Processing personal data in student projects
Örebro University has the formal responsibility for processing personal data carried out at the university, which also applies to our students’ handling of personal data within the framework of their studies.
There is much to consider for students intending to use personal data in an essay, degree project, or any other work related to their studies at Örebro University. This text summarises the steps necessary for processing personal data in situations where data collected is not intended to be used in a formal research project or similar project. In addition to the rules applicable to personal data, additional restrictions may apply, depending on what you intend to do. Therefore, you should have a comprehensive discussion with your supervisor about what information you intend to process, how and plan accordingly.
The EU’s General Data Protection Regulation and several related Swedish laws assign strict requirements for the correct handling of all personal data. Örebro University has the formal responsibility for processing personal data carried out at the university, which also applies to our students’ handling of personal data within the framework of their studies.
There is much to consider for students intending to use personal data in an essay, degree project, or any other work related to their studies at Örebro University. This text summarises the steps necessary for processing personal data in situations where data collected is not intended to be used in a formal research project or similar project. In addition to the rules applicable to personal data, additional restrictions may apply, depending on what you intend to do. Therefore, you should have a comprehensive discussion with your supervisor about what information you intend to process, how and plan accordingly.
Step 1 – Does personal data need to be processed?
The first question is if it is necessary to process personal data? If a study can be carried out without processing personal data, this is preferable. The General Data Protection Regulation does not apply if you do not use personal data, making your work easier.
It is essential to remember that all information, directly or indirectly, linked to a living person is personal data. Not only is a name, personal identity number, DNA or photo considered personal data, but any combination of more anonymous data that can identify a specific person is as well. Even if a student/supervisor only has access to pseudonymised data, GDPR still applies. Whether a data key (by which pseudonymised data can be linked to natural persons) is accessible by the university, at any public authority (such as the National Board of Health and Welfare) or abroad, it is still processing personal data.
For example, combining a person’s age, shoe size and Swedish citizenship is not personal data. However, if the selection is limited to a smaller group such as the Swedish Academy, it is probably personal data.
Step 2 – Define processing purpose and data collection
Before practical work begins, it is important to clarify what information will be collected and why. This should not be a difficult task; the purpose of the processing is simply to carry out the analysis necessary to support your work. However, it is essential to thoroughly consider and describe the purpose and understand what data is needed to achieve this. You may not collect data simply because it might “come in handy”.
Step 3 – Sensitive personal data
If you deem it necessary to collect sensitive personal data for your student project, discuss it and get approval from your supervisor or course coordinator. It is highly recommended to pay extra attention to the clarity of any consent forms to ensure that the data subject is aware of the sensitive data to be processed. When processing sensitive personal data, additional security measures might be encryption and passwords when communicating via email, using secure storage spaces, having different passwords for maps and files, etc. See step 4 for security information.
Step 4 – Safe storage of data and secure handling
Collected data must be processed in a secure manner. Avoid or limit the use of external storage services for the storage of personal data. This applies to Dropbox, Google Docs, iCloud, OneDrive, and other such types of storage.
Students are advised to use ORU Survey as a digital survey tool when processing personal data.
Step 5 – Decide what data to delete or preserve
Personal data may not be stored longer than necessary and is to be deleted when no longer needed. At the same time, parts of the data may be retained to substantiate the conclusions in the degree project or because they are required for future instances of processing (i.e. to be used in an essay on the next level). If the data is nonessential for future processing, it is advisable to delete it after grading has been reported in the student registry and no longer is needed to support the findings in your report.
Therefore before your practical work begins, it is essential to decide what is to be done with the collected personal data. What data is to be saved, and what can be deleted? During the work, there may be reasons to reconsider the original plan. Still, it is important to agree on a basic plan with your supervisor or course coordinator (depending on the structure of the assignment), not the least to answer questions from data subjects whose data you want to use. It is advised to complete the project before deletion; if it comes to that, see Step 8.
Steg 6 – Obtain consent, informing data subjects and necessary personal data collection
Personal data may only be processed if legal grounds exist for it. The General Data Protection Regulation specifies the grounds regarded as permissible, but consent is the chief option in the case of a student project. If consent is not possible, consult your supervisor and the data protection officer.
Obtaining consent means in practice that you clearly and distinctly state what data you wish to collect, what it will be used for and by whom, and for how long the data will be used. If you are already planning to use the collected material in subsequent work, you need to inform the data subject about this in your consent form. You also must inform them about the right to request to see the data collected. It is possible for the data subject to submit a complaint to the data protection officer or to the Swedish Authority for Privacy Protection (IMY). The annex contains a checklist of considerations when designing your information.
Once the data subject has been informed, as stated above, they can consent to the processing, and it is then permitted to process the data. It is essential to know that consent must be documented and saved to be reviewed if necessary. The data subject has the right to revoke their consent at any time. Suppose processing special categories of personal data (sensitive personal data) is based on consent. In that case, this processing must be specifically emphasised when informing, and you must clearly state that the consent covers it. Consult your supervisor or course coordinator if you are uncertain about consent. Note that requirements are stringent regarding security in handling special categories of personal data (sensitive personal data).
Step 7 – Processing collected material
In practical terms, this is the main task. If the preceding steps have been correctly performed, this is a formal step that should not require any additional measures regarding GDPR.
Step 8 – After processing – delete or save material as needed
As the practical work is now completed, this should be a simple step. The data that has been processed will now be saved or deleted, according to your findings in Step 5. If you have collected consent forms, these must be held for as long as the collected material and deleted along with the collected material.
As a student, you are responsible for deleting the material when it is no longer necessary to verify the report results or for other reasons. Note: do not delete the material before the final grading on the course is complete.