The university is responsible for how students process personal data throughout their education – for example, when they are working on their degree project or a placement report. This processing of data must follow the requirements that are in place for personal data protection. On this webpage, you will find information that is specific for supervisors and students. More detailed information can be found on the other webpages here.
In certain cases, students’ work must also be reviewed by the university’s Research Ethics Committee (FEN). You can read more about FEN and ethical review on the university’s webpage Research Ethics Committee.
Is personal data processed in students’ work?
Personal data is data that can be identifiable by direct or indirect means, having either a direct or indirect connection to a living person. A direct connection can be name, email address or social security number (personnummer); an indirect connection might be the IP address of a computer, location data of a mobile or coded personal data. Pictures and sound recordings are also considered to be personal data. The deciding factor is that the data, either on its own or in combination with other data, can be linked to a living person.
Since the General Data Protection Regulation (GDPR) only regulates the processing of personal data, students should consider, prior to their study, whether they can complete it using anonymous information so that there is no way to connect that information to a person. Note that GDPR requirements encompass coded or pseudonymised personal data in the case that there is an existing keycode.
GDPR applies when personal data is processed manually or in a manner that is completely or partially automised, and is connected to a searchable register: for example, in the use of databases, web surveys, social media, and sound and image recordings. In these cases, participants in the study have the right to receive information about data processing in accordance with the requirements laid out in GDPR. Collected personal data may only be used for the purpose outlined in the information.
The data collected must be necessary for the purpose of the study and must not be saved longer than is necessary for the purpose of the study. Therefore, when it comes to students’ work, collected data can, in normal cases, be deleted after the work has received a passing grade and when there are no plans to use the data in continued studies (for which the participants have given their consent).
Is sensitive personal data processed?
Sensitive personal data is data about racial or ethnic origin, political opinions, religious or philosophical belief, membership in a trade union, health, sex life or sexual orientation, genetic data or biometric data.
If this type of data is going to be processed, then there are strict requirements that students must be aware of. This is why it is useful to consider conducting the study by using anonymous data where it is not possible to connect the information to the person in question, or without having to process this kind of data. Note that coded or pseudonymised personal data is not to be regarded as anonymous.
Consent as the Basis for Processing Data
Unlike the activities of the rest of the university, student work can, normally, only be carried out when consent has been given. This is especially the case with the processing of sensitive personal data when it is important that consent is voluntary and that there is no doubt that the registered person has given his/her approval after having first received clear information about what the processing of the personal data will involve. The consent will therefore be designed so that it also involves consent in terms of the processing of the personal data, not just participation in the study. So as to be able to prove consent, the consent should be in writing. The consent can be withdrawn at any time, after which no further data can be processed.
Inform Participants about the Processing of Personal Data
Participants have rights to both information about the study and information about what personal data will be processed and in what way. The following must, in accordance with GDPR, be clear in the information to participants:
Security, Storage and Transfer
The security requirements depend on the type and quantity of personal data, and the way it will be processed. In the case of sensitive personal data, the requirements are greater. They are also greater when the data is to be transferred over the Internet – for example, in the case of an online survey. This is why it is important that a risk analysis is conducted and documented before the study begins – for example, in the description of the method to be used for the study.
Students can store collected data in the university’s central server (this is called H: or hemmakatalog). This is the recommendation in the case of the processing of sensitive personal data. There, data is protected and a back-up copy made. If data is to be stored locally on a computer or on a mobile device, such as a mobile phone or a USB memory stick, then the student him-/herself must ensure that the personal data is protected and backed up.
Read more about security, storage and transfer under the heading Security and Transfer. Contact the university’s Data Protection Officer or IT with any questions.
The reason for having to report data processing is that the university, in accordance with GDPR, has an obligation to conduct a register of all current documents at the university. To ensure it meets this obligation, the university requires that it receives these applications.