2.3.2 Permitted grounds for processing personal data in education

Regarding the legal bases, the premise is that most cases of treatment in the field of education are performed on the basis of "public interest," "exercise of official authority," or "legal obligation".

Consent can often not be used in cases where the data subject is in a dependency to the person responsible. This is the case in regard to education and, explains why the treatment of students’ personal data may be based on consent only in exceptional cases. The fact that the education is based on voluntary participation does not have any effect. Consent can only be used as a basis if no negative consequences, regardless of form, arise as a result of the consent not being given. These consequences need not be formal but may be conditions of a social nature "It's voluntary ... but everyone does it”. However, there are some permitted grounds which are relevant to the work of the university's administration

Public interest

As stated, research in the public interest may serve as a legal basis for personal data processing. In the light of Swedish government tradition, it is usually the case that most university activities are in the public interest. However, according to data protection legislation, this public interest must be present in Swedish law, either by specific laws, regulations, government regulations or collective agreements. Furthermore, it must be necessary to process personal data to achieve the public interest in order to use it as a basis for treatment.

Exercise of official authority

Initially, it should be stated that this concept of authority is not the same as that used in Förvaltningslagen (the Administration Act), but it is the EU legal concept of authority exercised. The term is thus wider. If an action under the authority of a university requires personal data processing, this may be the basis for the treatment. Examples of this are virtually all activities that a university is required to perform by Högskoleförordningen (the Higher Education act). However, it is important to note, that personal data processing must have a clear connection with the task that is part of the exercise of authority. If it is possible to perform the task without personal data, then it should be done that way.

Legal obligation

In order for a legal obligation to be used as a basis for personal data processing, the obligation must be stipulated in Swedish law, including in collective agreements, or in government decisions or regulations. The difference in respect to the two bases discussed above is that the legal obligation must be clear so that the individual can understand what kind of treatment will be carried out under the legal obligation. A typical example of this type of obligation is förordning (1993:1153) om redovisning av studier m.m. vid universitet och högskolor (Regulation (1993: 1153) on the accounting of studies, etc. at universities), also known as Ladokförordningen (the Ladok Regulation).