General Data Protection Regulation (GDPR) - teach and supervise
2.3.1 Personal data in education
In order to teach, we must also handle personal data. This is necessary for us to know who we are teaching and to be able to register and report the progress that our students make in their respective programmes. At the same time, this processing is also regulated by the requirements of the General Data Protection Regulation. It is necessary for us to comply with the rules and principles of the Regulation and to have a legal basis for the processing.
Personal data must be collected and processed to meet an explicitly stated purpose. This purpose must be specific, that is, we must state why the processing is necessary to perform the task. The basic idea is that the data subject should be able to predict what will happen to the information being processed. The information we collect should be adequate and relevant to the purpose for which it is collected, and it should not be more than what is required. It is also important that the information is accurate and, if necessary, updated. If we are aware of an error, we are to correct or delete the information.
We may not store or otherwise process personal data for longer than is necessary. We should then delete or anonymize the information (making it impossible to connect the information to any individual in any way) if there is no requirement for us to keep it. Such requirements may arise, for example, from Arkivlagen (the Archive Act), Offentlighets- och sekretesslagen (the law that governs access to public documents), "Ladokförordningen" (the act regulating information in Ladok) and many others. The General Data Protection Regulation introduces a series of new rules, but in general it can be said that the requirements we have previously had to preserve information will also apply in the future.
The information collected must be processed in a way that ensures appropriate security, including protection against unauthorized processing and against loss, destruction or accidental damage, using appropriate technical and organizational measures. This means that we must ensure that only authorized persons have access to the information and that any databases or systems are covered by sufficient security measures. Deciding upon, introducing and monitoring appropriate security measures, both technical and administrative, is a requirement in the General Data Protection Regulation and this must be documented.
Finally, the information should be treated in a correct and open manner in relation to the data subject. If the data subject has questions or wishes to take advantage of his or her rights in relation to the processing we undertake, it is our duty as part of Linnaeus University to help, unless there are any barriers to this due to, for example, secrecy or archiving regulations.