Rules for students' processing of personal data

On this site you will find a description of the rules that apply at University West for how you as a student may process personal data within the framework of your education. There are also templates and other practical information.

The General Data Protection Regulation (GDPR) is the law that applies to the processing of personal data and was introduced by all member states of the EU on 25 May 2018. The regulation stipulates that all processing of personal data carried out must comply with the fundamental principles set out in the General Data Protection Regulation.

The university's responsibilty and the student's responsibility

The university is responsible for students' processing of personal data within the framework of their studies, so-called personal data controller. This means that you as a student have an obligation to ensure that your own personal data processing takes place in accordance with the university's decided rules when working with, for example, essays, assignments and degree projects.

Students' processing of personal data

Processing of personal data within the framework of education may only take place in accordance with the university's rules and guidelines and on the teacher's instructions or after the teacher's/supervisor's approval. Processing of personal data is a broad concept and includes all actions that are carried out with the personal data electronically. Examples of processing are collection, registration, organisation, structuring, storage, processing, alteration, retrieval, reading, use, disclosure, dissemination or otherwise provided, adjustment or combination, restriction, deletion or destruction of personal data.

Sensitive personal data (i.e. both sensitive and personal data that warrants extra protection) may never be processed in first- and second-cycle education.

Personal data

Personal data means any information relating to an identified or identifiable natural person. The decisive factor is that the information, individually or in combination with other data, is capable of identifying a living person. Examples of personal data are personal identity numbers, names, contact details such as email addresses, electronic identities of various kinds such as usernames on social media, as well as image and/or audio recordings. This and other personal data that appears in interview responses, questionnaire responses, images and other collected empirical data are covered by these rules.

Please note that even if you do not know or even have the opportunity to find out who the person is, it may be processing of personal data. It is sufficient that someone can link the data to a natural person for it to be considered as personal data. In order to determine whether a natural person is identifiable, you must consider the possibility of additional information, as well as any means that may reasonably be used to directly or indirectly identify the natural person.

Sensitive personal data

The General Data Protection Regulation lists special categories of personal data that are considered particularly sensitive and therefore have a stronger protection, so-called sensitive personal data. As a general rule, sensitive personal data may not be processed by students during their studies.

Exceptions to this are if your degree project is part of a larger research project, which has an ethical approval from the Swedish Ethical Review Authority. You may also process sensitive and personal data that warrants extra protection during internships (i.e VFU), provided that the placement allows it and that the processing is not part of an essay, presentation or the like.

Sensitive personal data is personal data that reveals:

Ethnic origin
Political views
Religious or philosophical beliefs
Trade union membership
Health
Sex life or sexual orientation
Genetic data
Biometric data to uniquely identify a natural person

In addition to the information listed above, there are other types of personal data that are particularly worthy of protection according to Swedish Authority for Privacy Protection. These can be, for example:

Salary information
Data on violations of the law
Evaluative data, such as data from performance appraisals, data on the results of personality tests or personality profiles
Information relating to someone's private sphere
Data on social conditions

Checklist for the processing of personal data

Specify the purpose and document the processing of personal data

Always start by determining the purpose (purpose) of the work you are going to carry out and what data is necessary to collect and process in order to achieve the purpose of the work.

Always consider what personal data is necessary to collect in order to fulfil the purpose of the work. Contact your teacher or supervisor for consultation if you are unsure. In the event of a disagreement between teacher and student about the need for processing personal data, the teacher's instructions apply.

Keep in mind that no superfluous personal data may be collected, but personal data that is processed must be adequate and relevant for the purpose of the processing. Personal data collected for student work may only be processed for the student work for which it has been collected and no other purposes or purposes.

Determine the method of collection, processing, and storage

Decide how you will collect, store and otherwise process the personal data.

When collecting, only tools and services provided by the university may be used. It is not allowed to use free services that you can access freely on the internet.

Keep in mind that personal data must be stored and processed in a secure manner to protect it against unauthorized or unauthorized processing, loss or destruction. To achieve this, you should adhere to at least the below points:

When collecting, only tools and services provided by the university may be used. It is not allowed to use free services that you can access freely on the internet.
The personal data must be stored in the university's IT systems and storage space, such as Canvas, your own home directory in the university's IT environment or your own OneDrive provided by the university. No private cloud storage may be used.
No personal data may be stored on a private computer, mobile phone, USB stick or other private device.
If private mobile phones are used to record audio or video in interviews, for example, recording and storage may not take place directly in the mobile phone. Instead, the students shall record audio and video via M365, either OneNote or OneDrive, which can be downloaded as an app to the mobile phone. Please note that you must log in with your student account in the apps!
Determine and ensure that only authorized persons have access to the personal data by, for example, password-protecting folders for storage.

Report the processing to the register

The university is obliged to keep a register of its personal data processing. Before you start processing your personal data, you must therefore report your work to the university's register.

Obtain consent and inform about the processing

Before you begin collecting or processing personal data, you must obtain consent from the person whose personal data is to be processed, the so-called data subject. The processing of minors' personal data requires the consent of the child's guardian.

Consent must be obtained before the processing of personal data begins and must be in writing. The template for consent and information about the processing of personal data in student work must be used. The forms must be collected and stored for the duration of the processing of personal data.

The data subject always has the right to withdraw their consent. If the consent is withdrawn, the student must immediately stop processing the personal data, and delete it.

Collect the personal data and carry out your work

Once consent has been obtained, the collection of personal data can begin. All collection must take place in a secure manner and for digital interviews, surveys or the like, the university's approved systems, software and cloud services must always be used. Open or private systems, software or cloud services may not be used.

Personal data may not be collected in such a way that personal data is stored on a private computer, mobile phone, USB stick or other private device. If private mobile phones are used, audio and video must be recorded via apps for either OneNote or OneDrive so that the storage takes place directly in the cloud under the university's control.

Remember to protect personal data throughout the course of the work so that no unauthorized person gains access to it.

Terminate the processing and delete the personal data

After the work has been completed, a notification of the cessation of processing must be sent to the university's register of records.

Personal data must be deleted from all storage areas when the data is no longer necessary, but no later than when the work has been approved. This does not apply to final products such as finished assignments, essays, degree projects and the like. Deletion means that the personal data cannot be recovered.

Templates

Template_Consent and information about processing of personal data in student work.docx

Rules for students' processing of personal data

The university's responsibilty and the student's responsibility

Students' processing of personal data

Personal data

Sensitive personal data

Specify the purpose and document the processing of personal data expand_more

Determine the method of collection, processing, and storage expand_more

Report the processing to the register expand_more

Obtain consent and inform about the processing expand_more

Collect the personal data and carry out your work expand_more

Terminate the processing and delete the personal data expand_more