Personal data in student projects

Start by determining the purpose of the project you will conduct - this is the purpose of your processing of personal data.

When you process personal data in order to benefit from your education, it is public interest that is used as legal basis.

Consider whether it is suitable and necessary to process personal data to achieve the purpose or if you can achieve the same purpose without processing personal data. If it is necessary, try to limit it so that you process as little personal data as possible.

With your supervisor, you must also assess the suitability of the intended project. Is the project something that is in line with your education? Can it be carried out so that the privacy of the individuals whose personal data is to be processed is not affected in a negative way? You can read more about how to make this assessment on the page Special categories of personal data.  

The suitability and necessity assessment must be carried out regardless of whether you are to process special categories of personal data or "ordinary" personal data.

Assess which types of personal data that are necessary to process in your project. Write down your purpose with the processing of data as briefly as possible.

Decide how to collect, store and otherwise process personal data.

Note that you should only use the tools and services provided by the university. It is not permitted to use tools and services that are available for free on the internet.

The tools provided by the university are found via the following pages:

Digital tools
Other digital tools and software

You also need to apply relevant security measures (for example coded information instead of printed names). Read more about security measures on the page Special categories of personal data.  

You only have the right to process personal data as long as it is necessary for your project. After completing the project, the personal data must be deleted.

If you plan to collect regular personal data directly from the data subject, the data subject must be informed about how the personal data is processed. The university has a template for this (only in Swedish as of now). You find it on this page under the heading "Templates". 

You do not need to obtain consent from the data subject when processing regular personal data.

If you plan to collect special categories of personal data directly from the data subject, the data subject must also consent to the processing of personal data. In connection with this, you must also inform about how the personal data is processed. The university has a template for this (only in Swedish as of now). You find it on this page under the heading "Templates". 

If you have collected the data from someone other than directly from the data subject, it is in many cases impossible to obtain consent and inform about the processing without having to collect contact information from another source. In these cases, you should not go to another register (for example the population register) to be able to contact the data subject regarding the processing carried out by you.

As the controller of personal data, the university must to be able to demonstrate that the legislation is followed. In order to have control over the processing of personal data that takes place at the university, a register is required. The register must, among other things, contain information about which personal data is processed, the purpose of the processing and contact details for the person responsible for the processing.

When you within your studies are processing personal data, it is you who is doing the work who is responsible for the processing and who is therefore the contact person for the data subjects. However, the university is data controller and is the organization that is held legally responsible if the processing takes place in violation of GDPR.

Before you start the collection of personal data, you must report your project in the university's record of processing activities. You report in the system DraftIT (only in Swedish): 

Link to form in DraftIT

Once you have logged in to DraftIT, you must fill in the form and answer the questions that are found there. Remember to complete the registration completely before closing the form.

You will not automatically receive any feedback when the registration in Draftit has been handled. In addition to the registration in the system, you must also check with your supervisor or with the responsible teacher for the course to ensure that your approach is correct. 

Be thorough and only process the data in the way that you informed about and have reported in the record. If the purpose or the way you process the data changes, you need to repeat the steps above that are affected by the changes. When you are finished (examined), you delete the data that is no longer needed.

What is personal data?

Personal data is any kind of information that can be linked to a living natural person. Typical examples are name, address and personal identity number. Photos of people can be personal data in cases where the person in the photo can be identified. The registration number of a car can be personal information if it is possible to link the information about the car to an individual natural person.

Special categories of personal data

In GDPR, a distinction is made between "regular" personal data and such data that is considered sensitive. This type of data is called special categories of personal data and is considered to need special protection. The processing of special categories of personal data is prohibited unless one of the exceptions in GDPR can be applied. Special categories of personal data refers to information about:

• ethnic origin,
• political opinions,
• religious or philosophical beliefs,
• membership of a trade union,
• health,
• a person's sex life or sexual orientation,
• genetic data, or
• biometric data used to uniquely identify a person.

Personal data worth extra protection

Personal identity numbers and coordination numbers are not categorized as special categories personal data. However, they are considered to require extra protection and must therefore be treated with particular care.

In addition to personal identity numbers and coordination numbers, children's personal data is considered particularly worthy of protection. This is because children are not considered to be able to exercise their rights in the same way as adults and it may be more difficult for them to predict the consequences of the processing of their data.

If you intend to process personal data of children, and therefore need to take any additional measures, you should talk to your supervisor. Additional measures taken may consist of additional and more specified information to the data subjects. GDPR requires that information given to children must be specially adapted to their age.

What is processing of personal data?

Processing is defined in the GDPR as basically any operation which is performed on personal data, regardless of whether it takes place electronically or not. Examples of processing are to collect, register, store, process, correct, delete or transfer. However, GDPR is only applied for processing that is fully or partially carried out by automated means (that is, electronically) or such processing that occurs in manual registers (for example, lists).

Legal bases for processing

In order to process personal data, there must be at least one legal basis for the processing. For students' processing of personal data within their studies, it is the legal basis of public interest or exercise of authority that is primarily used. 

• Public interest or exercise of authority
  You may need to process personal data in order to benefit from your education. The legal basis for that processing is that it constitutes a necessary public interest. The university can apply this legal basis on behalf of its students since the we has an assignment of conducting education according to the Higher Education Act and the Higher Education Ordinance.
• Consent 
  In exceptional cases, the legal basis consent can be used. You can process personal data after obtaining consent from the data subject. Keep in mind that a revoked consent must be respected if you use this legal basis. If you and your supervisor consider that consent is the best legal basis for your work, contact dataskydd@gu.se.

Processing different categories of personal data

As a general rule, special categories of personal data may not be processed, but there are exceptions. Since special categories of personal data is considered to have a greater protection value than other personal data, there are requirements of taking more extensive measures to protect this data.

More information about when it is allowed to process special categories of personal data is found on the page Special categories of personal data. Discuss with your supervisor how you meet the requirements.

The personal data worth extra protection, such as personal identity numbers and coordination numbers, may be processed with the support of the data subject's consent. Without consent, personal identity numbers may only be processed if it is clearly justified with regard to:

• the purpose of the processing,
• the importance of secure identification, or
• any other noteworthy reason.

There may also be special regulations that allow personal identity numbers and coordination numbers to be processed.

As a general rule, personal data relating to convictions in criminal cases and violations of law that include crimes or related security measures (criminal data) may not be processed unless it is expressly stated by Swedish or European law that someone may process the data. The information referred to here can be everything from case numbers to information relating to a possible arrest warrant and convictions.

More information about when it is allowed to process special categories of personal data is found on the page Special categories of personal data. Discuss with your supervisor how you meet the requirements.

Basic principles for processing

GDPR contains a number of basic principles that must always be followed. You must make sure to follow these principles when you process personal data within your studies:

• Personal data processing must be lawful, fair and processed in a manner that is transparent in relation to data subject.
• Personal data may only be processed for specific, explicit and legitimate purposes.
• The personal data must be relevant and limited to what is necessary in relation to the purpose.
• The personal data must be accurate and up-to-date.
• The personal data must not be saved longer than necessary.
• The personal data must be given adequate protection.
• The person in charge of personal data (the university) is responsible for and must be able to demonstrate that the principles are complied with. The University of Gothenburg is therefore responsible for the personal data processing that you carry out as a student.

The rights of the data subject

When you process personal data within your studies you must, on behalf of the University of Gothenburg, ensure that the rights of the data subjects are met. On our external website, you find information about the rights of the data subjects.