Processing personal data
IT security procedures for students processing personal data includes instructions for what students at the University need to consider in order to process personal data in a secure way when using their own IT equipment, such as a computer, and describes relevant security measures for IT security on Windows and macOS computers.
The requirements for Linux/Unix computers are the same as for Windows and macOS computers, but are not included in this document. The reason for this is that Windows and macOS computers are the most commonly used computers among the University's students, and there are many different versions of Linux and Unix operating systems, which would result in an exceedingly comprehensive document.
As a general rule, mobile phones and tablets should not be used for the processing of personal data as these often connect to cloud services with which the university does not have an agreement. However, recording of interviews can be done according to the instructions included in this document.
Chromebooks may not be used as they connect to cloud services with which the university does not have an agreement.
Definitions
Processing (of personal data): any operation performed on personal data. A few examples of processing: interviews (even if no names are mentioned), online surveys, showing someone personal data on a screen, printing personal data on a printer, saving a file containing personal data on a computer, sending personal data via email and deleting a file containing personal data. Even paper surveys are, as a main rule, a form of processing of personal data.
Sensitive personal data: data disclosing racial (the General Data Protection Regulation uses the term racial, but also clearly states that this does not imply an acceptance by the EU of theories which attempt to determine the existence of separate human races) or ethnic origin, political opinions, religious or philosophical beliefs, trade union affiliation and the processing of genetic data, biometric data to unequivocally identify a physical person, data concerning health, a physical person’s sexuality or sexual preference.
Unauthorised persons: people (e.g., your children, partner or classmates) who should not have access to the information.
Personal data: any kind of information that can be directly or indirectly linked to a living person. Examples of personal data: family relationships, personal finances, memberships, opinions and religious beliefs.
Academic papers: independent projects as well as academic papers that are part of a research project.
Processing of personal data as part of a course/programme
The University is the personal data controller of students’ personal data processing that is part of the course or programme they are taking. When a student processes personal data under supervision of the University, the student acts as a representative of the University and the University is responsible for ensuring that the processing complies with applicable laws and that the data subjects’ integrity is protected. Further information on processing of personal data by students as well as guidelines and templates for academic papers can be found here:
For students to be able to process personal data as part of an academic paper, the processing needs to meet certain security requirements.
This means that computers used for writing academic papers need to:
- Be protected by a strong password (see section below)
- Have antivirus software installed and activated
- Have the built-in firewall of the operating system turned on.
This is how you do it for:
- Have the operating system updated with the necessary security updates.
This is how you do it for:
Software used also needs to be updated with necessary security updates. Instructions on how to update the software you use can be found in the help section of the software or on the company’s website. Examples of common software:
Old operating systems do not receive any new security updates and are therefore not safe to use. Currently, this applies to versions of Windows 10 before 22H2, including Windows 7 & 8.1, as well as older versions of macOS before version 12. Microsoft and Apple regularly stop providing updates for older versions, so the information on this page is regularly updated. 
This is how you identify which version your computer is running.
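The version rule above expressed as a check, as an added example that is not part of the original page. The function names and the mapping of Windows 10 22H2 to build 19045 are assumptions that do not appear on the page.

```python
import platform

# Minimums from the page: Windows 10 22H2 or later, macOS 12 or later.
# Assumption (not on the page): Windows 10 22H2 reports build 19045.
WIN10_22H2_BUILD = 19045
MIN_MACOS_MAJOR = 12


def is_supported(system: str, version: str) -> bool:
    """Return True if the OS still meets the page's minimum version.

    system:  platform.system() value, "Windows" or "Darwin" (macOS)
    version: platform.version() on Windows, e.g. "10.0.19045";
             platform.mac_ver()[0] on macOS, e.g. "12.7.4"
    """
    if system not in ("Windows", "Darwin"):
        raise ValueError("the page only covers Windows and macOS")
    parts = version.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version string: {version!r}")
    numbers = [int(p) for p in parts]
    if system == "Darwin":
        return numbers[0] >= MIN_MACOS_MAJOR
    if len(numbers) < 3:
        raise ValueError(f"no build number in: {version!r}")
    # Windows 7 reports 6.1 and Windows 8.1 reports 6.3. Windows 10 and 11
    # both report 10.0 and differ only in the build number.
    major, build = numbers[0], numbers[2]
    return major >= 10 and build >= WIN10_22H2_BUILD


def check_this_computer() -> bool:
    """Apply the rule to the machine the script runs on."""
    system = platform.system()
    version = platform.mac_ver()[0] if system == "Darwin" else platform.version()
    return is_supported(system, version)


if __name__ == "__main__":
    try:
        print("supported" if check_this_computer() else "too old, update first")
    except ValueError as exc:
        print(f"cannot check: {exc}")
```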
Mobile phones and tablets
If mobile phones or tablets are used to record interviews, these must:
- be protected by a pin code that is difficult for someone else to guess (see section below), and
- have the operating system and apps updated with the necessary security updates.
External USB sticks, USB hard drives and paper documents
If external storage media such as USB memory sticks or USB hard drives are used to store information, it is important that these are kept in a safe place so that unauthorised persons cannot gain access to the information you have saved. Paper documents (e.g., printouts) must also be kept in a safe place so that unauthorised persons cannot gain access to the documents.
Processing of sensitive personal data in academic papers
At the University, the main principle is that it is prohibited for students to process sensitive personal data as part of writing an academic paper. However, there are exceptions. Sensitive personal data can, for example, be processed as part of academic papers by students in subjects that have been exempted by the dean. Consult your supervisor to ensure you have the right to process sensitive personal data and that the processing of personal data has been registered in the University’s register of processing of personal data in relation to academic papers before you start collecting personal data.
Students may only process sensitive personal data using IT technical solutions and services that the IT director has assessed as having adequate protection for the type of data in question and in accordance with applicable instructions. All other processing of sensitive personal data is prohibited and may result in disciplinary sanctions. Information about which systems to use and instructions on how to use them can be found here (in Swedish):
Creating a strong password and pin code
The purpose of a password is to protect your information on IT services and computers so that attackers and unauthorised persons cannot read or destroy your information. Therefore, it is important that you create a strong password that makes it difficult for attackers and unauthorised persons to access your information. The following are tips and advice based on the Swedish Internet Foundation’s recommendations on how to create a strong password:
A unique password for each service

The world’s best password can become the world’s worst if you use it everywhere. If the password leaks, a person who wants to intrude suddenly has access to all your services. You should therefore use different passwords for different services, and you must never use the same password for your KauID that you use or have used for external services (such as Google, Spotify or Netflix). Nor should you reuse the same password that you have used before, for example, at your previous school.
Use unusual and impersonal passwords

Forget about passwords like Summer2023 or Swifties4Ever. A strong password needs to be unusual and contain nothing that can be linked to you as a person.
Think long when it comes to passwords

The longer the password, the better. A password should include at least 10 characters. By thinking in phrases, the password becomes easier to remember than a bunch of letters and numbers jumbled up. Four randomly selected words will get you far.
For more tips and information on how to create a strong password, visit the Swedish Internet Foundation’s website.
Pin codes
As with passwords, pin codes should be difficult to guess, so choose pin codes that have no connection to you as a person. Bad examples of pin codes are digits in a row like 1234 or 0000. Pin codes that are linked to your, your partner’s or your children’s birth dates are also examples of bad pin codes. As with passwords, long pin codes are more secure than short ones, so preferably choose pin codes that include six characters or more.
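The pin code advice above turned into a check, as an added example that is not part of the original page. The function names, the message texts and the list of date layouts are assumptions, and the sample birth date in the usage is constructed.

```python
from datetime import date

MIN_PIN_LENGTH = 6  # the page recommends six characters or more


def date_forms(d):
    """Common ways a date is typed as digits (assumed list, not from the page)."""
    y4, y2 = f"{d.year:04d}", f"{d.year % 100:02d}"
    m, dd = f"{d.month:02d}", f"{d.day:02d}"
    return {dd + m, m + dd, y4,
            dd + m + y2, y2 + m + dd, m + dd + y2,
            dd + m + y4, y4 + m + dd, m + dd + y4}


def is_run(pin):
    """True for consecutive digits going up or down, such as 1234 or 9876."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


def pin_problems(pin, birth_dates=()):
    """Return the reasons a pin code is weak; an empty list means none found.

    birth_dates: dates linked to the owner (own, partner's, children's).
    """
    if not pin.isdigit():
        return ["not made up of digits"]
    problems = []
    if len(pin) < MIN_PIN_LENGTH:
        problems.append("shorter than six digits")
    if len(set(pin)) == 1:
        problems.append("one repeated digit")
    if is_run(pin):
        problems.append("digits in a row")
    # Substring match on purpose: a date padded with extra digits is still a date.
    if any(form in pin for d in birth_dates for form in date_forms(d)):
        problems.append("contains a birth date")
    return problems


if __name__ == "__main__":
    sample_birthday = date(1999, 3, 14)  # constructed sample value
    for candidate in ("1234", "0000", "140399", "583920"):
        print(candidate, pin_problems(candidate, [sample_birthday]))
```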
Cloud services and other external services
External cloud services that are not available via the University may not be used for processing of personal data. This applies to, for example, storage services such as Dropbox, Google Docs, iCloud, etc.
An up-to-date list of the services that can be used can be found at:
You must log in to these services using the University’s links.
Recording interviews
Before recording an interview, start by considering the location you are in. Ensure that no unauthorised people can listen to what is being said during the interview. A suitable place to record an interview could be one of the group rooms available at the University.
Examples of suitable ways to record an interview:
Via Zoom

You can record an interview in Zoom if the computer, mobile phone or tablet used meets the security requirements (see Section 2 above). When the recording is made in Zoom, two files are created, one audio file and one video file. The video file must be deleted as soon as the interview is finished, unless otherwise agreed in advance with your supervisor.
Via computer

Local software installed on the computer that meets the security requirements (see Section 2 above) can be used to record interviews provided there is no synchronisation of the audio file to a cloud service that the University does not have an agreement with (see section above).
Via mobile phone or tablet

The following steps need to be taken if a mobile phone or tablet that meets the security requirements (see section above) is to be used to record an interview:
1. Put the mobile phone or tablet in airplane mode and ensure WiFi is turned off
2. Complete the interview
3. Copy the file with the interview via a cable to a computer that meets the security requirements (see Section 2 above)
4. Delete the file containing the interview from the mobile phone or tablet
5. Turn off airplane mode on your mobile phone or tablet
Via voice recorder (that is not connected to the Internet)

As long as the interview is stored on the recorder, it must be handled in such a way that unauthorised persons cannot listen to the recorded interview. This could include you supervising the recorder as long as it contains the interview or placing the recorder in a locked space. Once the interview has been saved on a computer that meets the security requirements (see Section 2 above) and has been deleted from the voice recorder, the recorder no longer has to be handled in any particular way.
Transcription
When transcribing personal data (that is, when interviews are written down) contained in an audio file, no cloud services or programmes that use a cloud service may be used since the University currently provides no such service for students. Transcriptions must be done by the students who are part of the independent project and on a computer that meets the security requirements (see Section 2 above).
Deleting data upon completion of an academic paper
After completing an academic paper, all work material containing personal data must be deleted from the computer and possibly other external storage media such as USB memory sticks. Remember to also delete what ends up in the recycle bin of the computer.
Any documents containing personal data that you have printed on paper should also be destroyed and then thrown away when the academic paper is completed. Remember to destroy the document before throwing it in a bin by, for example, cutting the paper into small pieces or using a paper shredder if you have access to one.