GDPR when students collect personal data
The General Data Protection Regulation – “GDPR” – aims to protect individuals’ fundamental rights and liberties, especially the right to protect their personal data. Simply put, GDPR means that, when using personal data, you may only do what is explicitly permitted.
Personal data means “any information relating to an identifiable natural person” (art 4 GDPR). It can be anything from a personal ID number to an IP address to genetic data. There must be legal grounds for a lawful processing of personal data. In addition, there are also specific requirements that needs to be met; for example, information which needs to be provided and that the integrity of the data must be secured. An individual whose data you are using, the “data subject”, often has a right to insight into how the data is being used and a right to object if they think it is misused.
“Data subject” is a term frequently used throughout this information and means an identified or identifiable natural person whose information is in, for example, an essay or a project.
GDPR
Background
The General Data Protection Regulation (GDPR) entered into force in 2018 to strengthen personal privacy protection and create a single set of rules for the entire EU. Technological advances and companies like Google and Facebook, whose business model is selling personal data and information, contributed strongly to implementing new rules in the EU.
Everyone processing personal data regarding EU citizens shall, regardless of whether such processing takes place within or outside the EU, adhere to all people’s fundamental liberties and rights, especially their right to protect their personal data. This text aims to try to explain how this affects you as a student, practical terms.
GDPR applies to all processing of personal data if it is not strictly for personal use. Therefore, you must understand the rules if you, as a student, use personal data when conducting your studies. This means correctly handling personal data in your studies and as a preparation for your future career.
“Data subject” is a term frequently used throughout this document and means an identified or identifiable natural person whose information is in, for example, an essay or a project.
Collecting and processing of personal data
Any information that directly or indirectly can be connected to a natural living person is personal data. Personal data is not only names and personal identity numbers but also usernames, email or IP addresses, biometric data, physiological data, and even a voice recording. Combinations of data are also included if it is possible to link them to a natural person through the data. Apart from strictly private use, all processing of personal data must comply with the General Data Protection Regulation’s principles governing processing. Compliance means:
- the processing is done in a lawful, fair and transparent manner in relation to the data subject,
- data is collected for specified, explicit and legitimate purposes,
- data must not be excessive in relation to the purpose for which it is collected,
- data should be accurate and up to date,
- data must not be stored in the form of identifiable personal data longer than is necessary for the processing, and that,
- data is processed in a secure manner.
According to the regulation, we must know what the data will be used for when collected. This as to not collect more data than necessary and only for legitimate purposes. We also need to know how long the data will be used – even if we do not necessarily need to specify an exact termination date. It is not sufficient grounds that “someday it might come in handy”.
Lawfulness of processing
In addition to the above compliance requirements, there must also be a lawfulness of processing. There are six legal grounds, and it is sufficient that one of them is met for the processing to be allowed. Of course, a combination of these grounds is also possible.
- Consent – the data subject has given their informed approval to the processing. Consent must be documented and may be revoked at any time.
- The processing is necessary for the performance of a contract in which the data subject is involved.
- The processing is necessary to fulfil a legal obligation, for example, laws and authorities’ regulations, collective agreements, etc.
- The processing is necessary to protect interests of fundamental importance for the data subject, for example, health and medical care.
- The processing is necessary for performing a task in the public interest or as part of the data controller’s exercise of official authority.
- The processing is necessary for a third party’s justified interests (unless the data subject’s interests, rights and freedoms have greater weight). Note that the sixth legal ground is highly restricted for authorities, including you as a student at Örebro University.
As far as Örebro University is concerned, a considerable part of our activities constitutes the exercise of public powers. This exercise includes, for example, everything generally associated with education and examinations. Furthermore, our research is of public interest, as described by the Higher Education Act. Work that our students generate likely does not constitute a public interest and therefore, preferably, needs to be based on consent if personal data is used. Other grounds may be relevant depending on the circumstances. Still, if you are unsure, you should contact your course coordinator, supervisor or the data protection coordinator at your school or consult with the university’s data protection officer.
Processing of special categories of personal data (“sensitive personal data”)
Processing data that reveals the racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, genetic data, and biometric data to identify a natural person uniquely, or their health, sex life or sexual orientation requires special care and rigorous security measures. Although called “special categories of personal data”, “sensitive data” is more commonly used.
The recommendation to students is, do not use sensitive data. This due to the fact that it requires more than other processing of personal data in regard to the clarity of consent and security levels. If such processing is necessary, it should be in cooperation with your supervisor or course coordinator.
Duty to provide information
When we collect personal data, the data subject has a right to be provided with information which must include, among other things:
- identity and contact details of the data controller (see below),
- contact details of the data protection officer (see below),
- the purpose or reason for the processing as well as the basis for it,
- who has access to or will see the data, and
- any transfer to countries outside the EU and information about the level of protection on the part of the recipient.
Included as annex is a checklist detailing what information is required. This checklist can also be found on Blackboard adjacent to the videos and other educational material regarding GDPR.
The duty to provide information applies even if we do not collect the data directly from the data subject. There are some exceptions; if the data subject has already been informed, if it is not practicably possible, the information is very difficult to provide, or if the processing is required by law. A practical example: when a student requests a computer account at the university, we retrieve data regarding the student from Ladok. We are obliged to inform the student about what data we will use when the account is requested. On the other hand, we do not need to specifically notify about the archiving of a student’s study results or contact information; the Ordinance (1993:1153) concerning the Reporting of Higher Education Studies regulates this.
Processing needs to be performed fairly and transparently regarding the data subject. If the data subject has questions or wishes to exercise their rights concerning the university’s processing, our duty as part of Örebro University is to assist them. This applies as long as there is no impediment, for example, rules regarding secrecy or archiving.
Ensuring data security
Personal data collected is to be processed with appropriate security by using suitable technical or organisational measures. This includes protection against unauthorised or unlawful processing and protection against accidental loss, destruction or damage. This means that you, as a student, need to ensure that only authorised persons have access to the data and that any databases or systems are protected by appropriate security measures (for example, by safeguarding your computer with a password).
Deciding on, implementing and monitoring appropriate security measures, both technical and administrative, are required under the General Data Protection Regulation and must be documented. This information material is, for example, one part of the university’s ongoing effort to comply with GDPR.
Roles and responsibilities
All processing of personal data, from the individual student’s essays to research projects and administrative systems, has a data controller. The data controller for the activities and operations carried out within the university is Örebro University. The university has the ultimate responsibility for all processing of personal data carried out within the context of our activities and operations.
Suppose you, as an individual student, need to handle personal data for your studies. In that case, you are to do this accordingly and be familiar with the rules that apply specifically to that situation.
At the university, a data protection officer (DPO) reviews the processing internally and provides assistance and support for the university’s operations. The data protection officer also handles questions and complaints from data subjects and is reached via the contact details on the website.
The Swedish Authority for Privacy Protection (IMY) is the supervisory authority for the General Data Protection Regulation. IMY is responsible for auditing the university’s personal data handling and dealing with data subject complaints.
In case of errors and shortcomings in processing, data controllers and the data processors may be subject to damages and penalties. Penalties are intended to be effective, proportionate, dissuasive and may be substantial.
More information on Data Protection Regulation at Örebro university is found in the document “Riktlinje för Örebro universitets behandling av personuppgifter”, case number 2020/00050.
Rights of the data subject
The General Data Protection Regulation gives the data subject certain rights, the purpose of which is to strengthen the protection of their personal integrity and position regarding the processing of the personal data. All data subjects have the right to transparent information in advance about the planned processing. The chief idea is that the data subject must be able to predict what will happen to the data in question.
The data subject has the right to obtain information regarding what information concerning them is being processed. The data subject has the right to have inaccurate information rectified without undue delay and the right to have personal data deleted, provided that it is legally and practically possible. The data subject also has the right to object to the processing, withdraw any consent, and complain to the supervisory authority if the data subject considers that the processing is wrong.
Other laws impacting processing of personal data
The General Data Protection Regulation is not the only law governing the handling of personal data.
Other laws of relevance are the Act containing supplementary provisions to the EU General Data Protection Regulation (SFS 2018:218), the Freedom of the Press Act, the Publicity and Secrecy Act and the Archives Act (SFS 1990:782). At Örebro University, all undergraduate theses and graduate-level work shall be preserved. There are additional rules regarding processing of personal data.