Personal data in independent student projects
The General Data Protection Regulation, together with a number of Swedish laws, requires that work with personal data is carried out correctly. Here is the necessary information about the steps required for the handling of personal data to be correct.
In addition to the rules that apply to personal data, depending on what you intend to process, there may be additional rules to take into account and you should therefore have an overall discussion with your supervisor and/or examiner/course coordinator about what information should be handled and plan accordingly.
For studies at basic and advanced level
This is what applies to studies at basic and advanced level at the Swedish Defence University. Start by reading "Rules regarding ethics and handling of personal data in student projects".
If you have any questions, please contact your administrator and/or examiner/course coordinator.
- Clarified my actual need to collect personal data.
- Documented purposes for my personal data processing
- Reconciled the need for personal data and purposes with my supervisor
- Read up on the basic principles of personal data processing
- Completed suitability assessment (only applies to the use of sensitive personal data)
- Ensured the storage of personal data in approved storage services
- Appropriate safeguards taken.
- Assessed and documented what needs to be saved and deleted after the work is completed.
- Submitted information to the course coordinator's register for personal data processing.
- Adjusted and adapted consent form with information
- Obtained consent through the use of an adjusted consent form from all persons covered by the student work.
- When the work is completed and graded, contact the course coordinator and ensure that the information is deleted, unless the conditions for archiving it exist or it is to be saved for a possible publication or similar.
Collection and processing of personal data
Any information that can be directly or indirectly linked to a living person is personal data. This means that it is not only names and social security numbers that can be personal data, but also usernames, e-mail or IP addresses, biometric data, and also, for example, a voice recording. It can also be a combination of more anonymous data that together makes it possible to identify an individual.
The processing of personal data must comply with the basic principles and there must be a legal basis for the processing.
This means, among other things, that:
- the processing must be carried out in a lawful, fair and transparent manner in relation to the data subject;
- the data shall be collected for specified, explicit and legitimate purposes;
- no more personal data may be processed than is necessary for the purpose;
- the information shall be accurate and up-to-date;
- the data shall not be kept longer than necessary for the processing, and
- the data must be processed in a secure manner.
A person's face can easily be used to identify the person and is thus personal data. A voice constitutes personal data provided that it is possible to identify the person by means of the voice. It is often not possible to anonymise this type of data without a lot of extra work and technical tools. Such data should nevertheless be pseudonymised as far as possible, for example by replacing names of people, dates, places and similar information with ID numbers, serial numbers, pseudonyms or more general terms.
However, in cases where an "anonymous" survey is conducted, personal data is usually processed based on GDPR's definition of what is personal data. Data is only anonymous to the extent that it is completely impossible for anyone to connect the information with an individual. For example, it is enough that the survey tool somewhere logs the IP address or saves some indirect information about the person who answered the survey for the personal data rules to apply in the situation. Furthermore, the use of free text answers always means that there is a risk that the person answering the survey enters direct or indirect personal data about themselves or others. It should be assumed that most surveys involve the collection of personal data in some form, at least during the collection phase.
Sensitive personal data
Sensitive personal data means information about health, political opinions, religion, ethnic origin, trade union affiliation, sexual orientation, sex life and genetic and biometric data and is as a general rule prohibited to process according to GDPR.
The legal scope for processing sensitive personal data in independent student projects is very limited. If the student work is part of an existing research project, it is handled within that process. Investigate whether it is possible that the student work can be included in a research project.
If it is necessary to collect sensitive personal data for the performance of the student work, this must be reconciled and done in dialogue with the supervisor. Supervisors should also contact the course coordinator and examiner. If the student work is part of a research project, the conditions for the project must be followed and the project must have previously been granted permission to collect sensitive personal data through ethical review. If this is not possible, in addition to the supervisor's approval, an approved suitability test, consents and extensive security measures are required.
Suitability testing is similar to the ethical review that the Swedish Ethical Review Authority conducts for research studies. Student projects are not covered by the Ethical Review Act (2003:460), which is why a suitability test must be carried out by the student and then assessed by the supervisor in dialogue with the course coordinator and examiner.
Processing of personal data
In order to comply with the requirements of the GDPR, all of the different steps below must be assessed and performed. It is the department responsible for the course that ultimately decides how these requirements are to be fulfilled and must ensure that students are well informed about the conditions that apply to the student work. Both the student and the course coordinator must be involved and know every step of the process.
It is the supervisor, in dialogue with the examiner, who assesses whether the personal data processing can be carried out. The purpose may be adjusted, or the processing denied, if it becomes too complicated.
The first step is to identify whether personal data should be processed in the student work. If the assessment is that personal data is being processed, steps 2–7 must be carried out. Processing of personal data is in principle everything that can be done with personal data. This may be, for example, collecting, registering, processing, storing, deleting, cross-checking, reading or printing the data. If the student work is carried out with anonymous data, no personal data is processed. Anonymised data is information that cannot be linked to an individual, either with the data available to the Swedish Defence University or with information that can be obtained from elsewhere.
- If the personal data processed within the framework of the student project consists only of the names included in quotations (does not apply to data you have collected yourself), references and source references, GDPR's provisions are not applicable and these rules do not need to be followed.
- Any information that can be directly or indirectly linked to a living person is personal data. This means that it is not only such things as names and social security numbers that can be personal data, but also voice recording, usernames, email or IP addresses, biometric data, etc. It can also be a combination of more anonymous data that together makes it possible to identify an individual.
According to GDPR, you must know what the data will be used for already when it is collected. This is in order not to collect more information than necessary, to collect only for legitimate purposes, and because you must also know how long the data will be used (although it does not necessarily have to be possible to specify an exact end date). "Good-to-have" is therefore not an acceptable argument in this context. Therefore, define the purpose of the processing and what data must be collected.
If you, together with your supervisor, have come to the conclusion that it is necessary to collect personal data in order to carry out the survey, the purpose of the processing needs to be defined. This is a requirement of the General Data Protection Regulation. The purpose of data processing is to collect the data needed to carry out the survey. However, the purpose needs to be adapted to what is to be investigated and why. It is not allowed to collect more personal data than is necessary to achieve the purpose, and the data may not be used for any purpose other than the one it was collected for.
Collected information must be handled in a secure manner. Avoid or limit the use of external storage services for the storage of personal data. Use the tools and cloud services that FHS offers for managing and storing information.
Decide which parts of the information will be deleted and which will be retained when the work is completed. Personal data may not be kept longer than necessary and shall be deleted when it is no longer needed. At the same time, there may be parts of the information that must remain in order to, for example, be able to substantiate the conclusions of the student work or if they are necessary for future data processing (for example, for the result to be published in a scientific article). In these cases, the material must be archived.
Therefore, it is important to determine what will happen to the personal data before the work of collecting the personal data begins. During the course of the work, there may be reason to reconsider the original plan, but it is important that there is a basic plan that is agreed with the supervisor, not least to be able to answer questions from the data subjects (the people whose data is collected). However, it is advisable to postpone any deletion of information until the work is completed. A good guideline is to delete the data when the grade is set and registered and the data is thus no longer needed to substantiate the conclusions of the independent student project.
Obtain consent, inform data subjects and collect necessary personal data. Personal data may only be processed if there is a legal basis for the processing. The General Data Protection Regulation specifies a number of grounds that are considered permissible, but for a student project, in practice only consent is relevant (unless the student work belongs to a research project).
The requirement for consent to be voluntary also presupposes that there are no negative consequences if a person declines to participate in the study. It is therefore important that the consent contains the information required by the GDPR and accurately reflects what should be done with the personal data. Obtaining consent means clearly stating what data will be collected, what it will be used for and by whom and for how long the data will be used.
The consent must also contain information that it is possible to request to see the collected information and that it is possible to turn to the Swedish Defence University's data protection officer or the Swedish Authority for Privacy Protection with complaints. The student's and the course coordinator's contact information must also be included in the information. After the data subject has read the information, they can give their consent to the processing and it is then permitted to process the data. Once the personal data has been collected, it may not be used for anything other than what the participant has consented to without obtaining a new updated consent.
It is important to know that consent must be saved so that it can be retrieved if necessary, and that the data subject has the right to withdraw their consent at any time. It should be as easy for data subjects to withdraw their consent as it is to give it.
For surveys, it may be more difficult to obtain written consent. Create clear information on the first page of the survey and mailing. The consent may be considered to have been obtained when the informed person chooses to participate by actively answering the questions in the survey after reading the information text.
If the information is provided in an interview situation, the information can be printed out and provided both verbally and in writing. You also need to document the individual's consent to participate. The consent can be either written or verbal. If you choose a verbal consent, it needs to be recorded and be possible to delete if the consent is withdrawn.
To support this, FHS has developed an information and consent form.
If everything was done correctly in the previous steps, this step, which is formally important, is not very burdensome.
Obtain informed consent, collect and process the personal data.
It is the person collecting the personal data who has the burden of proof to show that there is documented and valid consent. Collected consents must be stored in the area where other collected material is stored throughout the process.
When the thesis is completed and the examination of the course component is completed, the last part remains. The material that has been processed must now either be saved for archiving or deleted according to what was decided in step 4. Any consents obtained in order to be able to do the personal data processing must be saved for as long as the material itself, and deleted/discarded at the same time. Contact the course coordinator so that the course coordinator can deregister the processing from the register of personal data processing.
It is you as a student who is responsible for the material being deleted once it is no longer needed to verify the result in the report or for any other purpose. Remember not to delete documentation before the final grade is set on the course. Consult the course coordinator if there are uncertainties about what should be deleted and if something should be saved for a possible publication or similar.
- Anonymisation - If the data can no longer, either directly or indirectly, be linked to a person, it is anonymised and formally no longer personal data (the General Data Protection Regulation does not apply to it). If the work can be carried out on anonymised data, this must be done.
- Pseudonymisation - If the data processed is not directly linked to a person, but there is a separate key that links the person to the information, the data is pseudonymised. The data is still formally considered personal data, but the handling takes place with greater security.
- Encryption and encoding - Encrypting or encoding information is a way to minimize the damage of data leakage and is good as technical protection.
- Email control - It is recommended to always check the correct recipients before sending emails, avoid the hidden copy (bcc) function, use emails restrictively to send personal data and never for sensitive personal data.
- Storage and tools - Cloud services not provided by FHS may not be used to store personal data. This includes storage services such as Dropbox, Google docs, iCloud, and more. Ensure that any tools meet the requirements. The recommendation is to use the tools provided by FHS.
- Sensitive personal data - Requires encryption, backup, access control, two-factor password management. Contact FHS IT support for more information about correct actions.
- Information and knowledge - Important security measures that are often forgotten are information and knowledge. Ensuring that those who work with personal data are also aware of and follow the rules that exist for the work is important.
- Backup - Technically protecting information from loss in various types of breakdowns is not a requirement in the Data Protection Regulation, but can be important enough for the individual student. An absolute minimum is to ensure that the information is stored in a way that is covered by backup.
- External USB sticks or hard drives - Removable media should be avoided as they are particularly vulnerable to theft and loss. If they are used, they should always be encrypted and used only for temporary storage/transport.
If you have any questions, please contact your administrator and/or examiner/course coordinator.