������ý

Aim of the text

The European General Data Protection Regulation (GDPR) and complementing Swedish legislation require that all work with personal data should be done transparently, correctly and securely. Students considering processing personal data as part of their independent projects have to consider many aspects before they can start. This text provides a brief overview of the aspects you need to consider to process personal data lawfully.

The text below starts with an introduction to the GDPR (Part 1) before presenting guidelines for independent projects in nine steps (Part 2).

Part 1 – Introduction to the General Data Protection Regulation (GDPR)

Overview of the General Data Protection Regulation

The General Data Protection Regulation comes into legal force in all EU countries on the 25th of May 2018. The Regulation will bring about a number of changes for those who process personal data and will strengthen the rights of individuals as far as privacy is concerned.

All processing of personal data must fulfil the basic principles of the GDPR. Simplified, this means that personal data only may be collected for certain legitimate purposes, that only necessary personal data may be processed and that data may not be stored for longer than necessary. It is also important to remember that personal data always must be processed in a secure manner.

An overarching aim of the new stipulations in the GDPR is to emphasise that those who process personal data also are responsible for ensuring that the GDPR is followed and that this can be shown through written documentation. It is therefore crucial that students have basic knowledge of the regulations regarding personal data processing.

Link to the official EU version of the GDPR:

Basic terminology

Personal data

Any piece of information related to an identified or identifiable natural person. It is decisive that the information, on its own or in combination with other details, can be associated with a living person. Typical personal data include names, civic registration numbers, addresses or IP addresses, but other factors that in combination can be associated with a natural person are also regarded as personal data.

Please note that the fact that someone may be able to associate the information to a living natural person is enough for it to be regarded personal data.

Even when you as data processor do not know or have no way of finding out which natural person is associated with the data this may still constitute personal data processing. In determining whether a person is identifiable, one has to take into account all aids that reasonably may be used – by the data controller or another legal or natural person – to identify the natural person directly or indirectly. As long as there, for example, is an encryption key saved somewhere that makes it possible to associate the data with a specific person, the data are treated as personal data.

Personal data processing

Personal data processing is a wide-ranging concept. All forms of measures taken that involve personal data are regarded as personal data processing, from the collection of the personal data until they are finally deleted or destroyed.

The GDPR [MG1]��includes the following examples of personal data processing: collection, registration, structuring, storage, processing or modification, development, reading, using, disclosure, dissemination and finally also deletion or destruction of personal data. Remember that printing personal data or sending emails always involves personal data processing.

Personal data controller

The personal data controller determines the aims and means of personal data processing.

Who is responsible for students’ personal data processing?

������ý is the personal data controller for the processing of personal data as part of university activities. This does not only include the data processing done by teachers and administrative staff, but, as a rule, the university is also responsible for personal data processed by students as part of their courses and programmes. If students for example process personal data as part of their independent projects, this is regulated by the GDPR and ������ý is responsible for ensuring that the regulations are followed.

There are some exceptions, however. If students are on practical placements (VFU), the organisation where students are placed is the personal data controller when students complete different duties in for example healthcare or schools (in the same way that the organisation is the personal data controller when its employees process personal data).

Basic principles for the processing of personal data

The processing of personal data must each time comply with the six basic principles set out in Article 5 of the GDPR. When ������ý students process personal data, the university has to ensure that the requirements below are met and that fulfilment of the requirements is documented.

• Data must be processed lawfully, fairly and in a transparent manner in relation to the data subject, i.e. the person whose data we process (lawfulness, fairness and transparency).
• Data must be collected for specified, explicit and legitimate purposes and may not be further processed in a manner that is incompatible with those purposes incompatible with the initial purposes (purpose limitation).
• Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation).
• Data must be accurate and, where necessary, kept up to date (accuracy).
• Data must not be kept in a form which permits the identification of data subjects for any longer than is necessary for the purposes for which the personal data are processed (storage limitation).
• Data must be processed in a manner that ensures appropriate security of the personal data (integrity and confidentiality).

These are the basic principles for the processing of personal data and all activities have to be assessed in relation to the points above.

Students’ personal data processing requires consent

Usually, only consent can form the lawful basis of personal data processing by students as part of their courses and programmes.

The premise of the GDPR is that each individual owns their own personal data. Those persons who for example are to participate in a study must therefore have the opportunity to decide whether their personal data may be processed. Therefore each individual must be given information about what personal data processing involves, before they have to decide whether they consent to their personal data being processed (informed consent).

Sensitive personal data

Some personal data are by nature sensitive and therefore enjoy stronger protection under the GDPR. These are called sensitive personal data and include data on race or ethnic background, political opinions, religious or philosophical beliefs, membership in labour unions, genetic data, biometric data for unambiguous identification of physical persons, and details on the health, sexual activity or sexual orientation of a physical person. Personal data on for example a person’s mother tongue or home language may also be sensitive personal data, because in some cases ethnic background can be inferred from such data.

The premise of the GDPR is that the processing of sensitive personal data is prohibited.

Please note that ������ý generally does not allow students to process sensitive personal data. There are, however, some exceptional cases in which students may be allowed to process sensitive personal data, as for example during practical placements (VFU) in healthcare or at a psychological clinic.

Processing sensitive personal data in independent projects

The GDPR allows for some exceptions to the prohibition of processing sensitive personal data, but such processing must always be restrictive and must fulfil high requirements as regards organisational and technological security measures. The extensive allowance for processing sensitive personal data for research purposes made in the GDPR, the Research Data Act and the Ethical Review Act is not applicable to programmes and courses at bachelor or master level, because these are not regarded as research.

Bill 2007/08:44, Vissa etikprövningsfrågor m.m [Some ethical review questions, etc.], states that “the government is of the opinion that it is unreasonable to expect students at bachelor or master level to certainly have acquired knowledge and insight to the extent needed to ensure the security of people participating in research. Students should therefore not be given the responsibility associated with activities that involve participants and when these people are at risk physically, mentally or as far as their privacy is concerned.”

Please note that ������ý therefore does not allow students to process sensitive personal data in their independent projects.

The only exception from this rule is when students do their independent projects as part of a research project at ������ý that has been ethically vetted by a regional Ethical Review Board.

Support is available

Faculties and departments are knowledgeable on how personal data are processed in independent student projects at ������ý. Contact your supervisor, course coordinator or examiner for support.

More information

Data Inspectorate:

��

Part 2 – Processing personal data in independent projects: Guidelines in nine steps

The European General Data Protection Regulation (GDPR) and complementing Swedish legislation require that all work with personal data should be done transparently, correctly and securely. Students who want to process personal data in their independent projects/degree projects/essays (called “independent projects” below) therefore have to consider many aspects before they can start on their projects.

This text explains the nine steps that have to be followed for the lawful processing of personal data. In short, students must:

1. Assess whether it is necessary to process personal data.
2. Define the aim of personal data processing and determine which personal data must be collected.
3. Ensure that no sensitive personal data will be processed.
4. Decide how the information will be stored and ensure that it is processed securely during the project.
5. Decide which parts of the information must be deleted and which parts must be stored after the project is done.
6. Draw up an information letter and consent form.
7. Complete the form for the registration of personal data as part of the independent project, so that your supervisor can enter your project into the university’s register.
8. Inform and obtain the consent of each individual who will participate in the study, collect the necessary personal data and process the personal data in accordance with what was decided in steps 1–7 above.
9. Delete or archive personal data material in accordance with the decision in step 5 above, after the independent project has been awarded a passing grade.

Consult your supervisor about the appropriate measures for your independent project and remember that your supervisor must be involved in and aware of each step in the process. In order to fulfil the requirements in the GDPR, all the steps must be assessed and completed correctly.

Step 1 – Do I need to process personal data?

The first question you need to ask is whether it is really necessary to process personal data in your independent project. If you do not process personal data the requirements in the GDPR are not applicable, which will make your independent project easier to complete.

It is important to remember that all information that directly or indirectly can be associated with a living person constitutes personal data. This means that it is not just information regarding name, civic registration numbers, IP numbers or recorded interviews (even anonymous ones) that constitute personal data. Combinations of less identifiable data may also make it possible to identify individuals.

Step 2 – Define the aim of the study (aim of data processing)

Before starting working on the project, it is important to consider and clearly document which types of data must be collected and why. This is not difficult for students doing independent projects – the aim of data processing is simply to be able to do the investigation you need to do to complete your project. It is however important that you carefully consider and formulate the aim of data processing, and that you are sure which information you need to fulfil this aim.

Please note that it is never allowed to collect and process more personal data than you need to fulfil this aim.

It is also important to remember that personal data may not be shared with more people than necessary. Unauthorised persons must not be able to access personal data – only those who need access to the data to complete the independent project so that it can be examined are allowed to process personal data.

Step 3 – Ensure that no sensitive personal data will be processed

Under the GDPR, sensitive personal data include data on race or ethnic background, political opinions, religious or philosophical beliefs, membership in labour unions, genetic data, biometric data for unambiguous identification of physical persons, and details on the health, sexual activity or sexual orientation of a physical person. Personal data on for example a person’s mother tongue or home language may also be sensitive personal data, because in some cases ethnic background can be inferred from such data.

The premise of the GDPR is that the processing of sensitive personal data is prohibited.

Please note that ������ý therefore does not allow students to process sensitive personal data in their independent projects.

The only exception from this rule is when students do their independent projects as part of a research project at ������ý that has been ethically vetted by a regional Ethical Review Board.

Step 4 – Decide how the information will be stored and processed

Collected data must be processed securely. ������ý offers a number of services that may be useful during your project, such as Box and Sunet Survey. You are also allowed to save collected personal data using the storage provided by the university to students under H: (accessible online via ). All these services are appropriate for the processing and storing of personal data during independent projects.

External cloud services (not offered through ������ý) may not be used to process personal data. These include storage services such as Dropbox, Google Docs, iCloud, etc. You are also not allowed to store personal data on unencrypted USB drives, smartphones or tablets, as these usually do not have adequately security and are frequently synced to cloud services.

Step 5 – Decide which parts of the information must be deleted or stored

Personal data may not be stored for longer than necessary and must be deleted when no longer needed. In some exceptional situations, personal data may have to be stored for a certain time to substantiate the conclusions of an independent project or because they will be processed in future (for example if you plan on publishing your results in a scholarly article). It is therefore important to decide what will happen with collected personal data before the start of the actual project. Must some data be given to ������ý to be stored for a certain time? All other personal data must be deleted by students when their independent projects have been awarded passing grades in Ladok.

Step 6 – Draw up an information letter and consent form

According to the GDPR, personal data may only be processed if there is a lawful reason to do so. The GDPR lists a number of requirements, and at least one of them must be met for personal data processing to be lawful. In practice, however, consent from each individual participant is the only lawful basis on which personal data may be processed in independent projects.

You obtain the consent of participants by informing them in writing about the aim of the study, which personal data you want to collect, for what purpose the personal data will be used, and how long personal data will be saved before being deleted. Participants in the study can only consent to personal data processing after they have been informed in this manner.

Please note that withdrawing consent must be as easy as giving it. The contact details of the student(s) doing the independent project and the supervisor must therefore always be included in the information letter.

������ý has developed a template for the information letter and consent form that you can use. See the link below.

• Information letter
• Consent��form

Step 7 – Complete the form for the registration of personal data as part of the independent project

Before you are allowed to start processing personal data, you have to complete a form regarding data processing as part of your independent project and your project must be entered into ������ý’s register of independent projects involving personal data processing. Students have to complete the details required in the form. See the link below.

When you have completed the form, it has to be approved by your supervisor. Your supervisor is then responsible for ensuring that the information is recorded in ������ý’s register of independent projects involving personal data processing. The supervisor has the main responsibility for reviewing the completed form for the registration of personal data, the information letter and consent form for participants and ensuring that these documents fulfil the requirements of the GDPR.

The collected personal data may not be included in the register of independent projects involving personal data processing. The register is simply a list showing which personal data will be collected and processed that allows ������ý to monitor personal data processing as part of students’ independent projects.

Step 8 – Obtain the informed consent of each individual participant, collect and process personal data

If the previous steps have been followed correctly, this is a simple formal step that does not demand further measures. At the same time, this is in practice the main step during which you conduct the study for your independent project.

Step 9 – Delete or archive personal data material after your independent project has been examined

When you have completed your independent project, that course component have been examined and your grade has been reported into Ladok, a final important step has to be completed. The personal data you processed must now be deleted or transferred for storage/archiving in accordance with what was decided in Step 5.

It is your responsibility as a student to delete the personal data material after your independent project is completed.