Personal data breaches must be reported immediately in the IA system.
This guide sets out the requirements you must meet in order to comply with laws and regulations such as the General Data Protection Regulation (GDPR), the Public Procurement Act and the Archives Act when sending out a survey. All steps in this guide must be completed before you publish your survey.
There are a number of important things to consider if you plan on using an external survey supplier service (e.g. Netigate, SurveyMonkey, Google, etc.) or hiring a company to develop a survey for you.
When purchasing any type of service, you must remember that there are procurement rules. If SLU has a framework agreement with a supplier, this agreement must be used, regardless of your planned purchase amount. If there is no framework agreement but SLU purchases survey services for more than a specified amount every year, these services must be procured. Learn more about purchasing limits on the staff web.
If you have any questions, contact the Purchasing Unit at upphandling@slu.se.
The starting point is to use a supplier that SLU has a procured agreement with. If you want to use another supplier, there must be a special reason for this, e.g. that the procured supplier does not offer specific functions that you need. Being more familiar with a certain supplier’s services is not sufficient reason to use another supplier; the reason must be related to the quality of the service.
Once you have decided on a company to help with the survey, you must ensure that a data processing contract is drawn up. This agreement regulates how the supplier is allowed to process the personal data SLU collects through the survey. Normally, the supplier has a standard agreement for this. If the supplier does not have such an agreement, there are SLU templates. The templates and other information on personal data and data protection can be found on the staff web.
Even if the supplier has been procured by SLU, this is not a guarantee that there is a data processing contract. Make sure to double-check this. You are also responsible for ensuring that the supplier will protect the information you plan to collect through the survey in a satisfactory manner.
Today, there is a certain scepticism regarding long and complicated links where it is not clear where the link comes from or where it leads. When you create a survey link, ensure that the link is as short as possible and make it very clear that SLU is the sender. The same applies to the graphic design of pages included in the survey.
Aim to make it clear that SLU is the sender (as well as the specific sender), e.g. by making sure that the SLU logo is clearly visible. If it is not possible to create links connected to SLU, the participants must be given clear information that the link comes from SLU.
To carry out the personal data processing involved in a survey, you must establish the legal basis for the processing in question. Which legal basis to use depends on the reason for creating the survey.
The most common legal bases are
Option 2 should be the legal basis used in most cases. In order to use ‘task of public interest’ as the legal basis, you must be able to prove where in Swedish legislation, public authority decisions, public authority assignments or collective agreements it is stated in which context this task must be completed.
An example is Section 1a of the Ordinance for the Swedish University of Agricultural Sciences, which states that SLU must undertake research, or Chapter 1, Section 2 of the Higher Education Act, which states that we must provide information about our activities.
Read more about legal bases in the data protection manual.
If the survey is aimed at students and it is considered likely that they will view the survey as compulsory, the legal basis of consent cannot be used. The same applies if the survey is used to follow up administration or concerns subjects connected to employment at SLU.
In cases where you use consent as the legal basis for data processing, you must save documentation on how you collected consent for as long as you process or store survey answers.
When you process personal data, an important step is establishing the purpose for collecting the data in question. Why are you collecting this personal data? What questions do you expect the survey to answer? Make sure to phrase your purpose so that the person answering the survey knows what will happen with the information you collect. Use clear and plain language. If you are unsure if you have made the purpose clear, ask a colleague who is not working with the survey to take a look at your text.
If you know that the data you collect will be used for additional future research, or added to a database, inform the survey respondents of this straight away. Otherwise, you must inform them again when you change the processing purpose, which can be difficult in practice.
Also, make sure to inform the data subjects that their information will be archived in accordance with Swedish archival legislation.
When carrying out a survey, you must carefully consider what information you need to collect in order to fulfil the purpose in question. You are not allowed to collect more personal data than you need. Only you can decide what type of data you need. Therefore, it is necessary that you write down your thoughts on the information you intend to collect.
This is even more important if you collect sensitive personal data – in those cases, you must be able to apply one of the exemptions listed in article 9 of the General Data Protection Regulation. SLU’s Legal Affairs Unit can help you assess if this is an option.
It is especially useful to establish if the supplier you use will collect and save the IP addresses of the devices used by the respondents. If it is possible to avoid storing IP addresses, the connection to the individual is weakened and their privacy is more strongly protected.
When you have created a survey, you must include information on who is behind it, the processing purpose, the legal basis for processing, etc. In order for your collection of personal data to be allowed, you must provide this information to the respondents. There is an information template on the staff web.
Listing this information on a start page connected to the survey link is a good idea.
You can provide information in steps. For the first step, you must always provide the following information:
If you use consent as the legal basis for processing personal data, you can also ask the respondent to give their consent on such a page. For example, respondents can consent by ticking a box. However, the box must not be ticked beforehand. You must also document the consent of all respondents.
The main rule for storing personal data is that we may only store it for the time it takes to fulfil the purpose of the processing. However, this does not apply when the data can be found in public documents, as public document regulations require SLU to store data for a longer period.
The information for respondents previously described must contain information on how long you will process the personal data you collect. If possible, state how long the processing will take. If that is not possible, describe how you will decide for how long to store the personal data, for example until the report used as a basis for the survey is complete and published.
Additionally, the personal data you collect (both metadata about the respondents and the actual survey answers) are public documents. Public documents must be managed in accordance with the rules for such documents. Every department has an employee with knowledge of document registry and archiving, and they can explain how you must handle the data you intend to collect. If the person in question cannot help you with this, contact the Archives, Information Governance and Records Unit at the Vice-Chancellor’s Office.
Last but not least, you must register your processing. If your survey is connected to a research project, you must register it in your department register for personal data processing within research. In other cases, contact SLU’s data protection officer for help with registering the processing. The data protection officer can be reached at dataskydd@slu.se.