3.6 Archiving and erasure

There is basically only a single rule regarding archiving and erasure in the General Data Protection Regulation, in regard to the university. This is that personal data can only be processed for as long as it is necessary to fulfill the purpose for which they were collected. As soon as the intended personal data are no longer needed for their purpose, they shall be erased. However, personal data can be found on a public document, which means that the rules on public access to information applies. From this follows that if archiving is prescribed by law or regulation, the data should be archived. In cases of uncertainty, the university’s archivists should be consulted.

The preservation and disclosure of personal data is based on the University's document management plan and complies with the regulations imposed by Riksarkivet (the National Archives). Regarding the actual storage of personal data, these must be stored safely at the university, in accordance with the guidelines for information, and IT security. If a cloud service is to be used, only cloud services approved by the university may be used. In any case, only one cloud service may be used to increase the ability to control the spread of personal data.

Finally, in regard to who has access to the data, the number of people should be kept to a minimum. If a person does not need the personal data to perform his or her duties, he or she should not have access to it.