Contact
Personal data breaches must be reported immediately in the IA system.
As a supervisor at SLU, you are the link between SLU and students doing degree projects. This role includes giving students correct information about the rules for any processing of personal data they do as part of their studies.
The purpose of this guide is to provide you with the tools you need to ensure that the students you supervise comply with data protection rules.
SLU is responsible for what the students do during their studies, which means it is vital that you ensure that they follow the rules. If they do not, we could face fines of up to SEK 10 million.
The information below does not concern personal data in the form of literature references.
Firstly, you and the student must assess to what extent personal data will occur in their work. To make things easier, we will describe three key terms within data protection legislation below: processing, personal data and sensitive personal data.
Processing is defined in the General Data Protection Regulation (GDPR). It is an umbrella term for anything you can do with personal data.
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means or not. Examples are the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
In principle, everything you can do with personal data is processing. Processing personal data in computers is not the only thing affected. The regulations also apply to personal data on paper.
Personal data means any information relating to an identified or identifiable natural person ('data subject'). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The concept of personal data is very broad. What determines if something is defined as personal data or not is whether you can connect the processed data to a person. You personally do not have to be able to connect the data to a person – it just has to possible in general. As long as someone can do that, it is personal data.
Examples of personal data are addresses, email and IP addresses – not surprising. Car registration numbers, animal chip numbers, dates; even log numbers for water samples can be personal data if it is possible to conclude who took the sample at a certain time. Something that initially does not seem to be personal data often turns out to be.
Please note that the above not only applies to data of possible study participants or similar, but also to the data of those who are carrying out a project.
It is therefore important to think outside the box when it comes to processing personal data. If you are unsure, assume that it is personal data and follow the rules.
Sensitive personal data are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
The main rule is that it is not allowed to process sensitive personal data without an individual's consent. Therefore, it is important to keep track of that kind of data.
If it turns out that the only personal data that will be included in the work is the student's and supervisor's data, there will be no data protection issues. You are then aware of the personal data being processed, and since you design the work together, you also know how it will be processed.
However, if the student processes personal data to a larger extent than stated above, you must carry out a more thorough review. The reason for this is that student works are not a completely private activity – SLU is responsible for the processing.
Every time you process personal data, you must have a legal basis for doing so. In regard to personal data in student works, consent is often the best choice. This means that if the work includes personal data that does not belong to the student or supervisor, the person involved must give their consent.
Every time you process personal data, you must have a purpose for doing so. How to describe this purpose depends on the type of personal data the student collects. It is important that the purpose is specific and expressed clearly.
You can describe the purpose like this: "The purpose for processing personal data is to investigate the approach to alternative food, for example insects."
There can be several purposes when collecting personal data. We suggest you describe the purpose of the work. The starting point is that the data subject must be able to understand how their data will be used. If the data only concerns address information for landowners, this information is enough.
The student is then not allowed to process personal data for other purposes that are not compatible with the first purpose. According to the law, using personal data for further research projects is deemed compatible with the original purpose.
If the student collects personal data, it must be of a certain quality.
Firstly, the data must be relevant to the purpose. For example, if a student investigates people's attitude to insects as food, it is not relevant to collect data on what their favourite sport is, or if they dislike their colleagues/classmates. It also not allowed to collect a large amount of data on one person. In addition, the data must correspond to reality, i.e. be correct.
If the data may involve a risk to the data subject's privacy, appropriate security measures must be taken. Primarily, this means that it is not allowed to distribute the data in such a way that the student cannot retract it. The greater the risk, the safer the data must be stored.
The following circumstances can be considered risks:
If the degree project is carried out in such a way that any or several of the risks above are included, you must contact dataskydd@slu.se for an impact assessment.
The data subject, i.e. the person whose personal data is collected, must also be informed if the student processes their data.
In order to ensure that the data subject receives this information, the student should only collect the data directly from the data subject, or from publically available databases. When the student collects personal data directly from the data subject, they must give the data subject certain information. There is a template for information to the data subjects.
It is important to remember that the data subject must be made aware that their data will be disclosed to SLU at a later date; this is so the student can publish their work and SLU can grade it.
If the student uses a large amount of personal data, for example from a database, they do not have to inform every individual about this, because there is an exception to the duty to inform. The exception only applies to situations where it would be impossible or involve a disproportionately large effort to inform every data subject.
The data subject has certain rights in relation to SLU as the data controller. If the data subject requests to exercise any of their rights, you must refer them to dataskydd@slu.se.
The data subject has the following rights:
More detailed information on the rights of the data subject can be found on the staff web.
Personal data must be appraised and disposed of when it is no longer needed for its purpose. The main rule, however, is that research data cannot be disposed of.
If there are appraisal and disposal regulations that state when personal data should be appraised and archived, they take precedence over the principle above.
If legislation states that processing should continue, this also takes precedence over this principle.
More on information and archives management.
Personal data breaches must be reported immediately in the IA system.