Processing of personal data in degree projects
Uppsala University is the data controller for the processing of personal data undertaken in the University's activities. This means that the University is also responsible for the processing of personal data undertaken by students within the framework of their education.
General Data Protection Regulation
The General Data Protection Regulation (GDPR) has been in force in EU member states since 25 May 2018. The Regulation aims to strengthen individuals' right to privacy when their personal data is processed.
Personal data is any information that relates to an identified or identifiable natural person. This person is called the data subject. All information that can directly or indirectly identify a person is considered to be personal data. This includes any information that can be linked individually or together with other information to a living person. Examples include name, personal identity number, IP address, pictures, audio recordings and email addresses.
In order to determine whether a natural person is identifiable, all means that can reasonably be used to directly or indirectly identify the person must be considered. If, for example, a code key is retained that allows the information to be linked back to a person, the information is still personal data (it is pseudonymised, not anonymised). Even if you as a student do not know which person the information applies to, it constitutes personal data. It is enough that someone can link the data to a natural person.
If the information is completely anonymous and cannot be linked to a natural person, the information falls outside the scope of GDPR.
Sensitive personal data
Some personal data is considered sensitive and has stronger protection in the General Data Protection Regulation. This is personal data that reveals or concerns:
- racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership;
- health or a natural person's sex life or sexual orientation;
- genetic data, and biometric data processed for the purpose of uniquely identifying a natural person.
The main rule according to GDPR is that it is prohibited to process sensitive personal data. However, there are certain exceptions, for example if the data subject has given explicit consent to the processing.
Correct personal data processing – step by step
If you process personal data as part of your project, the processing is covered by GDPR and it is Uppsala University's responsibility to ensure that the rules are followed.
The first thing you should do is consider whether it is necessary to process personal data at all for your work. Think about the purpose of the work and whether this purpose can be achieved without processing personal data. If you consider it necessary to process personal data, you should also consider which types of data are needed and to what extent it is necessary to process them.
Formulate the purpose of the work and why the personal data is to be processed. Decide what the goal of the work is and in what way the personal data contributes to achieving this goal. A brief description of what the personal data is to be used for and why it is processed is sufficient. The important thing is for the purpose to be clear and distinct.
It is not permitted to process more personal data than is necessary to achieve the purpose. Also decide which categories of personal data are to be processed and whether sensitive personal data will be processed. Examples of categories are contact information, information concerning political opinions, etc.
All personal data collected must be processed and stored in a secure manner, so that unauthorised persons cannot gain access to it.
Decide what will happen to the personal data when the work is completed. Personal data may not be retained for longer than is necessary and is to be deleted when the work has been presented and graded.
Each instance of personal data processing must be registered by Uppsala University in its capacity as data controller. The purpose of this registration is to give the data controller an overview of what kinds of data are being processed in connection with its activities. The register must contain information stating that personal data processing takes place, what its purpose is and who conducts it.
When processing sensitive personal data, consent must be obtained before the processing begins. If no sensitive personal data is processed, no consent is required.
The data subject must be informed about:
- Which categories of data are being collected.
- The purpose of the processing.
- The legal basis for the processing.
- How long the data will be used.
- The possibility of requesting access to the personal data.
- Uppsala University’s status as data controller and contact information.
- Contact information for the data protection officer.
- The possibility of making a complaint to the data protection officer at Uppsala University or the Swedish Authority for Privacy Protection.
If the processing is consent-based, the data subject must be informed that:
- The data subject can revoke their consent.
This step is the practical work of your study: collecting and processing the personal data in the way you have planned and documented in the preceding steps.
When the work is completed, the personal data must be deleted as determined in step 4.
All processing of personal data must comply with the basic principles set out in GDPR.