GDPR for students
This website supports you as a student when you process personal data while writing an essay or carrying out an independent degree project.
You will find general information about GDPR, as well as tips on what to think about, how to handle different types of personal data, and whether you can avoid using personal data altogether.
Introduction to the Data Protection Ordinance (GDPR)
The Data Protection Ordinance is the regulation that applies to the processing of personal data in all EU countries as from 25 May 2018. GDPR is the English abbreviation of the regulation (General Data Protection Regulation).
The legislation means that all processing of personal data must meet the fundamental principles described in the Data Protection Ordinance. In short, personal data may only be processed if there is a justified cause; the people whose personal data is being processed must have been informed about the processing; you must not process more data than is necessary for the original cause; the personal data must not be kept longer than necessary; and the data must be stored in a secure way suited to its purpose.
Concepts and definitions
Personal data
Personal data is information that can be used, directly or indirectly, to identify a living person. Personal data can be, for instance, a name, address, personal identity number, IP number, car licence plate, or property designation. It can also be biometric data such as fingerprints or DNA. Data that cannot be interpreted on its own is still considered personal data if it can be interpreted using a tool; for instance, encrypted data for which a decryption key exists.
Processing of personal data
All measures linked to personal data are considered personal data processing. This includes, for instance, collection, registration, structuring, processing, compilation, and deletion. Processing of personal data is thus a very broad concept.
Personal data responsibility
Personal data responsibility lies with the entity or person who decides the purpose of, and the means for, the processing of personal data. Linnaeus University is responsible for the processing of personal data that takes place within Linnaeus University’s activities, which also includes the personal data processing carried out by students during their education, for instance in connection with the writing of theses.
Fundamental principles
Article 5 of the Data Protection Ordinance lists a number of fundamental principles that must be met in order for data processing to be lawful. This means that processing of personal data that takes place in connection with the writing of a thesis must meet these fundamental principles.
- The data should be processed in a lawful, correct, and open way in relation to the person whose personal data is being processed, that is, the registrant (lawfulness, correctness, and openness).
- The data should be collected for specific, explicitly stated, and justified purposes and not later on be processed in a way that is incompatible with this purpose (limitation of purpose).
- The data should be adequate, relevant and not too comprehensive for the purpose in question (limitation of data).
- The data should be correct and if necessary updated (correctness).
- The data must not be stored in a way that enables identification of the registrant for a longer period of time than what is necessary for the purposes for which the personal data has been processed (storage minimisation).
- The data should be processed in a way that guarantees adequate protection of the personal data (integrity and confidentiality).
Student processing of personal data requires consent
The basis of the Data Protection Ordinance is that you should have the right to decide who handles what personal data about you and for what purpose. In order for processing of personal data to be lawful, a lawful basis is required, which means that consent is required from the person whose personal data is being processed. There are some exceptions where consent is not required in order to process personal data; for instance, a public authority needs to process certain personal data in its exercise of authority, and a company needs to process certain personal data in order to fulfil an agreement and to invoice. For student theses, however, consent is, as a rule, always required in order to process personal data.
Consent should, according to legislation, be:
- Informed, which means that a person has received enough information about personal data processing to be able to make a decision on whether to give consent or not.
- Voluntary, which means that it must be possible to say no, there must not be an unequal balance of power (as between, for instance, an employer and an employee), and there must not be any negative consequences for an individual who says no.
- Revocable, which means that it should be possible for the individual to withdraw his/her consent.
Sensitive personal data
Some personal data is considered sensitive personal data, which means that it is covered by stricter rules in the Data Protection Ordinance. Sensitive personal data is information about race or ethnicity, political views, religious or philosophical belief, trade union membership, genetic information, biometric data, health-related information, or information about an individual’s sex life or sexual orientation.
In general, according to the Data Protection Ordinance, it is prohibited to process sensitive personal data.
Support is available
If you have any questions concerning the Data Protection Ordinance or the processing of personal data, you are welcome to contact Linnaeus University’s personal data ombudsman.
Report to register on theses that contain personal data
If you use personal data in your thesis work, you need to report this to Linnaeus University’s personal data ombudsman, so that the university can keep track of where processing of personal data occurs. You do this via the web form for reporting processing of personal data.
As a student, how should I process personal data in my work?
Step 1: Do you need to process personal data?
If the study can be carried out without processing personal data, this is preferable. In that case, the requirements of the Data Protection Ordinance do not apply.
Step 2: Define the purpose of the processing and what information needs to be collected
What data should be collected and why? Reflect on the purpose of the processing of personal data to get a clear picture of what information is necessary for your study.
Step 3: Register the processing
Each processing of personal data should be registered in Linnaeus University’s register on personal data processing. You do this in the web form for reporting processing of personal data.
Step 4: Decide how the information should be stored and processed in a secure way during the work
Collected data must be processed in a secure way. Cloud services like Dropbox, iCloud, Google Drive, etc. must not be used for storage of personal data.
Step 5: Decide what parts of the information should be deleted once the work has been completed
Personal data must not be stored for longer than necessary. Once the thesis has been graded and uploaded to DiVA, the personal data should, as a rule, be deleted. For medical records, other filing regulations apply; contact your supervisor for proper handling.
Step 6: Obtain consent, inform the registrants and collect the necessary personal data
You must have consent from the person in question in order to process personal data. Providing consent means that the registered person gives his/her consent to the processing.
In practice, this means that you provide information about:
- what information you would like to collect
- what this information should be used for and by whom
- for how long the information should be used
- that it is possible to request access to the collected information
- that the registered person has the right to withdraw his/her consent at any time
- that it is possible to contact the personal data ombudsman at Linnaeus University or the Swedish Data Protection Authority to make complaints.
Once the registrant has received this information, he/she can consent to the processing, and only after this is it permitted to process the data. Consent should be documented so that it can be produced if needed.
Some programmes may have printed consent forms that you can use; contact your supervisor to check whether there is a specific consent form for your programme. Link to consent form.
Step 7: Process the collected material
When all the previous steps have been completed, you are ready to process the personal data in a correct way in accordance with the fundamental principles. Once you have completed your processing, do not forget to delete the personal data.