Public Procurement and Concession Contracts as well as governmental procurement guidelines. The Code of Conduct sets out provisions for responsible procurement. It provides guidance on making responsible and sustainable purchases in accordance with our values, while taking into account factors such as safety, climate, and environmental considerations.

In 2024, approximately ten percent of our procurements included environmental responsibility criteria. These included, for example, setting heavy metal limits for fertilizers, favoring carbon-neutral products in print service tenders, and awarding extra points for energy efficiency in laboratory equipment tenders.

All tenders conducted by Luke have considered economic responsibility. This includes checking suppliers’ risk classifications, contractor liability data, and compliance with sanctions requirements.

When making procurements, we commit the supplier to promote social responsibility and sustainable development in the performance of the contract. In practice, this is reflected, for instance, by including a specific contractual clause on this obligation in Luke’s general terms for small-scale procurements.

The data protection policy defines the responsibilities, procedures, and monitoring methods related to the processing of personal data. The objective of the policy is to ensure the fulfillment of data subjects’ rights and freedoms, as well as compliance with the requirements of the General Data Protection Regulation (GDPR) and the Finnish Data Protection Act.

The data protection policy applies to all staff and compliance with it is a prerequisite for processing personal data. The policy is implemented through standardized practices and guidelines on data protection, which are accessible to all Luke employees via the Lukenet intranet. In 2024, the guidelines and some of Luke's contract templates related to data protection were updated.

In spring 2024, the access rights of visiting researchers and experts were harmonized in line with models used by other research institutes and universities. Access rights are now granted only to systems necessary for fulfilling contractual obligations. This clarified approach improves both information security and data protection within the organization.

The Code of Conduct includes a section on confidentiality and the protection of information. All processing of personal data must comply with relevant data protection and confidentiality obligations. At Luke, the privacy of clients and employees is respected, and data is processed appropriately and securely, following sound information management practices. We implement all required measures under data protection legislation to uphold the rights of data subjects. Any incidents or breaches are reported in the financial statements.

In 2024, special attention was given to practices related to corporate collaboration. The topic was discussed by the management team, leading to updates in certain guidelines and the organization of staff training sessions.

In 2024, Luke also prepared a Contract and Risk Management Policy. The purpose of the contract policy is to clarify the internal roles, rights, and responsibilities related to the preparation and lifecycle of contracts at Luke. The policy harmonizes practices and builds a shared understanding of Luke’s contractual advocacy, including both proactive and retrospective risk management.

The Risk Management Policy defines the objectives, organization, principles, responsibilities, and procedures of risk management. Risk management is an integral part of Luke’s management system and decision-making preparation. It covers all of Luke’s operations, including activities for which Luke is responsible under legislation, contracts, or other obligations. The policy ensures a consistent approach throughout the organization and provides the management with sufficient information for informed decision-making.