Student projects and GDPR
Here you will find information linked to student projects and GDPR.
Background
The General Data Protection Regulation, (GDPR) applies to the personal data processing that takes place at Mälardalen University's (MDU). The University is the responsible data controller for the processing of all personal data that takes place within the framework of the University's research and education activities. The eventual personal data processing that students may carry out within the framework of their education, for example in conjunction with writing their thesis or other graduate projects, is thus personal data processing for which Mälardalen University is responsible. This requires MDU to raise awareness for students about what is applicable according to the legislation when personal data shall be dealt with within the framework of a student project, and it requires students at MDU to process personal data in accordance with the applicable law.
This page aims to inform you as a student at MDU about GDPR and what you need to think about as well as how to act if you need to process personal data within the framework of your studies at the University. The information was originally developed at Örebro University and has been processed by the Data Protection Officer at MDU for adaptation to MDU's conditions and organisation.
Summary
GDPR aims to strengthen the protection of privacy and to create a coherent regulatory framework within the EU regarding the processing of personal data. The technological development and management of companies such as Google and Facebook, whose business models are based on the sale of personal information and data, were key contributing factors to the EU's introduction of the regulatory framework. In simple terms, GDPR means that, when processing personal data, one can only do what is expressly permitted in the legislation.
The “data subject" is an expression used consistently in this information and means an identified or identifiable natural person whose information is used in, for example, a thesis or project work.
Personal data is any piece of information that can be directly or indirectly linked to a living person. It can be anything from a personal identity number to IP addresses and genetic data. There must be legal support for the use of personal data. There are also many demands; for example, that information shall be provided, security be maintained and that the data subject usually has the right to gain insight into how the information is used and also has the right to object if he/she believes that you are doing something wrong.
Below is a guide with eight steps designed for you as a student and that you can use if you are going to process personal data within the framework of your studies at MDU, e.g., in your degree project.
There is a checklist available regarding information for the data subject that you can use when collecting data based on the legal basis consent.
A template for consent will be available soon.
Collection and processing of personal data
GDPR states that every piece of information that can be directly or indirectly linked to a living person is personal data. This means that it is not only items such as names and personal identity numbers that can be personal data, but also usernames, email or IP addresses, biometric data, physiological data and even a voice recording for example. Combinations of data are also covered as long as it is possible to link these to a natural person through the data. Such personal data processing must comply with all the GDPR principles for processing, which means, that:
- processing shall be done in a lawful, correct and transparent manner in relation to the data subject,
- the data shall be collected for specific, explicitly stated and legitimate purposes,
- the data shall not be too extensive in relation to the purpose for which it is collected,
- the data shall be accurate and up to date,
- the data may not be saved in the form of identifiable personal data for longer than is required for processing and that
- the data shall be processed in a secure manner.
According to the GDPR, you must know ahead of time what the data will be used for when the data has been collected. This avoids collecting more information than necessary, and it is clear to everyone for what legitimate purpose the data collection takes place.
Legal basis
For personal data processing, there must be a legal basis. GDPR provides six legal bases for personal data processing. It is enough that one of them is fulfilled for processing to be allowed. A common basis for the processing of personal data is consent to the processing. It is also the basis that you as a student can primarily use when processing personal data within the framework of a student project. For the other operations at MDU, the exercise of public authority and public interestare the legal bases which are the most common bases for personal data processing. Another common legal basis is the fulfilment of contracts.
Special categories of personal data ("sensitive personal data")
The processing of personal data that reveals health, political opinions, religion, ethnic origin, trade union affiliation, sexual orientation, sexual life and genetic and biometric data requires special support according to GDPR and more comprehensive security measures. The GDPR refers to this type of data as "special categories of personal data", but in everyday speech we usually talk about "sensitive personal data".
Mälardalen University recommends that students do not process sensitive personal data in their student projects, as it places higher demands on the processing, for example in terms of the clarity of consent and on security levels for processing and storing the data. If such processing is carried out anyway, it should be done in discussion with the course coordinator and supervisor who can, if necessary, turn to the Data Protection Officer at MDU for advice.
Obligation to provide information
When collecting personal data, there is an obligation to provide information to the data subject that must include the following:
- the identity and contact details of the data controller (more on the data controller below),
- the contact details for the Data protection officer (more on the Data protection officer below),
- the purpose/reason for the processing and the legal support for it,
- who will have access to the data and
- possible transfer to non-EU countries and information on the level of protection of the recipient.
To facilitate the design of this information a checklist is available regarding what information should be included when you collect data supported by the legal basis consent.
The obligation to provide information applies even if the University does not collect the data directly from the data subject. Certain exceptions may be allowed; if you know that the data subject has already been informed, whether it is practically impossible or very difficult to inform or if the processing is an obligation according to the legislation. However, it is unlikely that you as a student can apply such exceptions, as the recommendation is that the collection of data for student projects takes place directly from the data subjects with the support of the legal basis consent.
Processing of data shall be done in a correct and transparent manner in relation to the data subject. If the data subject has questions or wants to use their rights in relation to the processing carried out by MDU, an obligation exists to help them. This applies if there are no obstacles to this due to, for example, rules on confidentiality or archiving.
Security
The collected data shall be processed in such a way as to ensure the appropriate security of personal data using appropriate technical or organisational measures. This includes protection against unauthorised or unlawful processing and protection against loss, destruction, or damage by accident. This means that you as a student must ensure that only authorised persons have access to the data and that any databases or systems where the data is stored are subject to various security measures (e.g., protecting the computer with a password and locking the computer when you walk away from the computer).
Roles and responsibilities
For all personal data management, from the individual student's thesis work to research projects and administrative systems, there is a data controller and for the activities carried out within the higher education institution, this is Mälardalen University. The University is ultimately responsible for the processing of all personal data that takes place within the framework of the organisation.
An individual student who needs to process personal data, within the framework of their studies, are expected to understand what is applicable so that the processing of personal data shall be correct.
At the University there is also a Data protection officer who will internally review the processing but will also act as help and support for the organisation. The Data protection officer shall also be available to handle questions and complaints from data subjects. Contact details for the representative can be found here External link.
Integritetsskyddsmyndigheten (The Swedish Authority for Privacy Protection), www.imy.se External link., is the supervisory authority for GDPR and is thus responsible for reviewing the organisation’s processing of personal data and handling complaints from data subjects.
In the event of errors and deficiencies in the processing, both the data controller and any processors may be subject to both penalty payments (fines) and damages. The penalty payments shall be effective, proportionate and deterrent and may be very high.
The rights of the data subject
Through the GDPR, the data subject has several rights that are in place to strengthen the protection of personal privacy and position vis-à-vis the person who processes the personal data. All data subjects have the right to receive information in advance in a clear and transparent manner about the intended personal data processing. The basic idea is that the data subject should be able to predict what will happen to the information in question.
The data subject has the right to know what data is processed about him or her. The data subject also has the right to have incorrect information corrected without undue delay and the right to have personal information deleted, where legally and practically possible. Furthermore, the data subject also has the right to object to the processing, to withdraw any consents and the right to complain to the supervisory authority if the data subject considers that the processing is incorrect.
Other laws that also govern the processing of personal data
The GDPR is supplemented by certain national laws, such as the Data Protection Act (2018:218), the Freedom of the Press Act (1949:105), Public Access to Information and Secrecy Act (2009:400) and the Archives Act (1990:782) and related local regulations. For example, a degree project shall be saved and stored at Mälardalen University in the DIVA database.
Personal data processing during student projects
The GDPR, together with several Swedish laws that are linked to this, imposes strict requirements that all work with personal data is to be carried out correctly. Mälardalen University is formally responsible for the personal data processing carried out throughout the entire organisation and this also applies to our students' own processing of personal data within the framework of their education. This list is aimed at you as a student who processes personal data within the framework of your studies.
If you as a student intend to use personal data in a thesis, a degree project or something else related to your studies at Mälardalen University, there is a lot to bear in mind. This text provides a brief overhaul of the steps necessary for the processing of personal data to be correct. In addition to the rules that apply to personal data, depending on what you intend to do, there may be additional rules to consider and you should therefore have a comprehensive discussion with your supervisor about what information you intend to process and in what way and plan accordingly.
Step 1 – Does the personal data need to be processed?
The first question is whether it is really necessary to process personal data? If the investigation can be carried out with maintained quality, and without personal data being processed, then this is preferable. If you do not use personal data, GDPR does not apply, which makes the work easier for you as a student.
It is important to remember that personal data is defined as all information that can be directly or indirectly linked to a living person. This means that it is not only such things as name, personal identity number, DNA or portrait photo that is a personal data, but it can also be a combination of more anonymous data that together makes it possible to identify an individual person. Even if students/supervisors only have access to coded (pseudonymised) data, the GDPR still applies. If there is a code list available, whether it is at the University, at another authority (such as the National Board of Health and Welfare) or abroad, personal data is still processed.
Example
The combination of age and shoe number together with group affiliation for a person is not personal data if we only know that it is a Swedish citizen but can be if you know that the selection is limited to a small group, such as The Swedish Academy.
Step 2 – Define the purpose and what type of data needs to be collected
Before the practical work begins, it is important to make clear what data should be collected and why. For those who are going to do a student project this should not be a difficult task, but the purpose of the personal data processing is simply to be able to carry out the investigation that is necessary to back up your work. However, it is important that you think through and formulate the purpose and that you are clear about what type of personal information is necessary to achieve it. You are not allowed to collect personal data just because it may be "good to have” it.
Step 3 – Sensitive personal data
If you believe that it is necessary to collect sensitive personal data to execute your student project, this should be coordinated and done in discussion with the course coordinator and supervisor. Extra focus should be placed on the clarity of consent so that the data subject is aware that sensitive personal data is being processed. Additional security measures for processing sensitive personal data may include encryption and/or passwords in case of email correspondence, secure storage space (for example, select H: for storage, other than storing the data on OneDrive), extra password protection for folders and files, etc. See Step 4 about secure processing.
Step 4 – How can the information be stored and processed securely during the work in progress
MS Forms may be used by students when conducting surveys, taking into account the risks that may arise when processing personal data in the tool. Therefore, personal data processing in the tool should be limited to a minimum, for instance by processing only an IP address (which is normally a type of personal data) in the tool. Sensitive and/or personal data which is worthy of protection may not be processed in MS Forms regardless of whether it is direct/indirect or pseudonymised data. The responsibility for students’ use of the tool lies with the
Course Coordinator/supervisor. If sensitive data and data which is worthy of protection must be processed, then the Survey and Report survey tool or alternatively paper format surveys must be used. Currently students cannot have direct access to Survey and Report, whereby teachers can send out digital surveys via the tool on behalf of students, if the teacher deems it possible within the framework of their assignment. Otherwise surveys where personal data is processed can be conducted in physical, paper format and stored in a locked-up area at the University.
Interviews can be conducted digitally and recorded via Zoom as long as sensitive material is not processed. If sensitive information is to be processed, interviews should take place via a physical meeting, via Zoom or a telephone meeting, where recording takes place with a dictaphone during the meeting, is transcribed after the interview, stored securely and deleted after transcription. More details are available under Step 5.
Step 5 – Decide what to delete or what should be retained when you finish your project
Personal data may not be stored for longer than is necessary and shall be deleted when it is no longer needed. At the same time, parts of the information may have to remain in place for some time to be able to substantiate the conclusions of the project or because they are necessary for your own personal data processing in the foreseeable future (e.g., to be used as a basis for a thesis at the next level). In cases where the information is not necessary for future processing, a good guideline is to delete it when the grade is set, registered in the student registry and thus is no longer needed to substantiate the conclusions of the report.
Before the practical work starts, it is therefore important to decide what will happen to the collected personal data afterwards. What data should be saved or discarded? During the course of the work, there may be reason to reconsider the original planning, but it is important that there is a fundamental plan that is anchored with your supervisor or course coordinator (depending on the structure of the assignment). This is especially in order to be able to answer questions from the data subjects.
Step 6 – Obtain consent, inform and collect personal data
For a student project, it is normally just consent that is relevant as a legal basis for the processing of personal data.
In practice, obtaining consent means that you clearly and explicitly tell people what data you want to collect, what it will be used for and by whom and how long the data will be used. If you already plan to use the collected material in future student projects, in addition to the current assignment, you must inform the person about it when obtaining the consent from the data subject. You must also inform the person that it is possible to request to see the collected information and that it is possible to contact the Data Protection Officer at the University or the Swedish Privacy Protection Authority with complaints. A checklist of what you need to consider when designing your information can be found here.
After the data subject has received the information, they can give their consent to the processing and it is then allowed to process the personal data necessary to carry out the purpose of the processing and your work. It is important to know that once consent is obtained, it should be documented and saved so that it can be referred to when necessary. The data subject has the right to withdraw his or her consent at any time. For the processing of special categories of personal data (sensitive personal data) based on consent, it is required that it is specifically pointed out in the information and that the consent actually covers this. Consult with your supervisor or course coordinator in case of uncertainty regarding consents. Please also note that sensitive data places extra demands on the security of the processing (see Step 3).
Information about consent for personal data processing regarding student projects Pdf, 117.8 kB.
Checklist:
Checklist for students prior to personal data processing Pdf, 82.2 kB. Pdf, 160.2 kB.
Step 7 – Process the collected material
Provided that the previous steps have been carried out, this is a formally simple step that does not require any further action based on GDPR. At the same time, this is in practice the work which must be done.
Step 8 – After processing; delete or save the material as needed
This should also be a simple step as the practical work has now been completed. The material that has been processed should now either be saved or deleted according to what you have decided in Step 5. Any consents you have obtained to do the personal data processing must be saved for as long as the material itself and deleted/discarded at the same time.
As a student, you are responsible for deleting the material as it is no longer needed to verify the results of the report or for any other purpose. Make sure not to delete the material before the final grade is set on the course.