Data protection manual

Perhaps you have heard of the "new PUL" (Personal Data Act) or the new "GDPR" (General Data Protection Regulation). Some recognise PUL from before, without knowing exactly what it was. This is because the rules have allowed for exceptions, and fines have been so low that the rules have largely been ignored.

The GDPR ("dataskyddsförordningen" in Swedish) is basically the same as PUL but without the exceptions and with much higher fines. The maximum fine under the GDPR is SEK 190,000,000. However, the prison sentences included in PUL have been removed. Another important difference is the documentation requirement. If we cannot document our procedures, the Swedish Authority for Privacy Protection will conclude that we have made an error. Therefore, documentation is very important.

As you have probably noticed, documentation and procedures are of the utmost importance when processing personal data. A lot is allowed, as long as a processing decision is documented and justified.

Documentation is our greatest tool in order to follow the law and avoid more serious consequences. This is the reason why it is compulsory to register any personal data processing.

The term sensitive personal data is defined in the box below.

The main rule is that it is not allowed to process sensitive personal data. The main rule is followed by a number of exceptions, primarily for public authorities, employers and research. It is therefore very possible that a project is excluded from the main rule.

The following are primary exceptions:

1. There is consent. The data subject freely consents to the processing of their personal data, i.e. the data subject will not face any negative consequences by withholding consent. Consent must be explicit and preferably in writing.
   
   
2. It is necessary for the employer to process personal data. If processing personal data is necessary in order for SLU to fulfil its obligations in accordance with employment law, social law or collective agreements.
   
   
3. Certain important purposes of public interest. In certain cases, sensitive personal data may be processed within research, archiving and statistics, if the purpose is of public interest. If sensitive personal data is processed within research, processing must also be tried in accordance with the Ethical Review Act by the Swedish Ethical Review Authority.

1. If you are uncertain of the answer, contact dataskydd@slu.se for guidance.
   
   
2. If the answer is a clear NO, you do not need to do anything.
   
   
3. If the answer is YES, you must contact dataskydd@slu.se to ensure that your processing is entered in the register that is handled by SLU's data protection officer.

You have concluded that you will process personal data at some point – what is the next step?

In order to be allowed to process personal data at SLU, the person processing must follow certain principles. You must assess if these principles are followed in your projects. If your work is part of an existing activity or project, it is possible that you might not be able to assess the situation personally – in certain cases, this must be assessed at division or unit level.

There are certain principles that control how we can process personal data. These data protection principles must be met in relation to the type of processing.

Lawfulness, fairness and transparency

The data must be processed lawfully, fairly and in a transparent manner in relation to the data subject. If the data subject has any questions or wants to exercise their processing rights, it is our obligation to help unless anything prevents this, for example secrecy. The requirement that processing must be lawful means that processing must have a legal basis. The legal basis is discussed more thoroughly further on. The fairness requirement does not mean that the data must be fair, but that we should not process personal data in a way that the data subject does not expect.

Purpose limitations

Personal data must be collected and processed to meet explicitly stated purposes. These purposes must be specific, i.e. you have to state why you consider processing necessary for the purpose supported by the legal basis. It is not enough to give "administration" or "financial systems" as reasons for processing.

The data subject must be able to foresee what will happen to their data when you process it. The data can then only be processed for purposes that are compatible with the purpose for which it was collected. For example, survey answers from students that have been collected to assess the study environment cannot be processed in order to direct advertising to them, unless marketing has been listed as a processing purpose as well.

Data minimisation

The personal data which you collect must be adequate and relevant in relation to the purpose for which it was collected in the first place. You are not allowed to collect more data than necessary. In short, this means that you can only process information that is necessary for the processing purpose.

Fairness

The data must be fair and, if necessary, updated. If you find out that any data is incorrect in relation to the processing purpose, you must take measures to correct or erase it.

Storage limitation

You must limit personal data storage. This means that when the processing purpose is achieved, the data must be erased in a safe manner, or personal identifiers removed to ensure that an individual cannot be connected to the data, for example if the data is aggregated into statistics.

However, personal data may be preserved longer than what is necessary for the original purpose if the data is required to meet historical or scientific purposes or to meet archive purposes of public interest.

A common misunderstanding is that this means that you are obligated to dispose of official documents. That is not the case. The regulations for document appraisal and disposal established by the SLU archivists apply.

More on appraisal, disposal and information management.

Privacy and confidentiality

Personal data must be processed in a manner that ensures appropriate security of the data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage.

This must be done by using appropriate technological and organisational measures. It means that you must ensure that only authorised people have access to the data, that any databases or systems have satisfactory security measures and that there are procedures for when data may be erased.

Only when SLU's data protection officer concludes that all of these principles have been met is processing allowed to begin.

When it is clear that you are allowed to process personal data, you must answer why you wish to do so. Personal data must be collected and processed to meet an explicitly stated and justified purpose.

The purpose must be specific. You have to state why you consider processing necessary for the purpose supported by the legal basis. It is not enough to give "administration" or "financial systems" as reasons for processing. The data subject must be able to foresee what will happen to their data when you process it. The data cannot be processed for purposes that are incompatible with the purpose for which it was collected.

According to the GDPR, further processing of personal data for research or archive purposes must be compatible with the original purpose for collecting data. In this case, further processing means processing personal data for another purpose than that for which it was collected.

Formulating the purpose is one of the most important things to do when preparing personal data processing. Ensure you take the time required to question and formulate what you want to do with the personal data.

The purpose controls what you are allowed to do with the data you collect. If, later on, you want to do something else with the collected data and have not stated this as a purpose, you must once again describe the purpose and renew contact with the data subjects

To be allowed to process personal data, a legal basis is required. Which basis to use at SLU depends on the operation where personal data is processed. We use the following bases:

Task of public interest

The broadest basis is that processing personal data is necessary to fulfil a task of public interest. Public interest must be determined according to Swedish law, which means that the task must be defined in a legal act or a public authority decision supported by a legal act.

As a public authority, most of what SLU does serves a public interest, but processing must be necessary to fulfil that interest. You cannot routinely use public interest as a legal basis for processing personal data – the task must be connected to SLU operations and assignments, and it must be regulated in Swedish law.

Therefore, you have to state which matter of public interest will be fulfilled by processing personal data, and which act or decision that requires SLU perform this task.

Exercise of public authority

Processing is also allowed if it is necessary to exercise public authority. This basis is applicable e.g. relating to the examination of students, approving special learning support and handling matters relating to official documents. That is, for actions you normally associate with public authorities. However, it can also be used for other tasks assigned to SLU as a public authority, such as environmental monitoring and assessment.

Note that it is sufficient if the processing is "part of" the exercise of public authority. The processing does not have to be necessary to make a decision, as processing data to provide decision support can be part of the exercise of public authority.

Legal obligation

Another basis often used by public authorities is a legal obligation. This basis means that you are allowed to process personal data if it is necessary to fulfil a duty stated in Swedish legislation.

Examples of when such duties follow from Swedish law is, among other things, the Ordinance Concerning the Reporting of Higher Education Studies (the Ladok ordinance) which states that SLU must carry a register of students, or the Swedish Accounting Act. Please note that collective agreements also can constitute such a legal obligation.

This assessment includes a part that may be difficult to carry out alone. If you want to use a legal obligation as support when processing personal data, the data subject must be able to foresee the obligation. This means that the data subject must have access to the provision and foresee that it will mean that their personal data will be processed.

So-called register statutes such as the Ladok ordinance are clear enough, as is the act concerning student finance which regulates the operations of the Swedish Board of Student Finance (CSN).

The Higher Education Ordinance is one example of regulations that steer SLU operations but which are not specific enough to be used for this basis.

If you have trouble with this assessment, contact the data protection officer.

Fulfilling agreements

Processing personal data is also allowed if it is required to fulfil or enter into an agreement.

Please note that this is only possible when processing personal data between SLU and the data subject. It is not possible to use an agreement as a basis for processing data if the data subjects in question are not connected to the agreement. For example, it is not possible to use an agreement between SLU and Google as a basis for processing a student's personal data, if they are not connected to the agreement.

Legitimate interest

In certain exceptional cases, we can also use a basis called legitimate interest.

This basis means that we are allowed to process personal data if we have a justified interest unless the data subject's interest that we do not process their personal data is greater.

As mentioned, this is an exception which requires that processing is not connected to our assignment as a public authority, for example regarding fundraising. When we use this exception, we must thoroughly assess why our interest is greater than the data subject's.

If you want to use this legal basis, contact dataskydd@slu.se.

Consent

Finally, it is allowed to process personal data if the data subject gives their consent. It is vital that their consent is given completely freely, i.e. that there will be no negative consequences should they decline.

For example, you can use consent for participation in a non-compulsory conference, but not for participation in a compulsory course. This means that we can only use consent in relation to our students and employees in exceptional cases.

If you cannot use a service without consenting that your personal data be processed, consent is normally not considered voluntary. In these cases, it is best to use another basis, for example the one regarding agreements above.

Obtained consent must be written and documented. The data subject can revoke their consent at any time. It is rare to use consent for public authority data in relation to students or between employers and employees.

Personal data security is divided into two parts – organisational and technological security.

The main principle for organisational security is that only authorised persons – who need personal data to carry out their duties – not anyone else, may have access to the data. Personal data should be communicated to as few parties as possible, without preventing processing.

There must also be procedures for how you are allowed to process personal data within your unit/division, especially in regard to disclosing data outside of SLU. This is especially relevant when distributing copies of information. If a decision is interesting, not the personal data which it contains, the personal data cannot be visible on the copy.

In addition, personal data must be handled in a manner that ensures appropriate technological security. For example, personal data must be protected against unlawful processing, accidental loss, destruction or damage.

Examples of such security measures are encryption, pseudonymisation and password protection. Technological measures must be taken in collaboration with the Division of IT.

Security measures must be adjusted to the processing risks – the higher the risk processing personal data poses to the data subjects' freedoms and rights, the greater the security measures. When assessing risk, you must pay regard to the consequences SLU and the data subjects would face should something happen to the personal data. This can favourably be done in connection with a security classification with the Security Unit.

If the processing results in risks for the data subject, you must contact dataskydd@slu.se for an impact assessment.

If any planned processing of personal data is likely to result in a high risk to the rights and freedoms of data subjects, you need to carry out an impact  assessment.

Examples of cases where an impact assessment may be necessary:

• large-scale processing of sensitive personal data
• the use of new and unproven technologies
• systematic monitoring of people and processing of the personal data of persons who, for whatever reason, are disadvantaged or dependent and therefore vulnerable (e.g. children, asylum seekers, elderly people and patients).

Please contact dataskydd@slu.se if you are unsure and need help in deciding whether an impact assessment is needed.

When collecting personal data, you must provide the data subject with certain information.

Two situations are explained here. The first is if you collect personal data directly from the data subject, for example through a survey. The other is if you collect personal data from another source than the data subject, for example from the Swedish Tax Office or an external database.

The information you must provide to the data subject is very similar in both situations. The largest difference is that there are a few exceptions to the duty to inform when personal data is collected from another source than the data subject. The data protection officer will decide if an exception is applicable.

You must provide the data subject with the following information:

1. Who the data controller is (SLU) and contact information for the person representing SLU for this project.
   
   
2. Contact information for SLU's data protection officer, dataskydd@slu.se.
   
   
3. The processing purpose.
   
   
4. The legal basis for processing. It is important to be clear. If you use a legal obligation or a task of public interest as a processing reason, they must be specified.
   
   
5. Who will receive the information? You must state if anyone outside SLU will be able to access the personal data. If the personal data will be transferred to a third party at some point, this must be stated here. You do not need to inform the data subject if their data will be transferred within SLU.
   
   
6. When the personal data will be processed. If you do not know when the personal data will be processed, state the criteria you use to determine the time period.
   
   
7. The data subject can revoke their given consent at any time.
   
   
8. The data subject has the right to request to have their personal data erased, corrected or limited. They also have the right of access to the personal data being processed and the right to object to the processing of their data.
   
   
9. The right to lodge a complaint with the Swedish Authority for Privacy Protection, as well as contact information for them.
   
   
10. If you intend to process the data for another purpose than what you are collecting it for at the moment, you must inform the data subject of this.

If you collected the information from another source than the data subject, you must also provide the following information:

1. which source has been used;
2. if the information is available to the public
3. which information categories you will process.

There is a template for information to data subjects.

The General Data Protection Regulation not only contains a number of regulations on how to process personal data. It also contains regulations for the data subject's rights in relation to SLU as the data controller. The starting point is that we must comply with the data subject's rights and be obliging with their request, just as with other public authority operations.

These rights and the circumstances in which they are used are outlined under Rights under the General Data Protection Regulation.

More detailed information can be found on the page on the rights of data subjects. If a data subject wishes to exercise their rights, ask them to contact dataskydd@slu.se.

Three different cooperation conditions are described below:

1. cooperation with someone outside the EU/EEA;
2. someone who does not work within SLU operations;
3. SLU suppliers.

Outside the EU/EEA

If you cooperate with partners outside the EU/EEA, for example a foreign government, and transfer personal data to a country outside the EU/EEA, you must ensure that legislation in that country, as well as its conditions for personal data, do not involve risking the data subject's privacy. The receiver of personal data must have an adequate level of security. Please note that storing personal data in a joint database or cloud service may mean transferring data to another country.

If you are unsure of a receiver's security level, or if any of your measures will involve transferring personal data, contact dataskydd@slu.se.

Outside SLU

In certain cases, for example during research cooperation with other universities, cooperation may involve two parties deciding on the personal data processing purpose together. Both parties are then responsible for the data. In those cases, it is important that the organisations agree on who has processing responsibility.

The main principle is that the party with the greatest control over personal data are also mostly responsible for ensuring that the data is processed in a correct manner.

SLU suppliers

In some other cases, another party gets access to personal data in order to supply a service or similar, for example software or holding a conference. In those cases, SLU decides the personal data processing purpose, not the suppliers. The supplier then acts as the data processor and is only allowed to process personal data as instructed by SLU, or according to legislation requirements.

SLU must then establish a data processing contract with the supplier. Such agreements must be drawn up as they are compulsory in the GDPR.

You can use the SLU data processing contract template . You can use standard EU agreements as well. The data processing contract can also be part of another agreement or general conditions. The most important thing is to ensure that the supplier cannot alter conditions without SLU's input.

The GDPR contains only one rule on appraisal and disposal. It states that personal data must be disposed of when it is no longer needed for its purpose. You must, therefore, determine whether the data is still needed for the purpose for which it was collected.

It is allowed to save data if there is a reason to do so. As with everything data protection-related, it must be documented.

Personal data may be saved in the same manner if required by law, for example in regard to official document regulations or documenting research material. Laws are not the only thing that apply when it comes to saving personal data – regulations, government decisions, appropriation directions, collective agreements or other public authority decisions that are supported by law also apply.

If you know that you are obligated to save personal data that is not covered by a project purpose, you must state that you save the data as a separate purpose. You must also state a legal basis.

At SLU, this means that the appraisal and disposal plan must be followed in practice. Read more about appraisal and disposal on the page on records management.